y6hFaSSKrSSKrSSKrSSKJrJrJr SSKJr SSK J r SSK J r SSK JrJr SSKJr SSKJr SSKrSS KJr SS KJrJr SSKrSSKrSS KJr SSKrSS KJr SSK"J#r# SSK$J%r% SSK&J'r' SSK(J)r) Sr*Sr+/SQr,Sr-Sr.Sr/S$Sjr0Sr1Sr2Sr3Sr4Sr5Sr6S r7S%S!jr8"S"S#\\5r9g!\ a S r\RB"S5 Nrf=f)&N) gp_pol_ext gp_applierGPOSTATE)Ldb)misc) ndr_unpack) SCOPE_SUBTREE SCOPE_BASE)system_session)get_dc_hostnamewhich)PopenPIPE)log)load_der_pkcs7_certificatesc/$N)xs B/usr/lib/python3/dist-packages/samba/gp/gp_cert_auto_enroll_ext.pyrr'sr zNpython cryptography missing pkcs7 support. Certificate chain parsing will fail)Encoding)load_der_x509_certificate)default_backend) get_strings9 -----BEGIN CERTIFICATE----- %s -----END CERTIFICATE-----zc(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider_CEP_(?P[a-zA-Z]+)/service.svc/CEP)z/etc/pki/trust/anchorsz /etc/pki/ca-trust/source/anchorsz /usr/local/share/ca-certificatesc0nUH7nUSUR5;a/XS'XSRU5 M9 UR5HnURSS9 UVs/sHo"SPM nn[ U5nUHanUR U5n[ U5[R"[U5U5- S- nXx:XaMJSn [X7US-U S9X7US-&Mc M [UR55$s snf)zGroup and Sort End Point Information. [MS-CAESO] 4.4.5.3.2.3 In this step autoenrollment processes the end point information by grouping it by CEP ID and sorting in the order with which it will use the end point to access the CEP information. PolicyIDc US$)NCostres r6group_and_sort_end_point_information..Os1V9r)keyr c,USS:XagUSS:Xagg)N AuthFlagsrr&rr!s r sort_auth7group_and_sort_end_point_information..sort_auth^s#[>S({^s*r) keysappendvaluessortsetindexlenoperatorindexOfreversedsortedlist) end_point_informationend_point_groupsr"end_point_group cost_listcostscostijr*s r$group_and_sort_end_point_informationr@;s " Z= 0 5 5 7 7.0 z] +:'..q1# ,224 !45)881vY 8ID%AIx//0CTJJ1LAv  &,Oac,B09&;Oac "'5:  '') **/9s'Dc0nSnUHsnURRU5(dM%URRUS5nXAR5;a0X'URXUR 'Mu UR 5Hn[R"[US5nU(aRSURS5RSS5-nXES'URS5US 'URS 5US 'MzUSR5S :wdMS US0n[R"S U5 0s $ [UR 55nU$)zObtain End Point Information. [MS-CAESO] 4.4.5.3.2.2 In this step autoenrollment initializes the CertificateEnrollmentPolicyEndPoints table. z7Software\Policies\Microsoft\Cryptography\PolicyServers\URLz%s-CAserver.-namehostnameauthzldap:endpointzFailed to parse the endpoint)keyname startswithreplacer,data valuenamer.rematch endpoint_regrouplowerrerrorr@)entriesr8sectionr"rGcamedatas robtain_end_point_informationr[ks?LG yy##G,, yy  "- 113 3*, ! '3466#AKK0 $**, HH["U) , QWWX.66sC@@DvJWWX.BzNBvJ Y__ ' ) "U)-E II4e <I- --B-I-I-KL  rc R/nUR5nSU-n/SQnSnURU[XT5n[U5S:XaU$UH[n[ USS5[ USS5[ [ R "USS55S.nURU5 M] U$) z(Initialize CAs. [MS-CAESO] 4.4.5.3.1.2 zMCN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,%s) cACertificatecn dNSHostNamez"(objectClass=pKIEnrollmentService)rr^r_r])rGrHr])get_default_basednsearchr r2rbase64 b64encoder-) ldbresultbasedndnattrsexprresesrNs rfetch_certification_authoritiesrls F  # # %F Y[a aB 2E /D **R 4C 3x1} #BtHQK0'=(9!(<=",V-=-=b>QRS>T-U"V  d  MrcUcS/nUR5nSU-nSU-nURU[XR5n[U5S:XaSUS;a[ US5$SS/0$)NmsPKI-Minimal-Key-SizezOCN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%sz(cn=%s)r&r2048)r`rar r2dict)rdrGrhrfrgrirjs rfetch_template_attrsrqsv })*  # # %F Z]c cB t D **R 4C 3x1}1SV;CF|(6(33rc|[[R"SSUR5S[R5-$)Ns(.{64})s\1 r) cert_wraprPsubencodeDOTALL)certs rformat_root_certrxs( rvvj(DKKM1biiP PPrcx[RRS5SS/n[SSR U5S9$)NPATHz/usr/lib/certmongerz/usr/libexec/certmongerz cepces-submit:)path)osenvirongetrjoin)certmonger_dirss rfind_cepces_submitrs5zz~~f-/D02O sxx'@ AArc[5nU(d[R"S5 /$[RnSUS'[ USU-S/U[ [ S9nUR5upEURS:wa)SUR50n[R"S U5 UR5R5$) NzFailed to find cepces-submitzGET-SUPPORTED-TEMPLATESCERTMONGER_OPERATIONz --server=%sz--auth=Kerberos)envstdoutstderrrErrorz0Failed to fetch the list of supported templates.) rrrUr}r~rr communicate returncodedecodestripsplit)rD cepces_submitrpouterrrNs rget_supported_templatesrs&(M  01 **C";C }mf46GHd4 1A}}HC||q& DdK 99;   rc^[RRUSUS-5n/n[R"USSS.S9nUb#URS :XdURS S :Xa[R"S 5 S U;a[R"S5 [R"US 5n[U5nUR!["R$5n['US5n U R)U5 SSS5 UR+U5 U$URS S:Xan[UR5nUR!["R$5n['US5n U R)U5 SSS5 UR+U5 U$URS S:Xa[-UR5n [/S[1U 55Hvn XR!["R$5nUR3SS5upSXU 4-n['US5n U R)U5 SSS5 UR+U5 Mx U$[R"S5 U$![R R a [R"S5 SnGN`f=f![a [U[55nGNf=f!,(df  GN=f![a" [UR[55nGNf=f!,(df  GN=f!,(df  N=f)z$Fetch Certificate Chain from the CA.%s.crtrG GetCACert CAIdentifier) operationmessage)urlparamsz7Could not connect to Network Device Enrollment Service.Nrz Content-Typez text/htmlz2Unable to fetch root certificates (requires NDES).r]z'Installing the server certificate only.wbzapplication/x-x509-ca-certzapplication/x-x509-ca-ra-certrrEr&z%s.%d.%sz+getca: Wrong (or missing) MIME content type)r}r|rrequestsr exceptionsConnectionErrorrwarncontentheadersrb b64decoder TypeErrorr public_bytesrPEMopenwriter-rranger2rsplit)rXr trust_dir root_cert root_certsrder_certificaterw cert_datawcertsr>filename extensiondests rgetcars Y2f:(=>IJ LLS{5C*E F  yAII$ .(A[(P EF b HH> ?$..r//BCO D0A))(,,7Ii&! "'   i (yy $@@ K,QYY7D%%hll3 )T "a GGI #)$  > "&E E+AII6q#e*%A8((6D"+"2"23": Hi 88DdD!Q "   d # &  >? S    . . JK  D01@1BD D'& K,QYY8IJD K# ""!sYI)4 J&*K +K+L  L)6J#"J#&KK K(L L  L L, c~[H+n[RRU5(dM)Us $ [S$)zIReturn the global trust dir using known paths from various Linux distros.r)global_trust_dirsr}r|isdir)rs rfind_global_trust_dirrs2& 77== # # ' Q rc<[S5=(d [S5$)z0Return the command to update the CA trust store.zupdate-ca-certificateszupdate-ca-trustr rrrupdate_ca_commandrs ) * Fe4E.FFrcN^^[UU4SjTR555$)z9Return True if any key present in both dicts has changed.c3J># UHnUT;a TUTU:gOSv M g7f)FNr).0knew_dataold_datas r changed..s0&$/08m x{*F$s #)anyr,)rrs``rchangedrs# &]]_& &&rc [//S.40UD6nSUS-n[R"S5 [XU5nUSR U5 [ 5nUHn [ RRU[ RRU 55n [ R"X5 USRU 5 [R"SU <SU <35 M [!5n [R"S U -5 U b9[#U /5R%5n U S :wa[R&"S U -5 [)S 5n [+5nU GbUGb[#U SSUSSU<SUS<SU<3/[,[,S9nUR/5unn[R0"UR355 UR4S :waZUR4S:Xa[R"SUS-5 O-UR35USS.n[R&"SU5 [7US5nUGHmn[9UU5nUS<SUR35<3n[ RRUSU-5n[ RRUSU-5n[#U SSUSSUR35SUSUS US!US"S /[,[,S9nUR/5unn[R0"UR355 UR4S :waTUR4S:Xa[R"S#U-5 O*UR35US$.n[R&"S%U5 USR UU/5 US&RU5 GMp U b9[#U /5R%5n U S :wa[R&"S U -5 O[R"S'5 [:R<"U5$![a [R"S5 GM[a [R"S U5 GM[a USRU 5 GM(f=f)(z#Install the root certificate chain.)files templatesz0http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?rHz&Try to get root or server certificatesrzCreated symlink: z -> z=Failed to symlink root certificate to the admin trust anchorszZFailed to symlink root certificate to the admin trust anchors. The directory was not foundz Running %srzFailed to run %sgetcertzadd-ca-crGz-ez --server=z --auth=)rrr)zThe CA [%s] already exists)rCAz#Failed to add Certificate AuthorityrEz%s.keyrrequestz-Tz-Iz-kz-fz-grnz The template [%s] already exists)r CertificatezFailed to request certificaterzOcertmonger and cepces must be installed for certificate auto enrollment to work)rprinforextendrr}r|rbasenamesymlinkr-PermissionErrorrFileNotFoundErrorFileExistsErrorrrwaitrUrrrrdebugrrrrqjsondumps)rXrdr private_dirrIrNrrglobal_trust_dirsrcdstupdateretrrrrrsupported_templatestemplaterhnicknamekeyfilecertfiles r cert_enrollr s "2. 5" 5D ( FHH\V $% VHo""$ !8 II(F3 4IG&(M}8 7HdBvJ0=Z.$()d ,==?S #**, <<1 ||q 56 BC!$RZ@ ?F5bnE+H(h7E"$V*hoo.?@Hggll;80CDGww||Ix(/BCHw 4FX__.XtWdHU#;>!$$IIaL ##D4rcz[R"USR55R5nUR X5nUb[ R "U5O0nUb6[US5V s/sHoS<SU R5<3PM sn O/n SU 0UEn [X5(d"UR5[R:XaURXU5 Ub3[X5(d#UR5[R:wagU"U0UD6n URXU 5 gs sn f)NrGrHrEr)rbrcrurcache_get_attribute_valuerrrrcache_get_apply_staterENFORCErcache_add_attribute) rrrX applier_funcargskwargsrold_valrtrrrNs rapplygp_cert_auto_enroll_ext.applyqs$$RZ%6%6%89@@B 00A*1*=4::g&2"BYY[\fYgAhiAhA6 AHHJ7Ahi(*  )3r3 8 & &$*D*D*F(JZJZ*Z LL' 2  wx'B'B**,0@0@@ T,V,   $7js5#D8Nc UcURRS5nUcURRS5n[RR U5(d[R "USS9 [RR U5(d[R "USS9 UHMupV[U5U;dMU[U5R5HupxURXWU5 M MO UGHn U R(dMSn Sn [RRU RU 5n URU 5n U (dM_U RGHMnURU :XdMURS:XdM(UR S-(aM>UR S -S :HnUR S -S :HnUR S -S :HnU(aUR#U R$U RX45nUVs/sH5n[&R("UR+55R-5PM7 nnUR/U R$US 9 GMUR1U R$5nUR/U R$[3UR555S 9 GMP GM gs snf)Nri)modei7Software\Policies\Microsoft\Cryptography\AutoEnrollmentMACHINE/Registry.polAEPolicyr&r))keep)remove)lp cache_path private_pathr}r|rmkdirstritemsr file_sys_pathrparserVrKrOrN _gp_cert_auto_enroll_ext__enrollrGrbrcrurcleancache_get_all_attribute_valuesr7r,)rdeleted_gpo_listchanged_gpo_listrrrsettings ca_cn_encrNgporWpol_filer|pol_confr"enrollmanageretrive_pendingca_namesnca_attrss rprocess_group_policy,gp_cert_auto_enroll_ext.process_group_policys)  **73I  ''..w7Kww~~i(( HHYU +ww~~k** HH[u -.ND4yH$'/D ':'@'@'BOILL$7(C/ $C   T1ww||C$5$5x@::d+!))AyyG+ z0I66F?$!"#!4!"#!4*+&&3,#*=!'+}}SXX5=5E5E5>(MH .6(7-5)/(8(8(D(K(K(M-5%(7 JJsxxhJ? !% C CCHH M% JJsxxX]]_8MJN-*$,(7ss8q=zz#a&)B"CA"F",.?#/.2t9> $ 499d1gl.CA.FGHNNPQ :.H%e9'9#>C" 4k3Y#.0 F 4 # Y__&11*==JJtby*F=OOBvJ/("U)5EII5u=!&"Oq 5BsF9 c S[URUR5-n[U[ 5URURS9n/n[ U5n[ U5S:a$URURXUX455 U$[U5n U H0n URX[XUU5 URU S5 M2 U$)N ldap://%sr session_infor  credentialsrrG) r credsr rr r[r2r'_gp_cert_auto_enroll_ext__read_cep_datarlrrr-) rrrVrrrrdr!r8r/rXs r__enroll gp_cert_auto_enroll_ext.__enrollsODJJ@@c(8WW$**6 C01A5-BP-BrRrR-BPtDt5 W 4tDEEJJt,"&C! B;2e9+?$!9Z!/-/F6N-/vr**b0 0O1D E L L N#6N2./?@zNvr*+CD4BzNC,2EE1DAQXXZ1DEvr*;7"%&F - QD(FsI$I I r)NN) __name__ __module__ __qualname____firstlineno__rrrr$r9rrC__static_attributes__rrrrr_s.. 58(:>.O`BH&,rrr)Kerberos):r}r3rsamba.gp.gpclassrrrsambar samba.dcerpcr samba.ndrrrdr r samba.authr r rbshutilr subprocessrrrPrsamba.gp.util.loggingrstruct2cryptography.hazmat.primitives.serialization.pkcs7rModuleNotFoundErrorrU,cryptography.hazmat.primitives.serializationrcryptography.x509rcryptography.hazmat.backendsr samba.commonrrsrRrr@r[rlrqrxrrrrrrrrrrrrZs" == )%, " % 5$ B78#  9 9 .+`!>. 4QB "1h G& SjXj*Xs 51II455s"B==CC