From 9ab2eb21141aa23ef5a28b497bf8241db7565788 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:05:54 +0300
Subject: [PATCH] gp: Support more global trust directories

In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).

To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.

In case none is found, fallback to the first option which will produce a
warning as it did previously.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f)
---
 python/samba/gp/gp_cert_auto_enroll_ext.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 312c8ddf467..1b90ab46e90 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -45,10 +45,12 @@ cert_wrap = b"""
 -----BEGIN CERTIFICATE-----
 %s
 -----END CERTIFICATE-----"""
-global_trust_dir = '/etc/pki/trust/anchors'
 endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
               '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
 
+global_trust_dirs = ['/etc/pki/trust/anchors',           # SUSE
+                     '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora
+                     '/usr/local/share/ca-certificates'] # Debian/Ubuntu
 
 def octet_string_to_objectGUID(data):
     """Convert an octet string to an objectGUID."""
@@ -249,12 +251,20 @@ def getca(ca, url, trust_dir):
     return root_certs
 
 
+def find_global_trust_dir():
+    """Return the global trust dir using known paths from various Linux distros."""
+    for trust_dir in global_trust_dirs:
+        if os.path.isdir(trust_dir):
+            return trust_dir
+    return global_trust_dirs[0]
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
+    global_trust_dir = find_global_trust_dir()
     for src in root_certs:
         # Symlink the certs to global trust dir
         dst = os.path.join(global_trust_dir, os.path.basename(src))
-- 
2.34.1