author: Tomas Babej <tbabej@redhat.com> 2015-08-06 10:54:47 +0200
committer: Martin Basti <mbasti@redhat.com> 2015-08-17 17:09:02 +0200
commit: 5fd2a893e65ba6cc888de930f76b2e48ba460b8d (patch)
tree: c1b9cc6623421156e73a70fa6b1556b3d124f1a5
parent: 5d5240b9db3b9e6f29351c65272a363b253cd2d3 (diff)
trusts: Detect domain clash with IPA domain when adding an AD trust
When IPA is deployed in the same domain as AD, trust-add fails since the names of the local domain and trusted domain ranges are the same - it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate error message.

https://fedorahosted.org/freeipa/ticket/4549

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- ipalib/plugins/trust.py | 8
1 file changed, 8 insertions, 0 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 35e75d8ed..4302c3ac3 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -670,6 +670,14 @@ sides.
error=_('only "ad" is supported')
)
+ # Detect IPA-AD domain clash
+ if self.api.env.domain.lower() == trusted_realm_domain.lower():
+ raise errors.ValidationError(
+ name=_('domain'),
+ error=_('Cannot establish a trust to AD deployed in the same '
+ 'domain as IPA. Such setup is not supported.')
+ )
+
# If domain name and realm does not match, IPA server is not be able
# to establish trust with Active Directory.
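Review bot: the new clash check only folds case (`self.api.env.domain.lower() == trusted_realm_domain.lower()`), so a trusted domain supplied with a trailing dot (`EXAMPLE.COM.`) or surrounding whitespace would pass this equality test and fall through to the later range lookup that the commit message says fails; strip a trailing dot and whitespace on both sides before comparing, for example `trusted_realm_domain.lower().rstrip('.')`, or reuse whatever normalization already produces `trusted_realm_domain` (that code is not visible in this hunk). Two smaller points: the message text `'Such setup is not supported.'` reads better as `'Such a setup is not supported.'`, and because the ticket describes a failure that previously surfaced only inside the range lookup, a unit test asserting that a same-domain trust raises `ValidationError` would pin this early bail-out in place.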