authorAlexander Bokovoy <abokovoy@redhat.com>2015-08-20 15:12:42 +0300
committerJan Cholasta <jcholast@redhat.com>2015-08-24 12:29:33 +0200
commite13a5ed26e96436d4a7ebb2329f7f9666581008d (patch)
treef33a9b6f913b49ee1dc58082d700183de95d87a7
parent6b8623848e46dec074cd2894c9fbcd0eb47d3247 (diff)
trusts: format Kerberos principal properly when fetching trust topology
For bidirectional trust, if we have AD administrator credentials, we should be using them with Kerberos authentication. If we don't have AD administrator credentials, we should be using HTTP/ipa.master@IPA.REALM credentials. This means we should ask for the 'creds' object to be formatted in Kerberos style. For one-way trust we'll be fetching trust topology as the TDO object, authenticating with a pre-created Kerberos credentials cache, so in all cases we use Kerberos authentication to talk to Active Directory domain controllers over the cross-forest trust link. Part of trust refactoring series. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Fixes: https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Tomas Babej <tbabej@redhat.com>
-rw-r--r--ipalib/plugins/trust.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5d04a2a8e..4e4e0b162 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1487,7 +1487,12 @@ class trustdomain_del(LDAPDelete):
def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
trust_name = trust_entry['cn'][0]
- creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options)
+ # We want to use Kerberos if we have admin credentials even with SMB calls
+ # as eventually use of NTLMSSP will be deprecated for trusted domain operations
+ # If admin credentials are missing, 'creds' will be None and fetch_domains
+ # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
+ # as well.
+ creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
server = options.get('realm_server', None)
domains = ipaserver.dcerpc.fetch_domains(myapi,
trustinstance.local_flatname,