diff options
author | Tomas Babej <tbabej@redhat.com> | 2015-07-15 14:22:48 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-07-17 17:04:17 +0200 |
commit | 45958d62197296eabe5513ea392e204e1d49d5c6 (patch) | |
tree | a280c3f6a7d4f04df4254f77fd65676bbc20ee12 | |
parent | 82aaa1e6d07a13429381b94ffe4b5fc562427213 (diff) | |
download | freeipa-45958d62197296eabe5513ea392e204e1d49d5c6.tar.gz freeipa-45958d62197296eabe5513ea392e204e1d49d5c6.tar.xz freeipa-45958d62197296eabe5513ea392e204e1d49d5c6.zip |
trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r-- | ipalib/plugins/trust.py | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index b2e18f5bc..faa8186ba 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -640,6 +640,8 @@ sides. self.params['realm_passwd'].label, confirm=False) def validate_options(self, *keys, **options): + trusted_realm_domain = keys[-1] + if not _bindings_installed: raise errors.NotFound( name=_('AD Trust setup'), @@ -692,6 +694,23 @@ sides. ) ) + # Obtain a list of IPA realm domains + result = self.api.Command.realmdomains_show()['result'] + realm_domains = result['associateddomain'] + + # Do not allow the AD's trusted realm domain in the list + # of our realm domains + if trusted_realm_domain.lower() in realm_domains: + raise errors.ValidationError( + name=_('AD Trust setup'), + error=_( + 'Trusted domain %(domain)s is included among ' + 'IPA realm domains. It needs to be removed ' + 'prior to establishing the trust. See the ' + '"ipa realmdomains-mod --del-domain" command.' + ) % dict(domain=trusted_realm_domain) + ) + self.realm_server = options.get('realm_server') self.realm_admin = options.get('realm_admin') self.realm_passwd = options.get('realm_passwd') @@ -702,7 +721,7 @@ sides. if len(names) > 1: # realm admin name is in UPN format, user@realm, check that # realm is the same as the one that we are attempting to trust - if keys[-1].lower() != names[-1].lower(): + if trusted_realm_domain.lower() != names[-1].lower(): raise errors.ValidationError( name=_('AD Trust setup'), error=_( |