authorAlexander Bokovoy <abokovoy@redhat.com>2014-08-19 16:22:54 +0300
committerMartin Kosek <mkosek@redhat.com>2014-09-01 08:42:52 +0200
commit1fd3a238848bd2aa7bd946d3148637a5abbf7891 (patch)
treeb7d70c67fccf537edd0411237a8b5d2edca1008e
parent23e0bc411eb213fbdfe2e5436d82afe6fcbf0989 (diff)
ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83 Reviewed-By: Sumit Bose <sbose@redhat.com>
-rw-r--r--ipaserver/dcerpc.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 495c380b0..4abc42f38 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -901,7 +901,7 @@ class TrustDomainInstance(object):
info.sid = security.dom_sid(another_domain.info['sid'])
info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
- info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+ info.trust_attributes = 0
try:
dname = lsa.String()
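Review bot: The new `info.trust_attributes = 0` is a bare value, and nothing in the code says that the forest-transitive attribute is deliberately deferred to a later call. A short comment above it would stop a later maintainer from restoring the old assignment, for example `# Create the trust without attributes; FOREST_TRANSITIVE is set afterwards via SetInformationTrustedDomain (Windows Server prior to 2012, see commit message)`. The enclosing method starts and ends outside this hunk.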
@@ -918,8 +918,6 @@ class TrustDomainInstance(object):
except RuntimeError, (num, message):
raise assess_dcerpc_exception(num=num, message=message)
- self.update_ftinfo(another_domain)
-
# We should use proper trustdom handle in order to modify the
# trust settings. Samba insists this has to be done with LSA
# OpenTrustedDomain* calls, it is not enough to have a handle
@@ -938,6 +936,15 @@ class TrustDomainInstance(object):
# server as that one doesn't support AES encryption types
pass
+ try:
+ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+ self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info)
+ except RuntimeError, e:
+ root_logger.error('unable to set trust to transitive: %s' % (str(e)))
+ pass
+ if self.info['is_pdc']:
+ self.update_ftinfo(another_domain)
+
def verify_trust(self, another_domain):
def retrieve_netlogon_info_2(domain, function_code, data):
try:
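Review bot: When `SetInformationTrustedDomain` fails in the added `try` block, the error is only logged and the method continues, so the trust stays at the `trust_attributes = 0` it was created with and the caller gets no signal that the requested trust was not established. The handler earlier in this method raises through `assess_dcerpc_exception(num=num, message=message)`; this one should either do the same or carry a comment stating that falling back to a non-transitive trust is intended for older servers. `self.update_ftinfo(another_domain)` still runs after such a failure, and whether that is meaningful without the forest-transitive attribute is not visible from the hunk. The `pass` after the `root_logger.error(...)` call has no effect and can be dropped. The new `if self.info['is_pdc']:` guard is a behaviour change the commit message does not mention and deserves a one-line comment; the method body begins outside the hunk.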