diff options
author | Alexander Bokovoy <abokovoy@redhat.com> | 2014-08-19 16:22:54 +0300 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-01 08:42:52 +0200 |
commit | 1fd3a238848bd2aa7bd946d3148637a5abbf7891 (patch) | |
tree | b7d70c67fccf537edd0411237a8b5d2edca1008e | |
parent | 23e0bc411eb213fbdfe2e5436d82afe6fcbf0989 (diff) | |
download | freeipa-1fd3a238848bd2aa7bd946d3148637a5abbf7891.tar.gz freeipa-1fd3a238848bd2aa7bd946d3148637a5abbf7891.tar.xz freeipa-1fd3a238848bd2aa7bd946d3148637a5abbf7891.zip |
ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83
Reviewed-By: Sumit Bose <sbose@redhat.com>
-rw-r--r-- | ipaserver/dcerpc.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 495c380b0..4abc42f38 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -901,7 +901,7 @@ class TrustDomainInstance(object): info.sid = security.dom_sid(another_domain.info['sid']) info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL - info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + info.trust_attributes = 0 try: dname = lsa.String() @@ -918,8 +918,6 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) - self.update_ftinfo(another_domain) - # We should use proper trustdom handle in order to modify the # trust settings. Samba insists this has to be done with LSA # OpenTrustedDomain* calls, it is not enough to have a handle @@ -938,6 +936,15 @@ class TrustDomainInstance(object): # server as that one doesn't support AES encryption types pass + try: + info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) + except RuntimeError, e: + root_logger.error('unable to set trust to transitive: %s' % (str(e))) + pass + if self.info['is_pdc']: + self.update_ftinfo(another_domain) + def verify_trust(self, another_domain): def retrieve_netlogon_info_2(domain, function_code, data): try: |