author: Alexander Bokovoy <abokovoy@redhat.com> 2015-07-06 14:46:24 +0000
committer: Tomas Babej <tbabej@redhat.com> 2015-07-08 01:56:52 +0200
commit: 2dd5b46d257eb03188fcfb21997e9348bc0e3f4d
tree: e95ce08123cc28ff2369d50c8ad090289456f7a5 /install
parent: 5025204175fad221a74befa7dc52087fcd0751c6
trust: support retrieving POSIX IDs with one-way trust during trust-add

With one-way trust we cannot rely on cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
https://fedorahosted.org/freeipa/ticket/4960
https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>

Diffstat (limited to 'install')
-rwxr-xr-x install/oddjob/com.redhat.idm.trust-fetch-domains | 4
1 files changed, 3 insertions, 1 deletions
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 2571dd09a..85e3cc993 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -186,7 +186,9 @@ if domains:
if idrange_type != u'ipa-ad-trust-posix':
range_name = name.upper() + '_id_range'
dom['range_type'] = u'ipa-ad-trust'
- trust.add_range(range_name, dom['ipanttrusteddomainsid'],
+ # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range
+ # to force it using existing credentials cache
+ trust.add_range(None, range_name, dom['ipanttrusteddomainsid'],
trusted_domain, name, **dom)
except errors.DuplicateEntry:
# Ignore updating duplicate entries
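
Review bot: the bare positional None in "trust.add_range(None, range_name, dom['ipanttrusteddomainsid']," carries the whole behaviour change, and only the two-line comment above it tells the reader that this slot is where an ipaserver.dcerpc.TrustInstance would otherwise go. If the signature allows it, pass that argument by keyword so the call documents itself, and tighten the comment to "to force it to use the existing credentials cache" while naming which cache the helper expects to be in place at this point, since the call now depends on that cache being present. The add_range definition is not part of this view (the diffstat is limited to 'install'), so how it treats None cannot be checked from these lines.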