authorTomas Babej <tbabej@redhat.com>2013-09-18 12:55:19 +0200
committerMartin Kosek <mkosek@redhat.com>2013-10-03 12:01:56 +0200
commit8ebb76177dbe675b281a4c06fabd4d27b2dffd7c (patch)
tree08b25a54d69726df1bc3f4cf5ae5c38b098c8cc8 /ipalib/plugins/trust.py
parent6a124160a56bba66ffd7290ed0f111e72f36b521 (diff)
Do not add trust to AD in case of IPA realm-domain mismatch
Make sure that the trust-add command fails when an admin attempts to add an Active Directory trust while the realm name and the domain name of the IPA server do not match. https://fedorahosted.org/freeipa/ticket/3923
Diffstat (limited to 'ipalib/plugins/trust.py')
-rw-r--r--ipalib/plugins/trust.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 3c117b49b..3d0502990 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -360,6 +360,19 @@ sides.
error=_('only "ad" is supported')
)
+ # If domain name and realm does not match, IPA server is not be able
+ # to estabilish trust with Active Directory.
+
+ realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
+
+ if options['trust_type'] == u'ad' and realm_not_matching_domain:
+ raise errors.ValidationError(
+ name=_('Realm-domain mismatch'),
+ error=_('To estabilish trust with Active Directory, the '
+ 'domain name and the realm name of the IPA server '
+ 'must match')
+ )
+
self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
if not self.trustinstance.configured:
raise errors.NotFound(
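Review bot: The translatable message on the new `error=_(...)` lines and the comment above the check both misspell "establish" as "estabilish", and the comment also reads "is not be able". Because the string goes through `_()`, the typo would be carried into the translation catalogs, so the first line should read `error=_('To establish trust with Active Directory, the '`. The `name=` argument of `errors.ValidationError` normally carries the offending parameter's name; if the error is rendered as "invalid '<name>': <error>", the admin would see "invalid 'Realm-domain mismatch': ...", so a parameter-style name or a different error class may read better. The comparison `api.env.domain.upper() != api.env.realm` normalises only the domain side, which looks like an oversight unless a comment says the realm is deliberately compared case-sensitively. The enclosing method starts and ends outside the hunk.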