authorAlexander Bokovoy <abokovoy@redhat.com>2013-10-03 12:30:44 +0200
committerMartin Kosek <mkosek@redhat.com>2013-10-04 10:25:31 +0200
commitd228b1bd70aeebb19fbf64ee64bbd662eda19fc4 (patch)
tree76113a53d65b690df0421cfae3ba8185daecdc2b /ipalib/plugins/trust.py
parent749111e6c2dfbb288c864a6cd2f5ac228f30bec1 (diff)
ipa-kdb: Handle parent-child relationship for subdomains
When MS-PAC information is re-initialized, record also the parent-child relationship between the trust root level domain and its subdomains. Use the parent's incoming SID black list to check whether a child domain is not allowed to access the IPA realm. We also should really use 'cn' of the entry as the domain name. ipaNTTrustPartner has a different meaning on the wire: it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, the trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initialization in case of a black list change. Trigger that by asking for a cross-realm TGT for the HTTP service.
Diffstat (limited to 'ipalib/plugins/trust.py')
-rw-r--r--ipalib/plugins/trust.py6
1 files changed, 6 insertions, 0 deletions
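diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f5cb1e756..f412c6185 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1286,6 +1286,9 @@ class trustdomain_enable(LDAPQuery):
 if sid in trust_entry['ipantsidblacklistincoming']:
 trust_entry['ipantsidblacklistincoming'].remove(sid)
 ldap.update_entry(trust_entry)
+ # Force MS-PAC cache re-initialization on KDC side
+ domval = ipaserver.dcerpc.DomainValidator(api)
+ (ccache_name, principal) = domval.kinit_as_http(keys[0])
 else:
 raise errors.AlreadyActive()
 except errors.NotFound:
@@ -1323,6 +1326,9 @@ class trustdomain_disable(LDAPQuery):
 if not (sid in trust_entry['ipantsidblacklistincoming']):
 trust_entry['ipantsidblacklistincoming'].append(sid)
 ldap.update_entry(trust_entry)
+ # Force MS-PAC cache re-initialization on KDC side
+ domval = ipaserver.dcerpc.DomainValidator(api)
+ (ccache_name, principal) = domval.kinit_as_http(keys[0])
 else:
 raise errors.AlreadyInactive()
 except errors.NotFound: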
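Review bot: The result of `domval.kinit_as_http(keys[0])` is bound to `(ccache_name, principal)` but neither name is used afterwards in this hunk, and the same pattern is repeated in the trustdomain_disable hunk; the call exists only for its side effect of forcing the KDC to refresh its MS-PAC cache, which the comment states but the assignment obscures. If kinit_as_http raises, the blacklist change has already been persisted by ldap.update_entry on the preceding line, so the command reports failure while the entry is already modified and the KDC keeps its stale view — for trustdomain-disable that means a domain the administrator just blacklisted may still be honoured until the cache is refreshed by other means. I would drop the unused tuple, `domval.kinit_as_http(keys[0])`, extend the comment to `# Force MS-PAC cache re-initialization on KDC side; the result is intentionally discarded, only the kinit side effect matters`, and catch a failure of that call explicitly with a logged warning so it cannot mask an otherwise completed update. Whether `ipaserver.dcerpc` is always importable at this point, and whether the credential cache named by the discarded ccache_name needs cleanup, depends on code outside the hunk. Both enclosing methods start and end outside their hunks.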