summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2013-11-27 12:17:43 +0200
committerMartin Kosek <mkosek@redhat.com>2013-11-29 13:13:55 +0100
commit32df84f04ba300020bbc232ed7119838ae31fea6 (patch)
tree93d2ba907819174af2f2b6cd5cd01fbc8fb494f7 /ipalib/plugins
parent2d86d7d85a67e47280828b749511d22050b58fa2 (diff)
downloadfreeipa-32df84f04ba300020bbc232ed7119838ae31fea6.tar.gz
freeipa-32df84f04ba300020bbc232ed7119838ae31fea6.tar.xz
freeipa-32df84f04ba300020bbc232ed7119838ae31fea6.zip
subdomains: Use AD admin credentials when trust is being established
When AD administrator credentials passed, they stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overidden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/trust.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5ba090503..3b1b2fc67 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1231,10 +1231,17 @@ api.register(trustdomain_del)
def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
trust_name = trust_entry['cn'][0]
creds = None
- password = options.get('realm_password', None)
+ password = options.get('realm_passwd', None)
if password:
- creds = u"%s%%%s" % (options.get('realm_admin'), password)
- domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds)
+ admin_name = options.get('realm_admin')
+ sp = admin_name.split('\\')
+ if len(sp) == 1:
+ sp.insert(0, trustinstance.remote_domain.info['name'])
+ creds = u"{name}%{password}".format(name="\\".join(sp),
+ password=password)
+ domains = ipaserver.dcerpc.fetch_domains(self.api,
+ trustinstance.local_flatname,
+ trust_name, creds=creds)
result = []
if not domains:
return None