| author | Alexander Bokovoy <abokovoy@redhat.com> | 2013-11-27 12:17:43 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-11-29 13:13:55 +0100 |
| commit | 32df84f04ba300020bbc232ed7119838ae31fea6 (patch) | |
| tree | 93d2ba907819174af2f2b6cd5cd01fbc8fb494f7 /ipalib/plugins | |
| parent | 2d86d7d85a67e47280828b749511d22050b58fa2 (diff) | |
subdomains: Use AD admin credentials when trust is being established
When AD administrator credentials are passed, they are stored in realm_passwd,
not realm_password, in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force the Samba auth module to use NTLMSSP in case we have
credentials, because at the point when the trust is established, the KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because the
credentials code makes decisions on what to use based on the smb.conf
parameters, and the Python bindings to set parameters to smb.conf make it so
that the auth module believes these parameters were overridden by the user
through the command line and ignores some of the options. We have to do the calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/trust.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5ba090503..3b1b2fc67 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1231,10 +1231,17 @@ api.register(trustdomain_del) def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None - password = options.get('realm_password', None) + password = options.get('realm_passwd', None) if password: - creds = u"%s%%%s" % (options.get('realm_admin'), password) - domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) + admin_name = options.get('realm_admin') + sp = admin_name.split('\\') + if len(sp) == 1: + sp.insert(0, trustinstance.remote_domain.info['name']) + creds = u"{name}%{password}".format(name="\\".join(sp), + password=password) + domains = ipaserver.dcerpc.fetch_domains(self.api, + trustinstance.local_flatname, + trust_name, creds=creds) result = [] if not domains: return None |
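Review bot: inside the `if password:` branch, `admin_name = options.get('realm_admin')` is followed directly by `admin_name.split('\\')`, so a caller that passes `realm_passwd` without `realm_admin` gets an `AttributeError` on `None` rather than a validation error; check that the admin name is present before splitting (or fall back to rejecting the request with a proper validation error) so the failure is reported as a bad option rather than a traceback. The `len(sp) == 1` check also only recognises the `DOMAIN\user` form: a UPN-style name such as `user@domain` has no backslash, so the remote domain name is prepended and the credential string becomes `DOMAIN\user@domain%password`, which is unlikely to be what the caller meant. Either document that `realm_admin` must be a bare or `DOMAIN\`-qualified user name, or handle the `@` form explicitly before building `creds`.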