path: root/ipaserver/
diff options
authorAlexander Bokovoy <>2012-07-16 13:12:42 +0300
committerAlexander Bokovoy <>2012-07-18 16:55:57 +0300
commitdadfbf9d153bcf8f7ce659981698ffa2292b3967 (patch)
tree8731760a4a4ef25aeeb1810431cac18611807bd5 /ipaserver/
parent2d75d8cc055887f354db947aac1d33e961e9c80c (diff)
Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form: Administrator, DOM\Administrator, Administrator@DOMAIN This patch introduces handling of the second two forms: - In DOM\Administrator only user name is used, short domain name is then taken from a discovered record from the AD DC - In Administrator@DOMAIN first DOMAIN is verified to be the same as the domain we are establishing trust to, and then user name is taken, together with short domain name taken from a discovered record from the AD DC Note that we do not support using to-be-trusted domain's trusted domains' accounts to establish trust as there is basically zero chance to verify that things will work with them. In addition, in order to establish trust one needs to belong to Enterprise Admins group in AD or have specially delegated permissions. These permissions are unlikely delegated to the ones in already trusted domain.
Diffstat (limited to 'ipaserver/')
1 files changed, 5 insertions, 0 deletions
diff --git a/ipaserver/ b/ipaserver/
index 07e40c2d3..6b830f65b 100644
--- a/ipaserver/
+++ b/ipaserver/
@@ -363,6 +363,11 @@ class TrustDomainJoins(object):
rd.read_only = True
if realm_admin and realm_passwd:
if 'name' in
+ names = realm_admin.split('\\')
+ if len(names) > 1:
+ # realm admin is in DOMAIN\user format
+ # strip DOMAIN part as we'll enforce the one discovered
+ realm_admin = names[-1]
auth_string = u"%s\%s%%%s" % (['name'], realm_admin, realm_passwd)
td = get_instance(self)