Add separate attribute to store trusted domain SID

We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191

1 files changed, 5 insertions, 1 deletions

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e052acf5e..03758dfcb 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -992,8 +992,12 @@ class ReplicationManager(object):
         dn2 = DN(u'cn=ipa-ldap-delegation-targets', api.env.container_s4u2proxy, self.suffix)
         member_principal2 = "ldap/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
 
+        dn3 = DN(u'cn=ipa-cifs-delegation-targets', api.env.container_s4u2proxy, self.suffix)
+        member_principal3 = "cifs/%(fqdn)s@%(realm)s" % dict(fqdn=replica, realm=realm)
+
         for (dn, member_principal) in ((str(dn1), member_principal1),
-                                       (str(dn2), member_principal2)):
+                                       (str(dn2), member_principal2),
+                                       (str(dn3), member_principal3)):
             try:
                 mod = [(ldap.MOD_DELETE, 'memberPrincipal', member_principal)]
                 self.conn.modify_s(dn, mod)