authorAlexander Bokovoy <abokovoy@redhat.com>2013-09-05 08:13:53 +0300
committerPetr Viktorin <pviktori@redhat.com>2013-09-20 09:59:02 +0200
commit9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95 (patch)
tree0e0f505cf3167b7a675d0b39e327e73ebae84f29 /ipaserver
parent316a9c215982527814089dc02be95fe14e635006 (diff)
ipa-sam: do not modify objectclass when trust object already created
When a trust is established, the last step done by the IPA framework is to set the encryption types associated with the trust. This operation fails because ipa-sam attempts to modify the object classes in the trust object entry, which is not allowed by the ACI. Additionally, the wrong handle was used by the dcerpc.py code when executing SetInformationTrustedDomain() against the IPA smbd, which prevented the code from even reaching the point where ipa-sam would be asked to modify the trust object.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/dcerpc.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a27a64d2f..bd8f5aadb 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -912,12 +912,21 @@ class TrustDomainInstance(object):
raise assess_dcerpc_exception(num=num, message=message)
try:
+ # We should use proper trustdom handle in order to modify the
+ # trust settings. Samba insists this has to be done with LSA
+ # OpenTrustedDomain* calls, it is not enough to have a handle
+ # returned by the CreateTrustedDomainEx2 call.
+ trustdom_handle = self._pipe.OpenTrustedDomainByName(self._policy_handle, dname, security.SEC_FLAG_MAXIMUM_ALLOWED)
infoclass = lsa.TrustDomainInfoSupportedEncTypes()
infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass)
except RuntimeError, e:
+ # We can ignore the error here -- changing enctypes is for
+ # improved security but the trust will work with default values as
+ # well. In particular, the call may fail against Windows 2003
+ # server as that one doesn't support AES encryption types
pass
def verify_trust(self, another_domain):
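Review bot: The `except RuntimeError, e:` branch still ends in `pass`, so a failed SetInformationTrustedDomain leaves the trust on its default encryption types without any trace, and the bound `e` is never used; the enclosing method starts outside the hunk. The added comment itself says the call may fail against Windows 2003, and that fallback weakens the Kerberos traffic crossing the trust, so the administrator should at least be able to see it: replace `pass` with a warning through the logger this module already uses, e.g. `root_logger.warning("Unable to set trust encryption types, using defaults: %s", e)` if `root_logger` is what dcerpc.py imports, or otherwise drop the unused `e`. The new OpenTrustedDomainByName call requests SEC_FLAG_MAXIMUM_ALLOWED although the handle is only used to set trust information; if Samba's lsa bindings expose a narrower access mask for that operation it would be the least-privilege choice, though the maximum-allowed request is not incorrect on its own.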