authorAlexander Bokovoy <abokovoy@redhat.com>2014-08-19 16:24:27 +0300
committerMartin Kosek <mkosek@redhat.com>2014-09-01 08:42:52 +0200
commit90227f817eb27d0d4308b22f8dcf028dc2925689 (patch)
treebb15ce46363c7735b07e296d67b69997d06a7931 /ipaserver
parentd16b471ceaa59fceed3235c36536f6811bd5de8c (diff)
ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
Part of https://fedorahosted.org/freeipa/ticket/4463 Reviewed-By: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/dcerpc.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 51b314f94..3944b19e0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1151,6 +1151,9 @@ class TrustDomainJoins(object):
realm_passwd
)
+ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
if not self.remote_domain.read_only:
trustdom_pass = samba.generate_random_password(128, 128)
self.get_realmdomains()
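Review bot: The added forest-root guard compares `info['dns_domain']` and `info['dns_forest']` with a case-sensitive `!=`, although DNS names are case-insensitive, so a forest root whose two names differ only in letter case would be rejected with NotAForestRootError. The failure is on the safe side, but normalising both sides is more robust, e.g. `info = self.remote_domain.info` followed by `if info['dns_domain'].lower() != info['dns_forest'].lower():`. The same two lines are repeated verbatim in the second hunk (`@@ -1167`), so a small private helper on TrustDomainJoins called from both places would keep the two checks from drifting apart and shorten the over-long lines. The enclosing method starts and ends outside the hunk.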
@@ -1167,5 +1170,8 @@ class TrustDomainJoins(object):
if not(isinstance(self.remote_domain, TrustDomainInstance)):
self.populate_remote_domain(realm, realm_server, realm_passwd=None)
+ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
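Review bot: A short comment above the added check would tell readers how far this guard can be relied on. In this path `populate_remote_domain` is called with `realm_passwd=None`, so the `dns_domain` and `dns_forest` values presumably come from discovery without credentials and reflect what the remote server reports about itself. Something like `# Only a forest root domain may be trusted; names are as reported by the remote DC during discovery` would make that explicit. When `self.remote_domain` is already a TrustDomainInstance the check runs against previously gathered info, which is worth mentioning in the same comment. The method starts outside the hunk.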