-rw-r--r-- | ipalib/plugins/trust.py | 8 | ||||
-rw-r--r-- | ipaserver/dcerpc.py | 5 |
2 files changed, 13 insertions, 0 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 2932835e0..792e6cac2 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -180,6 +180,14 @@ class trust_add(LDAPCreate):
 # generate random trustdom password to do work on both sides
 if 'realm_admin' in options:
 realm_admin = options['realm_admin']
+ names = realm_admin.split('@')
+ if len(names) > 1:
+ # realm admin name is in UPN format, user@realm, check that
+ # realm is the same as the one that we are attempting to trust
+ if keys[-1].lower() != names[-1].lower():
+ raise errors.ValidationError(name=_('AD Trust setup'),
+ error=_('Trusted domain and administrator account use different realms'))
+ realm_admin = names[0]
 if 'realm_passwd' not in options:
 raise errors.ValidationError(name=_('AD Trust setup'),
 error=_('Realm administrator password should be specified'))
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 07e40c2d3..6b830f65b 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -363,6 +363,11 @@ class TrustDomainJoins(object):
 rd.read_only = True
 if realm_admin and realm_passwd:
 if 'name' in rd.info:
+ names = realm_admin.split('\\')
+ if len(names) > 1:
+ # realm admin is in DOMAIN\user format
+ # strip DOMAIN part as we'll enforce the one discovered
+ realm_admin = names[-1]
 auth_string = u"%s\%s%%%s" % (rd.info['name'], realm_admin, realm_passwd)
 td = get_instance(self)
 td.creds.parse_string(auth_string) |
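Review bot: The UPN parsing at `names = realm_admin.split('@')` accepts any number of `@` separators and an empty user part. An input such as `a@b@REALM` passes the realm check and is silently reduced to `a`, and `@REALM` leaves `realm_admin` as an empty string. Splitting once from the right, `user, sep, realm = realm_admin.rpartition('@')`, and raising the same `errors.ValidationError` when `sep and not user`, keeps the realm comparison and makes the accepted format explicit. The comments could also state that `keys[-1]` is the domain being trusted, since the check depends on that. The enclosing method starts and ends outside the hunk, so how `realm_admin` is used afterwards is not visible here.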
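Review bot: The `DOMAIN\user` branch at `realm_admin = names[-1]` throws away the typed domain without comparing it to `rd.info['name']`, whereas the UPN branch in trust.py rejects a mismatching realm. A mistyped or unrelated domain prefix is therefore silently rewritten to the discovered one, and the password is then tried against that domain. If the two names are in a comparable form, a guard such as `if names[0].lower() != rd.info['name'].lower():` followed by the module's usual error would make the two paths consistent; otherwise the comment should say why a mismatch is acceptable. The result is also formatted into a `%`-delimited string for `parse_string`, so a `%` left in `realm_admin` would presumably shift the user/password boundary and is worth rejecting before formatting. The enclosing method starts and ends outside the hunk.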