From 52e2ec266a293891819682487e37644ffcf11e4a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 6 Jul 2015 14:46:24 +0000
Subject: trust: support retrieving POSIX IDs with one-way trust during trust-add
With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos.
Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959
---
 install/oddjob/com.redhat.idm.trust-fetch-domains | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'install/oddjob/com.redhat.idm.trust-fetch-domains')
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 2571dd09a..85e3cc993 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -186,7 +186,9 @@ if domains:
 if idrange_type != u'ipa-ad-trust-posix':
 range_name = name.upper() + '_id_range'
 dom['range_type'] = u'ipa-ad-trust'
- trust.add_range(range_name, dom['ipanttrusteddomainsid'],
+ # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range
+ # to force it using existing credentials cache
+ trust.add_range(None, range_name, dom['ipanttrusteddomainsid'],
 trusted_domain, name, **dom)
 except errors.DuplicateEntry:
 # Ignore updating duplicate entries
-- cgit
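Review bot: The bare `None` passed as the first argument of `trust.add_range` makes the range lookup authenticate with whatever Kerberos credentials cache the process already holds, and the added comment does not say which cache or principal that is. The comment should name where that cache comes from so a reader can check the identity used, e.g. `# Pass None instead of a TrustInstance: add_range then uses the existing credentials cache (set up at <location of ccache setup in this helper>)`. The enclosing `try` starts outside the hunk and the only handler visible here is `errors.DuplicateEntry`, so it is worth confirming that a missing or expired cache is reported clearly rather than surfacing as an unrelated error. The changed `add_range` signature is not part of this single-file view, so its other callers cannot be checked from here.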