From 90227f817eb27d0d4308b22f8dcf028dc2925689 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 19 Aug 2014 16:24:27 +0300
Subject: ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
Part of https://fedorahosted.org/freeipa/ticket/4463
Reviewed-By: Sumit Bose
---
 ipaserver/dcerpc.py | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'ipaserver')
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 51b314f94..3944b19e0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1151,6 +1151,9 @@ class TrustDomainJoins(object):
 realm_passwd
 )

+ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
 if not self.remote_domain.read_only:
 trustdom_pass = samba.generate_random_password(128, 128)
 self.get_realmdomains()
@@ -1167,5 +1170,8 @@ class TrustDomainJoins(object):
 if not(isinstance(self.remote_domain, TrustDomainInstance)):
 self.populate_remote_domain(realm, realm_server, realm_passwd=None)

+ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
 self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
 return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
-- cgit
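Review bot: The forest-root guard added after the `populate_remote_domain(...)` call compares the two DNS names with a plain, case-sensitive `!=`. DNS names are case-insensitive, so if the values in `remote_domain.info` ever differ only in letter case (how they are filled in is not visible in this hunk), a genuine forest root would be rejected with NotAForestRootError. That failure is on the safe side because no trust gets created, but normalising both sides avoids it, e.g. `if self.remote_domain.info['dns_domain'].lower() != self.remote_domain.info['dns_forest'].lower():`. The same comparison is repeated in the second hunk (`@@ -1167,5 +1170,8 @@`) and needs the same change. The enclosing method starts before this hunk.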
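Review bot: The guard placed before `self.local_domain.establish_trust(...)` is a verbatim copy of the two lines added in the first hunk, so a later change to the forest-root rule has to be made in two places, and missing one would leave one join path without the restriction. A small private method on TrustDomainJoins, called from both sites, would keep the two paths identical and give the rule one documented home; it also shortens the very long `raise` line. The method name below is only a suggestion, and the enclosing method begins outside the hunk.

```python
    def _require_forest_root(self):
        # Trust must be established only to the forest root domain.
        info = self.remote_domain.info
        if info['dns_domain'] != info['dns_forest']:
            raise errors.NotAForestRootError(forest=info['dns_forest'],
                                             domain=info['dns_domain'])

        # … unchanged: populate_remote_domain call …
        self._require_forest_root()
        self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
```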