diff options
-rw-r--r-- | ipalib/plugins/trust.py | 13 | ||||
-rw-r--r-- | ipaserver/dcerpc.py | 42 |
2 files changed, 38 insertions, 17 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5ba090503..3b1b2fc67 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1231,10 +1231,17 @@ api.register(trustdomain_del) def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None - password = options.get('realm_password', None) + password = options.get('realm_passwd', None) if password: - creds = u"%s%%%s" % (options.get('realm_admin'), password) - domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) + admin_name = options.get('realm_admin') + sp = admin_name.split('\\') + if len(sp) == 1: + sp.insert(0, trustinstance.remote_domain.info['name']) + creds = u"{name}%{password}".format(name="\\".join(sp), + password=password) + domains = ipaserver.dcerpc.fetch_domains(self.api, + trustinstance.local_flatname, + trust_name, creds=creds) result = [] if not domains: return None diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 0dde3473b..d809c416b 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -655,7 +655,7 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) - def __init_lsa_pipe(self, remote_host): + def init_lsa_pipe(self, remote_host): """ Try to initialize connection to the LSA pipe at remote host. This method tries consequently all possible transport options @@ -692,7 +692,7 @@ class TrustDomainInstance(object): """ There are multiple transports to issue LSA calls. However, depending on a system in use they may be blocked by local operating system policies. - Generate all we can use. __init_lsa_pipe() will try them one by one until + Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. @@ -753,7 +753,7 @@ class TrustDomainInstance(object): return naming_ref.match(context).group(1) def retrieve(self, remote_host): - self.__init_lsa_pipe(remote_host) + self.init_lsa_pipe(remote_host) objectAttribute = lsa.ObjectAttribute() objectAttribute.sec_qos = lsa.QosInfo() @@ -964,34 +964,48 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040) def communicate(td): - td.creds.guess(td.parm) - netrc = net.Net(creds=td.creds, lp=td.parm) - try: - result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) - except RuntimeError, e: - raise assess_dcerpc_exception(message=str(e)) - if not result: - return None - td.retrieve(unicode(result.pdc_dns_name)) - + td.init_lsa_pipe(td.info['dc']) netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) return domains domains = None + domain_validator = DomainValidator(api) + configured = domain_validator.is_configured() + if not configured: + return None + td = TrustDomainInstance('') td.parm.set('workgroup', mydomain) - td.creds = credentials.Credentials() + cr = credentials.Credentials() + cr.set_kerberos_state(credentials.DONT_USE_KERBEROS) + cr.guess(td.parm) + cr.set_anonymous() + cr.set_workstation(domain_validator.flatname) + netrc = net.Net(creds=cr, lp=td.parm) + try: + result = netrc.finddc(domain=trustdomain, + flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) + except RuntimeError, e: + raise assess_dcerpc_exception(message=str(e)) + + td.info['dc'] = unicode(result.pdc_dns_name) if creds is None: domval = DomainValidator(api) (ccache_name, principal) = domval.kinit_as_http(trustdomain) + td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) if ccache_name: with installutils.private_ccache(path=ccache_name): + td.creds.guess(td.parm) + td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) else: + td.creds = credentials.Credentials() td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) + td.creds.guess(td.parm) td.creds.parse_string(creds) + td.creds.set_workstation(domain_validator.flatname) domains = communicate(td) if domains is None: |