From d228b1bd70aeebb19fbf64ee64bbd662eda19fc4 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 3 Oct 2013 12:30:44 +0200 Subject: ipa-kdb: Handle parent-child relationship for subdomains When MS-PAC information is re-initialized, record also parent-child relationship between trust root level domain and its subdomains. Use parent incoming SID black list to check if child domain is not allowed to access IPA realm. We also should really use 'cn' of the entry as domain name. ipaNTTrustPartner has different meaning on wire, it is an index pointing to the parent domain of the domain and will be 0 for top level domains or disjoint subdomains of the trust. Finally, trustdomain-enable and trustdomain-disable commands should force MS-PAC cache re-initalization in case of black list change. Trigger that by asking for cross-realm TGT for HTTP service. --- ipalib/plugins/trust.py | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'ipalib/plugins') diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index f5cb1e75..f412c618 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1286,6 +1286,9 @@ class trustdomain_enable(LDAPQuery): if sid in trust_entry['ipantsidblacklistincoming']: trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) + # Force MS-PAC cache re-initialization on KDC side + domval = ipaserver.dcerpc.DomainValidator(api) + (ccache_name, principal) = domval.kinit_as_http(keys[0]) else: raise errors.AlreadyActive() except errors.NotFound: @@ -1323,6 +1326,9 @@ class trustdomain_disable(LDAPQuery): if not (sid in trust_entry['ipantsidblacklistincoming']): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) + # Force MS-PAC cache re-initialization on KDC side + domval = ipaserver.dcerpc.DomainValidator(api) + (ccache_name, principal) = domval.kinit_as_http(keys[0]) else: raise errors.AlreadyInactive() except errors.NotFound: -- cgit