diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2013-09-05 08:13:53 +0300 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2013-09-20 09:59:02 +0200 |
| commit | 9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95 (patch) | |
| tree | 0e0f505cf3167b7a675d0b39e327e73ebae84f29 /ipaserver | |
| parent | 316a9c215982527814089dc02be95fe14e635006 (diff) | |
| download | freeipa-9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95.tar.gz freeipa-9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95.tar.xz freeipa-9cf8ec79c9e9d05ce9f21b4b187077e1fa650c95.zip | |
ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.
Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/dcerpc.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index a27a64d2f..bd8f5aadb 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -912,12 +912,21 @@ class TrustDomainInstance(object): raise assess_dcerpc_exception(num=num, message=message) try: + # We should use proper trustdom handle in order to modify the + # trust settings. Samba insists this has to be done with LSA + # OpenTrustedDomain* calls, it is not enough to have a handle + # returned by the CreateTrustedDomainEx2 call. + trustdom_handle = self._pipe.OpenTrustedDomainByName(self._policy_handle, dname, security.SEC_FLAG_MAXIMUM_ALLOWED) infoclass = lsa.TrustDomainInfoSupportedEncTypes() infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5 infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass) except RuntimeError, e: + # We can ignore the error here -- changing enctypes is for + # improved security but the trust will work with default values as + # well. In particular, the call may fail against Windows 2003 + # server as that one doesn't support AES encryption types pass def verify_trust(self, another_domain): |