authorMartin Babinsky <mbabinsk@redhat.com>2016-08-31 13:59:14 +0200
committerMartin Basti <mbasti@redhat.com>2016-08-31 15:07:09 +0200
commitf32e0e4e522e09390f4295dd79f52d7a48877d3a (patch)
tree30a4d96c4cb41cbff56bd37b1fa7ab6196448669
parent60e88038c43c2ea2afc7e48f3e8dbd9bcfe955e8 (diff)
do not use trusted forest name to construct domain admin principal
When `trust-add` is supplied AD domain admin name without realm component, the code appends the uppercased AD forest root domain name to construct the full principal. This can cause authentication error, however, when external trust with non-root domain is requested. We should instead use the supplied DNS domain name (if valid) as a realm component. https://fedorahosted.org/freeipa/ticket/6277 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipaserver/plugins/trust.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 26f85c26f..65dc1f45a 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -319,7 +319,7 @@ def generate_creds(trustinstance, style, **options):
else:
sp = admin_name.split(sep)
if len(sp) == 1:
- sp.append(trustinstance.remote_domain.info['dns_forest'].upper())
+ sp.append(trustinstance.remote_domain.info['dns_domain'].upper())
creds = u"{name}%{password}".format(name=sep.join(sp),
password=password)
return creds
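Review bot: The added `sp.append(...)` line reads `trustinstance.remote_domain.info['dns_domain']` with no visible check that the key is present and non-empty, although the commit message says the supplied DNS domain is used "if valid". If that validation does not happen earlier (`generate_creds` starts outside this hunk, so this is an assumption to confirm), a missing value surfaces as a `KeyError`, or as a principal with an empty realm that fails authentication later with a less helpful error. Consider fetching it once with `realm = trustinstance.remote_domain.info.get('dns_domain')` and failing with a clear error when it is empty. A short why-comment above the append would also stop a future cleanup from reverting it, for example `# use the target domain, not the forest root: an external trust may point at a non-root domain`. The same branch only handles `len(sp) == 1`, so a name containing the separator more than once is joined back unchanged; a comment stating that this is intended would help.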