author | Martin Babinsky <mbabinsk@redhat.com> | 2016-09-01 18:14:22 +0200 |
---|---|---|
committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-09-05 09:20:55 +0200 |
commit | 4ca671788cc54a00de6a55a2529df6126da14d88 (patch) | |
tree | 9ca41d1c4e1632306637704d2b361aa9f57136f3 /install/oddjob | |
parent | c789b17b2e28ed9008fee076a0db72fe90f7e93f (diff) | |
Always fetch forest info from root DCs when establishing one-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to
the root domain DCs to resolve trust topology information.
This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
helper used to establish one-way trust needs to explicitly contact root domain DCs
even in the case when an external trust to a non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'install/oddjob')
-rwxr-xr-x | install/oddjob/com.redhat.idm.trust-fetch-domains | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index bffa021cd..32406ac92 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -40,6 +40,24 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
         pass
+def get_forest_root_domain(api_instance, trusted_domain):
+    """
+    retrieve trusted forest root domain for given domain name
+
+    :param api_instance: IPA API instance
+    :param trusted_domain: trusted domain name
+
+    :returns: forest root domain DNS name
+    """
+    trustconfig_show = api_instance.Command.trustconfig_show
+    flatname = trustconfig_show()['result']['ipantflatname'][0]
+
+    remote_domain = dcerpc.retrieve_remote_domain(
+        api_instance.env.host, flatname, trusted_domain)
+
+    return remote_domain.info['dns_forest']
+
+
 def parse_options():
     usage = "%prog <trusted domain name>\n"
     parser = config.IPAOptionParser(usage=usage,
@@ -169,7 +187,12 @@ except gssapi.exceptions.GSSError:
 # We are done: we have ccache with TDO credentials and can fetch domains
 ipa_domain = api.env.domain
 os.environ['KRB5CCNAME'] = oneway_ccache_name
-domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True)
+
+# retrieve the forest root domain name and contact it to retrieve trust
+# topology info
+forest_root = get_forest_root_domain(api, trusted_domain)
+
+domains = dcerpc.fetch_domains(api, ipa_domain, forest_root, creds=True)
 trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result']
 trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
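Review bot: The value returned by `get_forest_root_domain` is taken verbatim from the remote DC's response (`remote_domain.info['dns_forest']`), and the function neither checks that `retrieve_remote_domain` produced a usable object nor records which forest root was resolved, so a missing or empty `dns_forest` surfaces as a bare `KeyError`/`AttributeError` far from its cause. I would guard the lookup and log the outcome, since the name drives which DCs the helper subsequently contacts with the TDO credentials: `forest_root = remote_domain.info.get('dns_forest')` followed by `if not forest_root: raise RuntimeError("Could not determine forest root for %s" % trusted_domain)`, plus a `root_logger`-style debug line naming `trusted_domain` and the resolved root (whatever logger the script already uses is outside this hunk). The docstring could also say where the value comes from, e.g. `Resolve the DNS name of the forest root domain for *trusted_domain*, as reported by the remote DC's netlogon information.` The preceding `pass` belongs to `retrieve_keytab`, whose body starts outside the hunk.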
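Review bot: The new `get_forest_root_domain(api, trusted_domain)` call runs after `KRB5CCNAME` has been pointed at the TDO ccache and outside any `try`, so a failed remote lookup (the only visible handler, `except gssapi.exceptions.GSSError`, ends before this hunk and does not cover it) ends the helper with an unhandled traceback rather than the error reporting the script uses elsewhere. Wrapping the call and reporting the failure the same way as the earlier credential step would keep the oddjob output consistent; the exact error type depends on `dcerpc.retrieve_remote_domain`, which is not shown here. The comment also repeats "retrieve"; `# resolve the forest root domain and query it for the trust topology` reads better. This hunk sits in the script's top-level flow, which continues outside it.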