author | Alexander Bokovoy <abokovoy@redhat.com> | 2016-08-15 18:32:25 +0300 |
---|---|---|
committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-08-22 13:38:18 +0200 |
commit | 9b3819ea94d3fd8e866d38ccba2051446d057ecd (patch) | |
tree | 4225dec0cf7f7237f682f226f759a745d10ebd87 /ipaserver/plugins | |
parent | 6332cb3125a42c1bf2680309b5480155e40d3d87 (diff) | |
download | freeipa-9b3819ea94d3fd8e866d38ccba2051446d057ecd.tar.gz freeipa-9b3819ea94d3fd8e866d38ccba2051446d057ecd.tar.xz freeipa-9b3819ea94d3fd8e866d38ccba2051446d057ecd.zip |
trust: make sure external trust topology is correctly rendered
When external trust is established, it is by definition
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.
Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.
Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.
https://fedorahosted.org/freeipa/ticket/6021
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/trust.py | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index f2e0b1ee4..8a25b560f 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1663,6 +1663,23 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt
 for x, y in six.iteritems(domains['suffixes'])
 if x not in domains['domains'])
+ try:
+ dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad')
+ ldap = myapi.Backend.ldap2
+ entry = ldap.get_entry(dn)
+ tlns = entry.get('ipantadditionalsuffixes', [])
+ tlns.extend(x for x in suffixes if x not in tlns)
+ entry['ipantadditionalsuffixes'] = tlns
+ ldap.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
+ is_nontransitive = int(trust_entry.get('ipanttrustattributes',
+ [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
+
+ if is_nontransitive:
+ return result
+
 for dom in six.itervalues(domains['domains']):
 dom['trust_type'] = u'ad'
 try:
@@ -1686,17 +1703,6 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt
 # Ignore updating duplicate entries
 pass
- try:
- dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad')
- ldap = myapi.Backend.ldap2
- entry = ldap.get_entry(dn)
- tlns = entry.get('ipantadditionalsuffixes', [])
- tlns.extend(x for x in suffixes if x not in tlns)
- entry['ipantadditionalsuffixes'] = tlns
- ldap.update_entry(entry)
- except errors.EmptyModlist:
- pass
-
 return result |
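Review bot: The early `return result` added for the non-transitive case carries no comment, so the reason a non-transitive trust skips the per-domain loop that follows lives only in the commit message, and a reader of the file sees an unexplained bail-out placed between the suffix update and the domain loop. I would add, directly above the `is_nontransitive` assignment, `# External (non-transitive) trust: only the trusted domain itself is reachable, so record its UPN suffixes but do not add the rest of the forest's domains.` The `int(trust_entry.get('ipanttrustattributes', [0])[0])` expression also assumes that, when the attribute is present, it is a non-empty list whose first value parses as an integer; if the entry can ever carry an empty or non-numeric value there (not visible from this hunk), the call raises IndexError/ValueError and the whole trust addition fails rather than defaulting to the transitive path. add_new_domains_from_trust, and the names `suffixes`, `trust_name` and `result` the new lines rely on, begin outside the hunk.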