From f32e0e4e522e09390f4295dd79f52d7a48877d3a Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 31 Aug 2016 13:59:14 +0200
Subject: do not use trusted forest name to construct domain admin principal
When `trust-add` is supplied AD domain admin name without realm component, the code appends the uppercased AD forest root domain name to construct the full principal. This can cause authentication error, however, when external trust with non-root domain is requested. We should instead use the supplied DNS domain name (if valid) as a realm component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy
---
 ipaserver/plugins/trust.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 26f85c26f..65dc1f45a 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -319,7 +319,7 @@ def generate_creds(trustinstance, style, **options):
 else:
 sp = admin_name.split(sep)
 if len(sp) == 1:
- sp.append(trustinstance.remote_domain.info['dns_forest'].upper())
+ sp.append(trustinstance.remote_domain.info['dns_domain'].upper())
 creds = u"{name}%{password}".format(name=sep.join(sp), password=password)
 return creds
-- cgit
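Review bot: The fallback on the added `sp.append(...)` line has no comment saying which realm a bare admin name is qualified with, and that choice decides which realm the operator's password is presented to. I would add above it `# A bare admin name is qualified with the realm of the domain being trusted, not the forest root; an admin from another domain must pass name@REALM`. With this change, a forest-root administrator given without a realm while trusting a non-root domain would presumably be tried in the non-root realm and fail, so the `trust-add` admin option help text may deserve the same sentence. `generate_creds` starts and ends outside the hunk, so how `info['dns_domain']` is populated and validated cannot be confirmed from the visible lines.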