The Identity, Policy and Audit system
CentOS Sources
2016-11-03 403b09ab980c02ef36095973349a13e0181c794a
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
From 1db0d09a59c6fbfdfd080f9f78f5a5d9b61e2c19 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 13 Sep 2016 15:59:40 +0200
Subject: [PATCH] trust-fetch-domains: contact forest DCs when fetching trust
 domain info
 
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.
 
https://fedorahosted.org/freeipa/ticket/6328
 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/trust.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
 
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index b3cb56c14496c0d56d3f3fedddee8d123f929344..720a45a4d12d59f00e3e63f2b4f62edd45646065 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1739,15 +1739,20 @@ class trust_fetch_domains(LDAPRetrieve):
         ldap = self.api.Backend.ldap2
         verify_samba_component_presence(ldap, self.api)
 
-        trust = self.api.Command.trust_show(keys[0], raw=True)['result']
+        trust = self.api.Command.trust_show(
+            keys[0], all=True, raw=True)['result']
 
         result = dict()
         result['result'] = []
         result['count'] = 0
         result['truncated'] = False
 
-        # For one-way trust fetch over DBus. we don't get the list in this case.
-        if int(trust['ipanttrustdirection'][0]) != TRUST_BIDIRECTIONAL:
+        trust_direction = int(trust['ipanttrustdirection'][0])
+        is_nontransitive = int(trust.get('ipanttrustattributes',
+                               [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
+        # For one-way trust and external trust fetch over DBus.
+        # We don't get the list in this case.
+        if trust_direction != TRUST_BIDIRECTIONAL or is_nontransitive:
             fetch_trusted_domains_over_dbus(self.api, self.log, keys[0])
             result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.'))
             return result
@@ -1762,6 +1767,9 @@ class trust_fetch_domains(LDAPRetrieve):
                     'on the IPA server first'
                 )
             )
+
+        trustinstance.populate_remote_domain(keys[0])
+
         res = fetch_domains_from_trust(self.api, trustinstance, **options)
         domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)
 
-- 
2.7.4