areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch

9991ea
From f06e746602f34a1c60580fe3bbb105a8a1cab8a2 Mon Sep 17 00:00:00 2001
9991ea
From: Alexander Bokovoy <abokovoy@redhat.com>
9991ea
Date: Wed, 12 Mar 2014 19:01:00 +0200
9991ea
Subject: [PATCH 60/60] trust: do not fetch subdomains in case shared secret
9991ea
 was used to set up the trust
9991ea
9991ea
Until incoming trust is validated from AD side, we cannot run any operations
9991ea
against AD using the trust. Also, Samba currently does not suport verifying
9991ea
trust against the other party (returns WERR_NOT_SUPPORTED).
9991ea
9991ea
This needs to be added to the documentation:
9991ea
9991ea
   When using 'ipa trust-add ad.domain --trust-secret', one has to manually
9991ea
   validate incoming trust using forest trust properties in AD Domains and
9991ea
   Trusts tool.
9991ea
9991ea
   Once incoming trust is validated at AD side, use IPA command
9991ea
   'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
9991ea
   From this point on the trust should be usable.
9991ea
9991ea
https://fedorahosted.org/freeipa/ticket/4246
9991ea
9991ea
Reviewed-By: Martin Kosek <mkosek@redhat.com>
9991ea
---
9991ea
 ipalib/plugins/trust.py | 3 ++-
9991ea
 1 file changed, 2 insertions(+), 1 deletion(-)
9991ea
9991ea
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
9991ea
index f2b00a6f58f5890e37aaa033a35dcf9bc39ccbc4..fe2795cad86e173a150f35db6301119930463a10 100644
9991ea
--- a/ipalib/plugins/trust.py
9991ea
+++ b/ipalib/plugins/trust.py
9991ea
@@ -462,7 +462,8 @@ def execute(self, *keys, **options):
9991ea
         # for AD trusts, regardless of the type of idranges associated with it
9991ea
         # Note that fetch_domains_from_trust will add needed ranges for
9991ea
         # the algorithmic ID mapping case.
9991ea
-        if options.get('trust_type') == u'ad':
9991ea
+        if (options.get('trust_type') == u'ad' and
9991ea
+            options.get('trust_secret') is None):
9991ea
             domains = fetch_domains_from_trust(self, self.trustinstance,
9991ea
                                                result['result'], **options)
9991ea
 
9991ea
-- 
9991ea
1.8.5.3
9991ea