From c8f3d08c4b90bf89dd4c180d14ced95c14692ff7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 31 Aug 2016 13:59:14 +0200
Subject: [PATCH] do not use trusted forest name to construct domain admin
principal
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/trust.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index b9d9b122a90de62946307b99b44932129eb611e8..8ed96c253e7c7862f60ad668aa6c252038274624 100644
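--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -319,7 +319,7 @@ def generate_creds(trustinstance, style, **options):
 else:
 sp = admin_name.split(sep)
 if len(sp) == 1:
- sp.append(trustinstance.remote_domain.info['dns_forest'].upper())
+ sp.append(trustinstance.remote_domain.info['dns_domain'].upper())
 creds = u"{name}%{password}".format(name=sep.join(sp),
 password=password)
 return creds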
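Review bot: The realm appended at `sp.append(trustinstance.remote_domain.info['dns_domain'].upper())` is read unconditionally, while the commit message says the supplied DNS domain name is used only "if valid". No validity check or fallback is visible in this hunk, so it presumably happens before `generate_creds` runs, which is worth confirming. The line also deserves a why-comment, because this choice decides which realm the administrator's password is presented to, e.g. `# realm is the trusted domain itself, not the forest root: an external trust to a non-root domain authenticates against that domain`. A bare admin name now appears to be always completed with the target domain, so an administrator whose account lives in the forest root would have to pass the full principal, and the `trust-add` help for the admin name could say so. `generate_creds` starts outside the hunk, so how `sep` and `admin_name` are set is not reviewed here.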
--
2.7.4