From 1db0d09a59c6fbfdfd080f9f78f5a5d9b61e2c19 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 13 Sep 2016 15:59:40 +0200
Subject: [PATCH] trust-fetch-domains: contact forest DCs when fetching trust
domain info
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.
https://fedorahosted.org/freeipa/ticket/6328
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/trust.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index b3cb56c14496c0d56d3f3fedddee8d123f929344..720a45a4d12d59f00e3e63f2b4f62edd45646065 100644
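--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1739,15 +1739,20 @@ class trust_fetch_domains(LDAPRetrieve):
 ldap = self.api.Backend.ldap2
 verify_samba_component_presence(ldap, self.api)
 
- trust = self.api.Command.trust_show(keys[0], raw=True)['result']
+ trust = self.api.Command.trust_show(
+ keys[0], all=True, raw=True)['result']
 
 result = dict()
 result['result'] = []
 result['count'] = 0
 result['truncated'] = False
 
- # For one-way trust fetch over DBus. we don't get the list in this case.
- if int(trust['ipanttrustdirection'][0]) != TRUST_BIDIRECTIONAL:
+ trust_direction = int(trust['ipanttrustdirection'][0])
+ is_nontransitive = int(trust.get('ipanttrustattributes',
+ [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
+ # For one-way trust and external trust fetch over DBus.
+ # We don't get the list in this case.
+ if trust_direction != TRUST_BIDIRECTIONAL or is_nontransitive:
 fetch_trusted_domains_over_dbus(self.api, self.log, keys[0])
 result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.'))
 return result
@@ -1762,6 +1767,9 @@ class trust_fetch_domains(LDAPRetrieve):
 'on the IPA server first'
 )
 )
+
+ trustinstance.populate_remote_domain(keys[0])
+
 res = fetch_domains_from_trust(self.api, trustinstance, **options)
 domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)
 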
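Review bot: `is_nontransitive` in the first hunk holds the masked integer rather than a boolean, and the `[0]` default means a trust entry without `ipanttrustattributes` is silently treated as transitive and, when bidirectional, takes the direct Samba path that the commit message says runs with the HTTP principal's credentials. Because this condition selects between the DBus helper and direct contact with the forest root, I would make it explicit with `trust_attrs = int(trust.get('ipanttrustattributes', [0])[0])` followed by `is_nontransitive = bool(trust_attrs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE)`, plus a comment that a missing attribute is read as 0. The `all=True` added to `trust_show` presumably exists so that this attribute is returned; a one-line comment there would keep it from being dropped in a later cleanup. In the second hunk `trustinstance.populate_remote_domain(keys[0])` has no visible error handling, but the enclosing method starts and ends outside both hunks, so a handler may already surround it.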
--
2.7.4