From e9fdf223cdb39e685ad9c57a7348016917d5cba2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 20 Aug 2015 15:12:42 +0300
Subject: [PATCH] trusts: format Kerberos principal properly when fetching
trust topology
For bidirectional trust if we have AD administrator credentials, we
should be using them with Kerberos authentication. If we don't have
AD administrator credentials, we should be using
HTTP/ipa.master@IPA.REALM credentials. This means we should ask
formatting 'creds' object in Kerberos style.
For one-way trust we'll be fetching trust topology as TDO object,
authenticating with pre-created Kerberos credentials cache, so in all
cases we do use Kerberos authentication to talk to Active Directory
domain controllers over cross-forest trust link.
Part of trust refactoring series.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Fixes: https://fedorahosted.org/freeipa/ticket/5182
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
ipalib/plugins/trust.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index c7546692bdd8dd827ee9772b72a758042d97aa71..173463ae7d4134b5bd155cc5fa920bfabd0a6958 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1479,7 +1479,12 @@ class trustdomain_del(LDAPDelete):
def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
trust_name = trust_entry['cn'][0]
- creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options)
+ # We want to use Kerberos if we have admin credentials even with SMB calls
+ # as eventually use of NTLMSSP will be deprecated for trusted domain operations
+ # If admin credentials are missing, 'creds' will be None and fetch_domains
+ # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
+ # as well.
+ creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
server = options.get('realm_server', None)
domains = ipaserver.dcerpc.fetch_domains(myapi,
trustinstance.local_flatname,
--
2.4.3