From efdbea05f716700d8ed659430a6b501b41de0e54 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 19 Oct 2017 13:21:05 +0300
Subject: [PATCH] adtrust: filter out subdomains when defining our topology to
AD
|
When defining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.
|
This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.
|
Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.
|
Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single lable domains as part of freeIPA installs, this
is another layer of protection here.
|
Fixes https://pagure.io/freeipa/issue/6666
|
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
ipaserver/dcerpc.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
|
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
|
|
c58629 |
index d684a17cabe43bbbd43d29f75f534b6e50fccd12..aa63cd9db0a1d47b5309cc6bed2ff7584760a39d 100644
|
|
|
c58629 |
--- a/ipaserver/dcerpc.py
|
|
|
c58629 |
+++ b/ipaserver/dcerpc.py
|
|
|
c58629 |
@@ -50,6 +50,7 @@ import samba
|
|
|
c58629 |
|
|
|
c58629 |
import ldap as _ldap
|
|
|
c58629 |
from ipapython import ipaldap
|
|
|
c58629 |
+from ipapython.dnsutil import DNSName
|
|
|
c58629 |
from dns import resolver, rdatatype
|
|
|
c58629 |
from dns.exception import DNSException
|
|
|
c58629 |
import pysss_nss_idmap
|
|
|
c58629 |
@@ -1589,7 +1590,22 @@ class TrustDomainJoins(object):
|
|
|
c58629 |
entry.single_value.get('modifytimestamp').timetuple()
|
|
|
c58629 |
)*1e7+116444736000000000)
|
|
|
c58629 |
|
|
|
c58629 |
+ forest = DNSName(self.local_domain.info['dns_forest'])
|
|
|
c58629 |
+ # tforest is IPA forest. keep the line below for future checks
|
|
|
c58629 |
+ # tforest = DNSName(self.remote_domain.info['dns_forest'])
|
|
|
c58629 |
for dom in realm_domains['associateddomain']:
|
|
|
c58629 |
+ d = DNSName(dom)
|
|
|
c58629 |
+
|
|
|
c58629 |
+ # We should skip all DNS subdomains of our forest
|
|
|
c58629 |
+ # because we are going to add *.<forest> TLN anyway
|
|
|
c58629 |
+ if forest.is_superdomain(d) and forest != d:
|
|
|
c58629 |
+ continue
|
|
|
c58629 |
+
|
|
|
c58629 |
+ # We also should skip single label TLDs as they
|
|
|
c58629 |
+ # cannot be added as TLNs
|
|
|
c58629 |
+ if len(d.labels) == 1:
|
|
|
c58629 |
+ continue
|
|
|
c58629 |
+
|
|
|
c58629 |
ftinfo = dict()
|
|
|
c58629 |
ftinfo['rec_name'] = dom
|
|
|
c58629 |
ftinfo['rec_time'] = trust_timestamp
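Review bot: The subdomain filter at `if forest.is_superdomain(d) and forest != d:` and the single-label check at `if len(d.labels) == 1:` only work when `forest` and `d` agree on being absolute (trailing dot) or relative: dnspython reports a relative and an absolute name as unrelated, so `is_superdomain` returns False and the subdomain is still emitted as a TLN, and an absolute name carries the empty root label, so a single-label absolute name has two labels and is not skipped either. Whether `info['dns_forest']` and the `associateddomain` values share the same form cannot be seen from this hunk, so unless the callers guarantee it, normalize both before comparing: `forest = DNSName(self.local_domain.info['dns_forest']).make_absolute()`, `d = DNSName(dom).make_absolute()` and `if len(d.labels) <= 2:` (one label plus the root). The commented-out `# tforest = DNSName(self.remote_domain.info['dns_forest'])` line is dead code; a one-line comment stating that the remote forest is deliberately not checked here would carry the same intent. The enclosing method of TrustDomainJoins starts before and ends after this hunk.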
--
2.13.6