c58629
From efdbea05f716700d8ed659430a6b501b41de0e54 Mon Sep 17 00:00:00 2001
c58629
From: Alexander Bokovoy <abokovoy@redhat.com>
c58629
Date: Thu, 19 Oct 2017 13:21:05 +0300
c58629
Subject: [PATCH] adtrust: filter out subdomains when defining our topology to
c58629
 AD
c58629
c58629
When defining a topology of a forest to be visible over a cross-forest
c58629
trust, we set *.<forest name> as a catch-all top level name already.
c58629
c58629
This means that all DNS subdomains of the forest will already be matched
c58629
by this top level name (TLN). If we add more TLNs for subdomains, Active
c58629
Directory will respond with NT_STATUS_INVALID_PARAMETER.
c58629
c58629
Filter out all subdomains of the forest root domain. All other realm
c58629
domains will be added with explicit TLN records.
c58629
c58629
Also filter out single label domains. These aren't possible to add as
c58629
TLNs to Windows Server 2016 as it considers them incorrect. Given that
c58629
we do not allow single lable domains as part of freeIPA installs, this
c58629
is another layer of protection here.
c58629
c58629
Fixes https://pagure.io/freeipa/issue/6666
c58629
c58629
Reviewed-By: Christian Heimes <cheimes@redhat.com>
c58629
---
c58629
 ipaserver/dcerpc.py | 16 ++++++++++++++++
c58629
 1 file changed, 16 insertions(+)
c58629
c58629
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
c58629
index d684a17cabe43bbbd43d29f75f534b6e50fccd12..aa63cd9db0a1d47b5309cc6bed2ff7584760a39d 100644
c58629
--- a/ipaserver/dcerpc.py
c58629
+++ b/ipaserver/dcerpc.py
c58629
@@ -50,6 +50,7 @@ import samba
c58629
 
c58629
 import ldap as _ldap
c58629
 from ipapython import ipaldap
c58629
+from ipapython.dnsutil import DNSName
c58629
 from dns import resolver, rdatatype
c58629
 from dns.exception import DNSException
c58629
 import pysss_nss_idmap
c58629
@@ -1589,7 +1590,22 @@ class TrustDomainJoins(object):
c58629
                      entry.single_value.get('modifytimestamp').timetuple()
c58629
                 )*1e7+116444736000000000)
c58629
 
c58629
+        forest = DNSName(self.local_domain.info['dns_forest'])
c58629
+        # tforest is IPA forest. keep the line below for future checks
c58629
+        # tforest = DNSName(self.remote_domain.info['dns_forest'])
c58629
         for dom in realm_domains['associateddomain']:
c58629
+            d = DNSName(dom)
c58629
+
c58629
+            # We should skip all DNS subdomains of our forest
c58629
+            # because we are going to add *.<forest> TLN anyway
c58629
+            if forest.is_superdomain(d) and forest != d:
c58629
+                continue
c58629
+
c58629
+            # We also should skip single label TLDs as they
c58629
+            # cannot be added as TLNs
c58629
+            if len(d.labels) == 1:
c58629
+                continue
c58629
+
c58629
             ftinfo = dict()
c58629
             ftinfo['rec_name'] = dom
c58629
             ftinfo['rec_time'] = trust_timestamp
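Review bot: Both new checks depend on whether the names carry a trailing dot, and nothing in the hunk normalises that: `DNSName` is a dnspython `Name`, which treats an absolute and a relative name as unrelated, so `forest.is_superdomain(d)` is false whenever one of `dns_forest` and the `associateddomain` value is absolute and the other is not, and an absolute single-label name such as `com.` has two labels (the root label counts) and slips past `len(d.labels) == 1`, which is exactly the case the commit wants to keep away from AD. Whether these values are stored with or without the trailing dot is not visible here, so the robust fix is to normalise once on both sides: `forest = DNSName(self.local_domain.info['dns_forest']).make_absolute()`, `d = DNSName(dom).make_absolute()`, and `if len(d.labels) <= 2:  # root label plus one` — assuming `DNSName.make_absolute()` exists in this ipapython version; otherwise `d.relativize(DNSName.root)` before counting gives the same effect. The commented-out `tforest` line is dead code; a `# TODO` describing the intended remote-forest check would age better than a disabled statement. The enclosing method starts before this hunk and continues past it.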
c58629
-- 
c58629
2.13.6
c58629