From eb8651626099df8df14e12b905aace0be5c37ded Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipalib/plugins/trust.py | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
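diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..6232e4fe9d3d5e957d22a3557cdcf4bb12cec0ea 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
                 self.params['realm_passwd'].label, confirm=False)
 
     def validate_options(self, *keys, **options):
+        trusted_realm_domain = keys[-1]
+
         if not _bindings_installed:
             raise errors.NotFound(
                 name=_('AD Trust setup'),
@@ -692,6 +694,23 @@ sides.
                 )
             )
 
+        # Obtain a list of IPA realm domains
+        result = self.api.Command.realmdomains_show()['result']
+        realm_domains = result['associateddomain']
+
+        # Do not allow the AD's trusted realm domain in the list
+        # of our realm domains
+        if trusted_realm_domain.lower() in realm_domains:
+            raise errors.ValidationError(
+                name=_('AD Trust setup'),
+                error=_(
+                    'Trusted domain %(domain)s is included among '
+                    'IPA realm domains. It needs to be removed '
+                    'prior to establishing the trust. See the '
+                    '"ipa realmdomains-mod --del-domain" command.'
+                ) % dict(domain=trusted_realm_domain)
+            )
+
         self.realm_server = options.get('realm_server')
         self.realm_admin = options.get('realm_admin')
         self.realm_passwd = options.get('realm_passwd')
@@ -702,7 +721,7 @@ sides.
             if len(names) > 1:
                 # realm admin name is in UPN format, user@realm, check that
                 # realm is the same as the one that we are attempting to trust
-                if keys[-1].lower() != names[-1].lower():
+                if trusted_realm_domain.lower() != names[-1].lower():
                     raise errors.ValidationError(
                         name=_('AD Trust setup'),
                         error=_(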
--
2.4.3