From 504e8701fd7870b18febe9b544244d5d2744bb16 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Wed, 26 Feb 2014 17:43:34 +0200

Subject: [PATCH 53/53] ipaserver/dcerpc: catch the case of insuffient

 permissions when establishing trust

We attempt to delete the trust that might exist already. If there are not enough

privileges to do so, we wouldn't be able to create trust at the next step and it will fail.

However, failure to create trust will be due to the name collision as we already had

the trust with the same name before. Thus, raise access denied exception here

to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.

https://fedorahosted.org/freeipa/ticket/4202

Reviewed-By: Martin Kosek <mkosek@redhat.com>

---

 ipaserver/dcerpc.py | 7 +++++--

 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py

index d809c416baac072a2489fbd3c167f08665b7a24e..5972e622292a033d4fc979cbf5401fa02151f35c 100644

--- a/ipaserver/dcerpc.py

+++ b/ipaserver/dcerpc.py

@@ -892,8 +892,11 @@ def establish_trust(self, another_domain, trustdom_secret):

             dname.string = another_domain.info['dns_domain']

             res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)

             self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)

-        except RuntimeError, e:

-            pass

+        except RuntimeError, (num, message):

+            # Ignore anything but access denied (NT_STATUS_ACCESS_DENIED)

+            if num == -1073741790:

+                raise access_denied_error

+

         try:

             trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE)

         except RuntimeError, (num, message):

-- 

1.8.5.3