rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0089-trusts-format-Kerberos-principal-properly-when-fetch.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   f2e539214d4d2b291552fcf90fb5df88f8e5b2d5
  2.   SOURCES
  3.   0089-trusts-format-Kerberos-principal-properly-when-fetch.patch
Blob History Raw
590d18 
From e9fdf223cdb39e685ad9c57a7348016917d5cba2 Mon Sep 17 00:00:00 2001
590d18 
From: Alexander Bokovoy <abokovoy@redhat.com>
590d18 
Date: Thu, 20 Aug 2015 15:12:42 +0300
590d18 
Subject: [PATCH] trusts: format Kerberos principal properly when fetching
590d18 
 trust topology
590d18
590d18 
For bidirectional trust if we have AD administrator credentials, we
590d18 
should be using them with Kerberos authentication. If we don't have
590d18 
AD administrator credentials, we should be using
590d18 
HTTP/ipa.master@IPA.REALM credentials. This means we should ask
590d18 
formatting 'creds' object in Kerberos style.
590d18
590d18 
For one-way trust we'll be fetching trust topology as TDO object,
590d18 
authenticating with pre-created Kerberos credentials cache, so in all
590d18 
cases we do use Kerberos authentication to talk to Active Directory
590d18 
domain controllers over cross-forest trust link.
590d18
590d18 
Part of trust refactoring series.
590d18 
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
590d18 
Fixes: https://fedorahosted.org/freeipa/ticket/5182
590d18 
Reviewed-By: Tomas Babej <tbabej@redhat.com>
590d18 
---
590d18 
 ipalib/plugins/trust.py | 7 ++++++-
590d18 
 1 file changed, 6 insertions(+), 1 deletion(-)
590d18
590d18 
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
590d18 
index c7546692bdd8dd827ee9772b72a758042d97aa71..173463ae7d4134b5bd155cc5fa920bfabd0a6958 100644
590d18 
--- a/ipalib/plugins/trust.py
590d18 
+++ b/ipalib/plugins/trust.py
590d18 
@@ -1479,7 +1479,12 @@ class trustdomain_del(LDAPDelete):
590d18
590d18 
 def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
590d18 
     trust_name = trust_entry['cn'][0]
590d18 
-    creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options)
590d18 
+    # We want to use Kerberos if we have admin credentials even with SMB calls
590d18 
+    # as eventually use of NTLMSSP will be deprecated for trusted domain operations
590d18 
+    # If admin credentials are missing, 'creds' will be None and fetch_domains
590d18 
+    # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
590d18 
+    # as well.
590d18 
+    creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
590d18 
     server = options.get('realm_server', None)
590d18 
     domains = ipaserver.dcerpc.fetch_domains(myapi,
590d18 
                                              trustinstance.local_flatname,
590d18 
--
590d18 
2.4.3
590d18

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation