From 95d17d4e632effc37eda54e77a71cbf2cf2f888c Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Thu, 1 Sep 2016 09:30:23 +0200

Subject: [PATCH] Always fetch forest info from root DCs when establishing

 two-way trust

Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls

performed against non-root forest domain DCs were automatically routed to the

root domain DCs to resolve trust topology information.

This is no longer the case, so the `dcerpc.fetch_domains` function must

explicitly contact root domain DCs even in the case when an external two-way

trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/plugins/trust.py | 29 +++++++++++++++++++++--------

 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py

index 8ed96c253e7c7862f60ad668aa6c252038274624..b3cb56c14496c0d56d3f3fedddee8d123f929344 100644

--- a/ipaserver/plugins/trust.py

+++ b/ipaserver/plugins/trust.py

@@ -770,7 +770,7 @@ sides.

                 # Bidirectional trust allows us to use cross-realm TGT, so we can

                 # run the call under original user's credentials

                 res = fetch_domains_from_trust(self.api, self.trustinstance,

-                                               result['result'], **options)

+                                               **options)

                 domains = add_new_domains_from_trust(self.api, self.trustinstance,

                                                      result['result'], res, **options)

             else:

@@ -1631,8 +1631,21 @@ class trustdomain_del(LDAPDelete):

         return result

-def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):

-    trust_name = trust_entry['cn'][0]

+def fetch_domains_from_trust(myapi, trustinstance, **options):

+    """

+    Contact trust forest root DC and fetch trusted forest topology information.

+

+    :param myapi: API instance

+    :param trustinstance: Initialized instance of `dcerpc.TrustDomainJoins`

+        class

+    :param options: options passed from API command's `execute()` method

+

+    :returns: dict containing forest domain information and forest-wide UPN

+        suffixes (if any)

+    """

+

+    forest_root_name = trustinstance.remote_domain.info['dns_forest']

+

     # We want to use Kerberos if we have admin credentials even with SMB calls

     # as eventually use of NTLMSSP will be deprecated for trusted domain operations

     # If admin credentials are missing, 'creds' will be None and fetch_domains

@@ -1640,10 +1653,10 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):

     # as well.

     creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)

     server = options.get('realm_server', None)

-    domains = ipaserver.dcerpc.fetch_domains(myapi,

-                                             trustinstance.local_flatname,

-                                             trust_name, creds=creds,

-                                             server=server)

+    domains = ipaserver.dcerpc.fetch_domains(

+        myapi, trustinstance.local_flatname, forest_root_name, creds=creds,

+        server=server)

+

     return domains

@@ -1749,7 +1762,7 @@ class trust_fetch_domains(LDAPRetrieve):

                     'on the IPA server first'

                 )

             )

-        res = fetch_domains_from_trust(self.api, trustinstance, trust, **options)

+        res = fetch_domains_from_trust(self.api, trustinstance, **options)

         domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)

         if len(domains) > 0:

-- 

2.7.4