rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0116-Always-fetch-forest-info-from-root-DCs-when-establis.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   53a374936ca448d4897930910a79131c0085a284
  2.   SOURCES
  3.   0116-Always-fetch-forest-info-from-root-DCs-when-establis.patch
Blob History Raw
403b09 
From 6686a4d8906f283a394eb9991af1ab6b66d5dfd1 Mon Sep 17 00:00:00 2001
403b09 
From: Martin Babinsky <mbabinsk@redhat.com>
403b09 
Date: Thu, 1 Sep 2016 18:14:22 +0200
403b09 
Subject: [PATCH] Always fetch forest info from root DCs when establishing
403b09 
 one-way trust
403b09
403b09 
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
403b09 
performed against non-root forest domain DCs were automatically routed to
403b09 
the root domain DCs to resolve trust topology information.
403b09
403b09 
This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
403b09 
helper used to establish one-way needs to explicitly contact root domain DCs
403b09 
even in the case when an external trust to non-root domain is requested.
403b09
403b09 
https://fedorahosted.org/freeipa/ticket/6057
403b09
403b09 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
403b09 
---
403b09 
 install/oddjob/com.redhat.idm.trust-fetch-domains | 25 ++++++++++++++++++++++-
403b09 
 1 file changed, 24 insertions(+), 1 deletion(-)
403b09
403b09 
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
403b09 
index bffa021cd4f01d31b7271d1ad84420884ce8d99e..32406ac9274f63251180a1e1051e1f1e60f5ecec 100755
403b09 
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
403b09 
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
403b09 
@@ -40,6 +40,24 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
403b09 
         pass
403b09
403b09
403b09 
+def get_forest_root_domain(api_instance, trusted_domain):
403b09 
+    """
403b09 
+    retrieve trusted forest root domain for given domain name
403b09 
+
403b09 
+    :param api_instance: IPA API instance
403b09 
+    :param trusted_domain: trusted domain name
403b09 
+
403b09 
+    :returns: forest root domain DNS name
403b09 
+    """
403b09 
+    trustconfig_show = api_instance.Command.trustconfig_show
403b09 
+    flatname = trustconfig_show()['result']['ipantflatname'][0]
403b09 
+
403b09 
+    remote_domain = dcerpc.retrieve_remote_domain(
403b09 
+        api_instance.env.host, flatname, trusted_domain)
403b09 
+
403b09 
+    return remote_domain.info['dns_forest']
403b09 
+
403b09 
+
403b09 
 def parse_options():
403b09 
     usage = "%prog <trusted domain name>\n"
403b09 
     parser = config.IPAOptionParser(usage=usage,
403b09 
@@ -169,7 +187,12 @@ except gssapi.exceptions.GSSError:
403b09 
 # We are done: we have ccache with TDO credentials and can fetch domains
403b09 
 ipa_domain = api.env.domain
403b09 
 os.environ['KRB5CCNAME'] = oneway_ccache_name
403b09 
-domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True)
403b09 
+
403b09 
+# retrieve the forest root domain name and contact it to retrieve trust
403b09 
+# topology info
403b09 
+forest_root = get_forest_root_domain(api, trusted_domain)
403b09 
+
403b09 
+domains = dcerpc.fetch_domains(api, ipa_domain, forest_root, creds=True)
403b09 
 trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result']
403b09 
 trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
403b09
403b09 
--
403b09 
2.7.4
403b09

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation