From f06e746602f34a1c60580fe3bbb105a8a1cab8a2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 12 Mar 2014 19:01:00 +0200
Subject: [PATCH 60/60] trust: do not fetch subdomains in case shared secret
 was used to set up the trust

Until incoming trust is validated from AD side, we cannot run any operations
against AD using the trust. Also, Samba currently does not support verifying
trust against the other party (returns WERR_NOT_SUPPORTED).

This needs to be added to the documentation:

   When using 'ipa trust-add ad.domain --trust-secret', one has to manually
   validate incoming trust using forest trust properties in AD Domains and
   Trusts tool.

   Once incoming trust is validated at AD side, use IPA command
   'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
   From this point on the trust should be usable.

https://fedorahosted.org/freeipa/ticket/4246

Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
 ipalib/plugins/trust.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f2b00a6f58f5890e37aaa033a35dcf9bc39ccbc4..fe2795cad86e173a150f35db6301119930463a10 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -462,7 +462,8 @@ def execute(self, *keys, **options):
         # for AD trusts, regardless of the type of idranges associated with it
         # Note that fetch_domains_from_trust will add needed ranges for
         # the algorithmic ID mapping case.
-        if options.get('trust_type') == u'ad':
+        if (options.get('trust_type') == u'ad' and
+            options.get('trust_secret') is None):
             domains = fetch_domains_from_trust(self, self.trustinstance,
                                                result['result'], **options)
 
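Review bot: the new condition silently skips fetch_domains_from_trust whenever trust_secret is given, but nothing in this hunk tells the administrator that the forest topology was not retrieved or that 'ipa trust-fetch-domains' must be run once the incoming trust has been validated on the AD side, as the commit message states. Consider adding a message to the command result at this point, and extend the comment block above the condition ("for AD trusts, regardless of the type of idranges ...") to record why the shared-secret case is excluded, so the exception is documented next to the code rather than only in the commit message.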
-- 
1.8.5.3