From 95d17d4e632effc37eda54e77a71cbf2cf2f888c Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 1 Sep 2016 09:30:23 +0200
Subject: [PATCH] Always fetch forest info from root DCs when establishing
 two-way trust

Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.

This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/trust.py | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 8ed96c253e7c7862f60ad668aa6c252038274624..b3cb56c14496c0d56d3f3fedddee8d123f929344 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -770,7 +770,7 @@ sides.
                 # Bidirectional trust allows us to use cross-realm TGT, so we can
                 # run the call under original user's credentials
                 res = fetch_domains_from_trust(self.api, self.trustinstance,
-                                               result['result'], **options)
+                                               **options)
                 domains = add_new_domains_from_trust(self.api, self.trustinstance,
                                                      result['result'], res, **options)
             else:
@@ -1631,8 +1631,21 @@ class trustdomain_del(LDAPDelete):
         return result
 
 
-def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
-    trust_name = trust_entry['cn'][0]
+def fetch_domains_from_trust(myapi, trustinstance, **options):
+    """
+    Contact trust forest root DC and fetch trusted forest topology information.
+
+    :param myapi: API instance
+    :param trustinstance: Initialized instance of `dcerpc.TrustDomainJoins`
+        class
+    :param options: options passed from API command's `execute()` method
+
+    :returns: dict containing forest domain information and forest-wide UPN
+        suffixes (if any)
+    """
+
+    forest_root_name = trustinstance.remote_domain.info['dns_forest']
+
     # We want to use Kerberos if we have admin credentials even with SMB calls
     # as eventually use of NTLMSSP will be deprecated for trusted domain operations
     # If admin credentials are missing, 'creds' will be None and fetch_domains
@@ -1640,10 +1653,10 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
     # as well.
     creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
     server = options.get('realm_server', None)
-    domains = ipaserver.dcerpc.fetch_domains(myapi,
-                                             trustinstance.local_flatname,
-                                             trust_name, creds=creds,
-                                             server=server)
+    domains = ipaserver.dcerpc.fetch_domains(
+        myapi, trustinstance.local_flatname, forest_root_name, creds=creds,
+        server=server)
+
     return domains
 
 
@@ -1749,7 +1762,7 @@ class trust_fetch_domains(LDAPRetrieve):
                     'on the IPA server first'
                 )
             )
-        res = fetch_domains_from_trust(self.api, trustinstance, trust, **options)
+        res = fetch_domains_from_trust(self.api, trustinstance, **options)
         domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)
 
         if len(domains) > 0:
-- 
2.7.4