From efdbea05f716700d8ed659430a6b501b41de0e54 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 19 Oct 2017 13:21:05 +0300
Subject: [PATCH] adtrust: filter out subdomains when defining our topology to AD

When definining a topology of a forest to be visible over a cross-forest trust, we set *. as all-catch top level name already. This means that all DNS subdomains of the forest will already be matched by this top level name (TLN). If we add more TLNs for subdomains, Active Directory will respond with NT_STATUS_INVALID_PARAMETER. Filter out all subdomains of the forest root domain. All other realm domains will be added with explicit TLN records. Also filter out single label domains. These aren't possible to add as TLNs to Windows Server 2016 as it considers them incorrect. Given that we do not allow single lable domains as part of freeIPA installs, this is another layer of protection here.

Fixes https://pagure.io/freeipa/issue/6666

Reviewed-By: Christian Heimes
---
 ipaserver/dcerpc.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index d684a17cabe43bbbd43d29f75f534b6e50fccd12..aa63cd9db0a1d47b5309cc6bed2ff7584760a39d 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -50,6 +50,7 @@ import samba
 import ldap as _ldap
 from ipapython import ipaldap
+from ipapython.dnsutil import DNSName
 from dns import resolver, rdatatype
 from dns.exception import DNSException
 import pysss_nss_idmap
@@ -1589,7 +1590,22 @@ class TrustDomainJoins(object):
 entry.single_value.get('modifytimestamp').timetuple()
 )*1e7+116444736000000000)
+ forest = DNSName(self.local_domain.info['dns_forest'])
+ # tforest is IPA forest. keep the line below for future checks
+ # tforest = DNSName(self.remote_domain.info['dns_forest'])
 for dom in realm_domains['associateddomain']:
+ d = DNSName(dom)
+
+ # We should skip all DNS subdomains of our forest
+ # because we are going to add *. TLN anyway
+ if forest.is_superdomain(d) and forest != d:
+ continue
+
+ # We also should skip single label TLDs as they
+ # cannot be added as TLNs
+ if len(d.labels) == 1:
+ continue
+
 ftinfo = dict()
 ftinfo['rec_name'] = dom
 ftinfo['rec_time'] = trust_timestamp
-- 
2.13.6
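Review bot: The two new skips, `if forest.is_superdomain(d) and forest != d:` and `if len(d.labels) == 1:`, only work when `forest` and `d` agree on whether they carry a trailing dot, and nothing in the hunk enforces that: in dnspython a relative name and an absolute name are never related, so `is_superdomain` returns False across that boundary, and an absolute single-label name has two labels because the empty root label is counted. A trailing dot in either `dns_forest` or one stored `associateddomain` value would therefore silently disable both filters and reintroduce the NT_STATUS_INVALID_PARAMETER failure the commit is fixing. Normalizing both sides at construction, `forest = DNSName(self.local_domain.info['dns_forest']).make_absolute()` and `d = DNSName(dom).make_absolute()`, with the label test becoming `len(d.labels) == 2`, makes the checks independent of how the values were stored. `DNSName(dom)` can also raise on a malformed stored value; whether that should abort the join or be skipped with a log line is a judgement the hunk leaves open. The enclosing method starts and ends outside the hunk.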