From 95d17d4e632effc37eda54e77a71cbf2cf2f888c Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 1 Sep 2016 09:30:23 +0200 Subject: [PATCH] Always fetch forest info from root DCs when establishing two-way trust Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 Reviewed-By: Alexander Bokovoy --- ipaserver/plugins/trust.py | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 8ed96c253e7c7862f60ad668aa6c252038274624..b3cb56c14496c0d56d3f3fedddee8d123f929344 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -770,7 +770,7 @@ sides. # Bidirectional trust allows us to use cross-realm TGT, so we can # run the call under original user's credentials res = fetch_domains_from_trust(self.api, self.trustinstance, - result['result'], **options) + **options) domains = add_new_domains_from_trust(self.api, self.trustinstance, result['result'], res, **options) else: @@ -1631,8 +1631,21 @@ class trustdomain_del(LDAPDelete): return result -def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): - trust_name = trust_entry['cn'][0] +def fetch_domains_from_trust(myapi, trustinstance, **options): + """ + Contact trust forest root DC and fetch trusted forest topology information. + + :param myapi: API instance + :param trustinstance: Initialized instance of `dcerpc.TrustDomainJoins` + class + :param options: options passed from API command's `execute()` method + + :returns: dict containing forest domain information and forest-wide UPN + suffixes (if any) + """ + + forest_root_name = trustinstance.remote_domain.info['dns_forest'] + # We want to use Kerberos if we have admin credentials even with SMB calls # as eventually use of NTLMSSP will be deprecated for trusted domain operations # If admin credentials are missing, 'creds' will be None and fetch_domains @@ -1640,10 +1653,10 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): # as well. creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options) server = options.get('realm_server', None) - domains = ipaserver.dcerpc.fetch_domains(myapi, - trustinstance.local_flatname, - trust_name, creds=creds, - server=server) + domains = ipaserver.dcerpc.fetch_domains( + myapi, trustinstance.local_flatname, forest_root_name, creds=creds, + server=server) + return domains @@ -1749,7 +1762,7 @@ class trust_fetch_domains(LDAPRetrieve): 'on the IPA server first' ) ) - res = fetch_domains_from_trust(self.api, trustinstance, trust, **options) + res = fetch_domains_from_trust(self.api, trustinstance, **options) domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options) if len(domains) > 0: -- 2.7.4