URL: https://github.com/freeipa/freeipa/pull/1295
Author: abbra
Title: #1295: [Backport][ipa-4-6] adtrust: filter out subdomains when defining our topology to AD
Action: opened

PR body:
This PR was opened automatically because PR #1179 was pushed to master and 
backport to ipa-4-6 is required.

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1295/head:pr1295
git checkout pr1295
From b0c970919a2d3f97801bbeb84d780379b9327ceb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 19 Oct 2017 13:21:05 +0300
Subject: [PATCH] adtrust: filter out subdomains when defining our topology to

When defining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as catch-all top level name already.

This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.

Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.

Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single label domains as part of freeIPA installs, this
is another layer of protection here.

Fixes https://pagure.io/freeipa/issue/6666
 ipaserver/dcerpc.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 287122c516..ff71834097 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -47,6 +47,7 @@
 import ldap as _ldap
 from ipapython import ipaldap
+from ipapython.dnsutil import DNSName
 from dns import resolver, rdatatype
 from dns.exception import DNSException
 import pysss_nss_idmap
@@ -1601,7 +1602,22 @@ def get_realmdomains(self):
+        forest = DNSName(self.local_domain.info['dns_forest'])
+        # tforest is IPA forest. keep the line below for future checks
+        # tforest = DNSName(self.remote_domain.info['dns_forest'])
         for dom in realm_domains['associateddomain']:
+            d = DNSName(dom)
+            # We should skip all DNS subdomains of our forest
+            # because we are going to add *.<forest> TLN anyway
+            if forest.is_superdomain(d) and forest != d:
+                continue
+            # We also should skip single label TLDs as they
+            # cannot be added as TLNs
+            if len(d.labels) == 1:
+                continue
             ftinfo = dict()
             ftinfo['rec_name'] = dom
             ftinfo['rec_time'] = trust_timestamp
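Review bot: Both new checks in this hunk depend on `forest` and `d` having the same absoluteness, which the code does not guarantee. `DNSName` built from a plain string without a trailing dot yields a relative name, and dnspython's `is_superdomain` reports no relation at all between a relative and an absolute name, so if `dns_forest` and the `associateddomain` values disagree about the trailing dot the subdomain filter silently passes everything through and AD will still reject the TLN set with NT_STATUS_INVALID_PARAMETER. The `labels` tuple of an absolute name also includes the empty root label, so `len(d.labels) == 1` would not catch a single-label domain written as `example.`. Suggest normalizing both sides once, e.g. `forest = DNSName(...).make_absolute()` and `d = DNSName(dom).make_absolute()`, and then testing `len(d.labels) == 2` for the single-label case. Minor: the commented-out `tforest` line is dead code; if the future check is not planned for this backport, drop it rather than carrying it into a stable branch.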
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org