Hi,

this patch fixes a case when a non-privileged AD user account is used to
re-establish a trust. We need to catch one specific exception when deleting
the old trust and bail out earlier with a proper error message.

https://fedorahosted.org/freeipa/ticket/4202
--
/ Alexander Bokovoy
From 1ffd12988778fd9fcec3ad5436fd79753087ebfb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <[email protected]>
Date: Wed, 26 Feb 2014 17:43:34 +0200
Subject: [PATCH 6/6] ipaserver/dcerpc: catch the case of insufficient
 permissions when establishing trust

We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create the trust at the next step and
it will fail.
However, the failure to create the trust will be due to the name collision, as we
already had the trust with the same name before. Thus, raise an access denied
exception here to properly indicate the wrong access level instead of returning
NT_STATUS_OBJECT_NAME_COLLISION.

https://fedorahosted.org/freeipa/ticket/4202
---
 ipaserver/dcerpc.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index d809c41..5972e62 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -892,8 +892,11 @@ class TrustDomainInstance(object):
             dname.string = another_domain.info['dns_domain']
             res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, 
dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
             self._pipe.DeleteTrustedDomain(self._policy_handle, 
res.info_ex.sid)
-        except RuntimeError, e:
-            pass
+        except RuntimeError, (num, message):
+            # Ignore anything but access denied (NT_STATUS_ACCESS_DENIED)
+            if num == -1073741790:
+                raise access_denied_error
+
         try:
             trustdom_handle = 
self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, 
security.SEC_STD_DELETE)
         except RuntimeError, (num, message):
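Review bot: the new check at `if num == -1073741790:` compares against a bare magic number, and it only matches because the Samba Python bindings hand the NTSTATUS back as a signed 32-bit value (-1073741790 is 0xC0000022, NT_STATUS_ACCESS_DENIED, sign-extended); a comparison against the unsigned 0xC0000022 would silently never fire. Hoist the value into a named module-level constant, or use the named value from `samba.ntstatus` if the Samba version FreeIPA targets provides that module, so the intent survives without relying on the comment. Two smaller points: `access_denied_error` is raised here but is not defined anywhere in the hunk, so please confirm it exists at module scope in dcerpc.py; and `except RuntimeError, (num, message):` unpacks the exception inside the handler, so a RuntimeError carrying anything other than a two-element args tuple would surface as a ValueError from the except clause itself rather than being ignored as the comment promises (the existing handler right below uses the same pattern, so this is consistent with the file, but worth knowing when reading the resulting traceback).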
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
