On 07/15/2015 02:31 PM, Alexander Bokovoy wrote:
> On Wed, 15 Jul 2015, Tomas Babej wrote:
>> Hi,
>>
>> Check for the presence of the forest root DNS domain of the AD realm
>> among the IPA realm domains prior to establishing the trust.
>>
>> This prevents creation of a failing setup, as trusts would not work
>> properly in this case.
>>
>> https://fedorahosted.org/freeipa/ticket/4799
> LGTM.
> 
> The only comment I have is for the error message text. Would it make
> sense to point to 'ipa realmdomans-mod --del-domain' command?
> 
> 

Sure, why not.

I actually abstained from generating the whole command (including the AD
domain argument), as I believe it's better the users are discouraged
from blindly copying commands around.

Updated patch attached.

Tomas
From 345abc73709bb20f2bb6f57b9109be86463fc8d2 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799
---
 ipalib/plugins/trust.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..6232e4fe9d3d5e957d22a3557cdcf4bb12cec0ea 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
                            self.params['realm_passwd'].label, confirm=False)
 
     def validate_options(self, *keys, **options):
+        trusted_realm_domain = keys[-1]
+
         if not _bindings_installed:
             raise errors.NotFound(
                 name=_('AD Trust setup'),
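Review bot: `trusted_realm_domain = keys[-1]` is taken as-is here, but both later uses (the realm-domains membership check and the UPN realm comparison) call `.lower()` on it separately; normalising once at this assignment, e.g. `trusted_realm_domain = keys[-1].lower()`, would give one canonical value and remove the chance of a future comparison forgetting the lowercase step.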
@@ -692,6 +694,23 @@ sides.
                 )
             )
 
+        # Obtain a list of IPA realm domains
+        result = self.api.Command.realmdomains_show()['result']
+        realm_domains = result['associateddomain']
+
+        # Do not allow the AD's trusted realm domain in the list
+        # of our realm domains
+        if trusted_realm_domain.lower() in realm_domains:
+            raise errors.ValidationError(
+                name=_('AD Trust setup'),
+                error=_(
+                    'Trusted domain %(domain)s is included among '
+                    'IPA realm domains. It needs to be removed '
+                    'prior to establishing the trust. See the '
+                    '"ipa realmdomains-mod --del-domain" command.'
+                ) % dict(domain=trusted_realm_domain)
+            )
+
         self.realm_server = options.get('realm_server')
         self.realm_admin = options.get('realm_admin')
         self.realm_passwd = options.get('realm_passwd')
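Review bot: the membership test `trusted_realm_domain.lower() in realm_domains` only lowercases the left-hand side, so a realm domain stored with mixed case in `associateddomain` would not be caught and the trust would still be created against a conflicting domain. Comparing against a normalised list, e.g. `if trusted_realm_domain.lower() in [d.lower() for d in realm_domains]:`, makes the validation case-insensitive on both sides. Also consider `result.get('associateddomain', [])` so an unexpected empty result raises the intended ValidationError path rather than a KeyError; the error text pointing at "ipa realmdomains-mod --del-domain" is clear.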
@@ -702,7 +721,7 @@ sides.
             if len(names) > 1:
                 # realm admin name is in UPN format, user@realm, check that
                 # realm is the same as the one that we are attempting to trust
-                if keys[-1].lower() != names[-1].lower():
+                if trusted_realm_domain.lower() != names[-1].lower():
                     raise errors.ValidationError(
                         name=_('AD Trust setup'),
                         error=_(
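Review bot: this is a behaviour-preserving rename from `keys[-1]` to `trusted_realm_domain`, consistent with the earlier hunk; if the variable is lowercased once where it is defined, the `.lower()` on the left-hand side of this comparison becomes redundant and can be dropped.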
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
