martbab's pull request #46: "Always fetch forest info from root DCs when establishing two-way trust" was opened
PR body: """ Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to a non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 """ See the full pull-request at https://github.com/freeipa/freeipa/pull/46 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/46/head:pr46 git checkout pr46
From 5a70f5dc53067f7a21a4fc60f95d7b11b2220611 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 1 Sep 2016 09:30:23 +0200
Subject: [PATCH] Always fetch forest info from root DCs when establishing two-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057
---
 ipaserver/plugins/trust.py | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 65dc1f4..8f8f987 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -770,7 +770,7 @@ def execute(self, *keys, **options):
 # Bidirectional trust allows us to use cross-realm TGT, so we can
 # run the call under original user's credentials
 res = fetch_domains_from_trust(self.api, self.trustinstance,
- result['result'], **options)
+ **options)
 domains = add_new_domains_from_trust(self.api, self.trustinstance, result['result'], res, **options)
 else:
@@ -1631,8 +1631,21 @@ def execute(self, *keys, **options):
 return result
-def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
- trust_name = trust_entry['cn'][0]
+def fetch_domains_from_trust(myapi, trustinstance, **options):
+ """
+ Contact trust forest root DC and fetch trusted forest topology information.
+
+ :param myapi: API instance
+ :param trustinstance: Initialized instance of `dcerpc.TrustDomainJoins`
+ class
+ :param options: options passed from API command's `execute()` method
+
+ :returns: dict containing forest domain information and forest-wide UPN
+ suffixes (if any)
+ """
+
+ forest_root_name = trustinstance.remote_domain.info['dns_forest']
+
 # We want to use Kerberos if we have admin credentials even with SMB calls
 # as eventually use of NTLMSSP will be deprecated for trusted domain operations
 # If admin credentials are missing, 'creds' will be None and fetch_domains
@@ -1640,10 +1653,10 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
 # as well.
 creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
 server = options.get('realm_server', None)
- domains = ipaserver.dcerpc.fetch_domains(myapi,
- trustinstance.local_flatname,
- trust_name, creds=creds,
- server=server)
+ domains = ipaserver.dcerpc.fetch_domains(
+ myapi, trustinstance.local_flatname, forest_root_name, creds=creds,
+ server=server)
+ return domains
@@ -1749,7 +1762,7 @@ def execute(self, *keys, **options):
 'on the IPA server first'
 )
 )
- res = fetch_domains_from_trust(self.api, trustinstance, trust, **options)
+ res = fetch_domains_from_trust(self.api, trustinstance, **options)
 domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)
 if len(domains) > 0:
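Review bot: The new `forest_root_name = trustinstance.remote_domain.info['dns_forest']` in fetch_domains_from_trust dereferences `remote_domain` unconditionally, whereas the removed code needed only the LDAP entry's `cn`; neither this hunk nor the trust-fetch-domains caller at @@ -1749 shows `remote_domain` being populated on that path, so a trust whose remote DC was never contacted would surface as an AttributeError (or a KeyError if `dns_forest` is absent from `info`) instead of a command error. I would fail early with `remote = trustinstance.remote_domain` / `if remote is None or 'dns_forest' not in remote.info:` / `raise errors.NotFound(reason=_('Remote domain information is not available, cannot determine forest root'))`, and state the precondition in the docstring: `:param trustinstance: Initialized instance of \`dcerpc.TrustDomainJoins\` class with \`remote_domain\` already populated`. Since the DC the code will now connect to is chosen from the peer-reported `dns_forest` value rather than from the admin-supplied trust name, a one-line comment above the assignment saying so would help the next reader judge the trust placed in that value. The function's body continues into the @@ -1640 hunk, where the value is passed to `ipaserver.dcerpc.fetch_domains`.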