Re: [Freeipa-devel] [PATCH 0357] trusts: Detect domain clash with IPA domain when adding an AD

2015-08-17 Thread Martin Babinsky

On 08/06/2015 10:55 AM, Tomas Babej wrote:

Hi,

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549
ACK

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0357] trusts: Detect domain clash with IPA domain when adding an AD

2015-08-17 Thread Martin Basti

On 08/17/2015 02:58 PM, Martin Babinsky wrote:

On 08/06/2015 10:55 AM, Tomas Babej wrote:

Hi,

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549
ACK


Pushed to:
master: 9ce074b36a54a450c91ac0151c345481da120290
ipa-4-2: 5fd2a893e65ba6cc888de930f76b2e48ba460b8d



[Freeipa-devel] [PATCH 0357] trusts: Detect domain clash with IPA domain when adding an AD

2015-08-06 Thread Tomas Babej
Hi,

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549
From ea8b725d5bc4c31a03dc998ef85d91d463542b8c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 6 Aug 2015 10:54:47 +0200
Subject: [PATCH] trusts: Detect domain clash with IPA domain when adding an AD
 trust

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549
---
 ipalib/plugins/trust.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ba80eefe4735a8800cc530e60b4435c3d8cdcf4d..b64a550216ea534ce58d6c825484ebe837671462 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -730,6 +730,14 @@ sides.
 error=_('only ad is supported')
 )
 
+# Detect IPA-AD domain clash
+if self.api.env.domain.lower() == trusted_realm_domain.lower():
+raise errors.ValidationError(
+name=_('domain'),
+error=_('Cannot establish a trust to AD deployed in the same '
+'domain as IPA. Such setup is not supported.')
+)
+
 # If domain name and realm does not match, IPA server is not be able
 # to establish trust with Active Directory.
 
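Review bot: the added check rejects only an exact case-insensitive match between `self.api.env.domain` and `trusted_realm_domain`, and the diffstat (`1 file changed, 8 insertions(+)`, only ipalib/plugins/trust.py) shows no test exercising the new ValidationError; suggest adding a test case that feeds an AD domain equal to the IPA domain in both identical and differing letter case, so the `.lower()` normalization is covered, and asserting that the `Cannot establish a trust to AD deployed in the same domain as IPA` error is raised before the later domain/realm mismatch check is reached.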
-- 
2.1.0
