martbab's pull request #40: "do not use trusted forest name to construct domain admin principal" was opened
PR body:
"""
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.

We should instead use the supplied DNS domain name (if valid) as a realm
component.

https://fedorahosted.org/freeipa/ticket/6277
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/40
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/40/head:pr40
git checkout pr40
From ebce3c0cdf8a4b1df35614187c782551c2c590eb Mon Sep 17 00:00:00 2001 From: Martin Babinsky <mbabi...@redhat.com> Date: Wed, 31 Aug 2016 13:59:14 +0200 Subject: [PATCH] do not use trusted forest name to construct domain admin principal When `trust-add` is supplied AD domain admin name without realm component, the code appends the uppercased AD forest root domain name to construct the full principal. This can cause authentication error, however, when external trust with non-root domain is requested. We should instead use the supplied DNS domain name (if valid) as a realm component. https://fedorahosted.org/freeipa/ticket/6277 --- ipaserver/plugins/trust.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 26f85c2..65dc1f4 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -319,7 +319,7 @@ def generate_creds(trustinstance, style, **options): else: sp = admin_name.split(sep) if len(sp) == 1: - sp.append(trustinstance.remote_domain.info['dns_forest'].upper()) + sp.append(trustinstance.remote_domain.info['dns_domain'].upper()) creds = u"{name}%{password}".format(name=sep.join(sp), password=password) return creds
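Review bot: In the `len(sp) == 1` branch of generate_creds, `trustinstance.remote_domain.info['dns_domain']` is indexed and upper-cased with no guard, while the commit message says the DNS domain is used "(if valid)"; no validity check is visible in this hunk. If that check happens before generate_creds is called, a short comment saying so would help; otherwise handle a missing or empty 'dns_domain' here so the failure is a clear error rather than a KeyError/AttributeError or a malformed principal passed on for authentication. A one-line comment explaining why dns_domain is used instead of dns_forest (external trust with a non-root domain, ticket 6277) would guard against an accidental revert, and a test covering a realm-less admin name against a non-root domain would be a worthwhile addition.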