From 079fdf41592559de96465080e81aa91252c01a3d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 19 Aug 2014 16:24:27 +0300
Subject: [PATCH] ipaserver/dcerpc.py: Make sure trust is established only to
forest root domain
|
Part of https://fedorahosted.org/freeipa/ticket/4463
|
Reviewed-By: Sumit Bose <sbose@redhat.com>
---
ipalib/errors.py | 16 ++++++++++++++++
ipaserver/dcerpc.py | 6 ++++++
2 files changed, 22 insertions(+)
|
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..405c5c3bfc25d9b024189be9fcf582052dd10dd3 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -810,6 +810,22 @@ class DeprecationError(InvocationError):
errno = 3015
format = _("Command '%(name)s' has been deprecated")
|
+class NotAForestRootError(InvocationError):
+ """
+ **3016** Raised when an attempt to establish trust is done against non-root domain
+ Forest root domain has the same name as the forest itself
+
+ For example:
+
+ >>> raise NotAForestRootError(forest='example.test', domain='jointops.test')
+ Traceback (most recent call last):
+ ...
+ NotAForestRootError: Domain 'jointops.test' is not a root domain for forest 'example.test'
+ """
+
+ errno = 3016
+ format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'")
+
|
##############################################################################
# 4000 - 4999: Execution errors
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index fcf1e4e775868f17220cac3c0203cc67dba2f839..41f373df3cc4365727200f3ca4667faac2f9e19c 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1143,6 +1143,9 @@ class TrustDomainJoins(object):
realm_passwd
)
|
+ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
if not self.remote_domain.read_only:
trustdom_pass = samba.generate_random_password(128, 128)
self.get_realmdomains()
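Review bot: The forest-root check added at the `if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:` line is repeated verbatim in the second dcerpc.py hunk, and both copies (the `raise` line in particular) run well past the line length the surrounding code keeps; a small helper on TrustDomainJoins would hold the rule in one place so the two join paths cannot drift apart. The comparison is a plain string `!=` while DNS names are case-insensitive, so if `info['dns_domain']` and `info['dns_forest']` can arrive with different casing (that depends on how populate_remote_domain fills `info`, which is outside the hunk) a genuine root domain would be rejected spuriously; worth confirming, or normalising both sides with `.lower()` before comparing. A comment should also record that both values are taken from the remote DC's own reply, so this is a consistency check on what the peer reports rather than an independent verification of forest membership. The enclosing join method starts before this hunk.
```python
    def _ensure_forest_root(self):
        # Trust may only be established to the forest root, i.e. the domain
        # whose DNS name equals the forest name. Both values are what the
        # remote DC reported when populate_remote_domain() filled `info`.
        info = self.remote_domain.info
        if info['dns_domain'] != info['dns_forest']:
            raise errors.NotAForestRootError(forest=info['dns_forest'],
                                             domain=info['dns_domain'])

    # … unchanged: join method body up to populate_remote_domain(...) …
        self._ensure_forest_root()
```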
@@ -1159,5 +1162,8 @@ class TrustDomainJoins(object):
if not(isinstance(self.remote_domain, TrustDomainInstance)):
self.populate_remote_domain(realm, realm_server, realm_passwd=None)
|
+ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
--
1.9.3
|