From ba2a63da8bada8af988d8fb8931c0cdba2c7ceee Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 19 Aug 2014 16:22:54 +0300
Subject: [PATCH] ipaserver/dcerpc.py: Avoid hitting issue with transitive
trusts on Windows Server prior to 2012
http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83
Reviewed-By: Sumit Bose <sbose@redhat.com>
---
ipaserver/dcerpc.py | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 41f373df3cc4365727200f3ca4667faac2f9e19c..e779a12bae52ec8dac52e4a43854a8a3c601a043 100644
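--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -900,7 +900,7 @@ class TrustDomainInstance(object):
 info.sid = security.dom_sid(another_domain.info['sid'])
 info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
 info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
- info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+ info.trust_attributes = 0
 
 try:
 dname = lsa.String()
@@ -917,8 +917,6 @@ class TrustDomainInstance(object):
 except RuntimeError, (num, message):
 raise assess_dcerpc_exception(num=num, message=message)
 
- self.update_ftinfo(another_domain)
-
 # We should use proper trustdom handle in order to modify the
 # trust settings. Samba insists this has to be done with LSA
 # OpenTrustedDomain* calls, it is not enough to have a handle
@@ -937,6 +935,15 @@ class TrustDomainInstance(object):
 # server as that one doesn't support AES encryption types
 pass
 
+ try:
+ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+ self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info)
+ except RuntimeError, e:
+ root_logger.error('unable to set trust to transitive: %s' % (str(e)))
+ pass
+ if self.info['is_pdc']:
+ self.update_ftinfo(another_domain)
+
 def verify_trust(self, another_domain):
 def retrieve_netlogon_info_2(domain, function_code, data):
 try: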
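Review bot: The new `except RuntimeError, e:` handler in the last hunk only logs 'unable to set trust to transitive' and carries on, so the method can finish normally while the trust keeps the `info.trust_attributes = 0` written by the first hunk, and the caller cannot tell a forest-transitive trust from a degraded one. If tolerating the failure is intended for the older Windows Server case named in the subject, say so in a comment above the `try:`, e.g. `# Best effort: if this fails the trust stays non-transitive (trust_attributes == 0)`, and drop the redundant `pass` after the log call; otherwise re-raise through `assess_dcerpc_exception` as the earlier handler in this method does. Indentation is lost in this rendering, so it is only inferred that `if self.info['is_pdc']:` also runs after a failed set; if it does, `update_ftinfo` is applied to a trust that was never marked transitive, which is worth a check or a comment. The enclosing method starts outside the hunk.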
--
1.9.3