From e13a5ed26e96436d4a7ebb2329f7f9666581008d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Aug 24 2015 10:29:33 +0000 Subject: trusts: format Kerberos principal properly when fetching trust topology For bidirectional trust if we have AD administrator credentials, we should be using them with Kerberos authentication. If we don't have AD administrator credentials, we should be using HTTP/ipa.master@IPA.REALM credentials. This means we should ask formatting 'creds' object in Kerberos style. For one-way trust we'll be fetching trust topology as TDO object, authenticating with pre-created Kerberos credentials cache, so in all cases we do use Kerberos authentication to talk to Active Directory domain controllers over cross-forest trust link. Part of trust refactoring series. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190 Fixes: https://fedorahosted.org/freeipa/ticket/5182 Reviewed-By: Tomas Babej --- diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5d04a2a..4e4e0b1 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1487,7 +1487,12 @@ class trustdomain_del(LDAPDelete): def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] - creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options) + # We want to use Kerberos if we have admin credentials even with SMB calls + # as eventually use of NTLMSSP will be deprecated for trusted domain operations + # If admin credentials are missing, 'creds' will be None and fetch_domains + # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication + # as well. + creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options) server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname,