6c9fccc trust-fetch-domains: make sure we use right KDC when --server is specified

2 files. Authored by abbra 4 years ago, committed by frenaud 4 years ago.
    trust-fetch-domains: make sure we use right KDC when --server is specified
    
    Since we are authenticating against AD DC before talking to it (by using
    trusted domain object's credentials), we need to override krb5.conf
    configuration in case --server option is specified.
    
    The context is a helper which is launched out of process with the help
    of oddjobd. The helper takes existing trusted domain object, uses its
    credentials to authenticate and then runs LSA RPC calls against that
    trusted domain's domain controller. Previous code directed Samba
    bindings to use the correct domain controller. However, if a DC visible
    to MIT Kerberos is not reachable, we would not be able to obtain TGT and
    the whole process will fail.
    
    trust_add.execute() was calling out to the D-Bus helper without passing
    the options (e.g. --server) so there was no chance to get that option
    visible by the oddjob helper.
    
    Also we need to make errors in the oddjob helper more visible to
    error_log. Thus, move error reporting for a normal communication up from
    the exception catching.
    
    Resolves: https://pagure.io/freeipa/issue/7895
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Sergey Orlov <sorlov@redhat.com>
    
        
file modified
+19 -9
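
The krb5.conf override the commit message describes can be sketched as below. This is an added example, not FreeIPA's code: the function names, the temporary-file approach and the sample realm and host are assumptions made for illustration. It validates the `--server` value before writing it into Kerberos configuration and uses the `KRB5_CONFIG` variable of MIT Kerberos to put the override ahead of the system file.

```python
import os
import re
import tempfile

# One DNS label: letters, digits, inner hyphens. Rejects whitespace, braces,
# '=' and newlines, so a --server value cannot inject extra krb5.conf lines.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")


def render_kdc_override(realm, server):
    """Return krb5.conf text pinning `realm` to the single KDC `server`."""
    for name, value in (("realm", realm), ("server", server)):
        if len(value) > 253 or not _HOST_RE.fullmatch(value):
            raise ValueError("invalid %s: %r" % (name, value))
    # The '*' after the closing brace marks the subsection final, so the same
    # realm in a later KRB5_CONFIG file is ignored.
    return (
        "[realms]\n"
        "    %s = {\n"
        "        kdc = %s\n"
        "    }*\n" % (realm.upper(), server)
    )


def kdc_override_env(realm, server, system_conf="/etc/krb5.conf"):
    """Write the override to a private temp file; return (path, env)."""
    text = render_kdc_override(realm, server)
    fd, path = tempfile.mkstemp(prefix="krb5-override-", suffix=".conf")
    with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
        f.write(text)
    env = dict(os.environ)
    # Override first, system file second: other settings still come from it.
    env["KRB5_CONFIG"] = path + os.pathsep + system_conf
    return path, env


if __name__ == "__main__":
    # Constructed sample values, not taken from the commit.
    conf_path, child_env = kdc_override_env("ad.example.test", "dc2.ad.example.test")
    print(child_env["KRB5_CONFIG"])
    os.remove(conf_path)
```

The returned environment is meant to be passed to the process that obtains the TGT; the caller removes the temporary file afterwards.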