9b3819e trust: make sure external trust topology is correctly rendered

2 files. Authored by abbra 7 years ago, committed by mbabinsk 7 years ago.
    trust: make sure external trust topology is correctly rendered
    
    When external trust is established, it is by definition
    non-transitive: it is not possible to obtain Kerberos tickets to any
    service outside the trusted domain.
    
    Reflect this reality by only accepting UPN suffixes from the external
    trust -- since the trusted domain is a part of another forest and UPN
    suffixes are forest-wide, there could be user accounts in the trusted
    domain that use a forest-wide UPN suffix but it will be impossible to
    reach the forest root via the externally trusted domain.
    
    Also, an argument to netr_DsRGetForestTrustInformation() has to be
    either the forest root domain name or None (NULL). Otherwise we'll get
    an error as explained in MS-NRPC 3.5.4.7.5.
    
    https://fedorahosted.org/freeipa/ticket/6021
    
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
    
        
file modified
+1 -1
file modified
+17 -11