c34c1da trust: detect and error out when non-AD trust with IPA domain name exists

Authored and Committed by abbra 6 years ago
    trust: detect and error out when non-AD trust with IPA domain name exists
    
    Quite often users choose the wrong type of trust on the Active Directory
    side when setting up a trust to freeIPA. The trust type supported by
    freeIPA is just a normal forest trust to another Active Directory.
    However, some people follow old internet recipes that force using a
    trust to an MIT Kerberos realm.
    
    This is a wrong type of trust. Unfortunately, when someone used an MIT
    Kerberos realm trust, there is no way to programmatically remove the
    trust from the freeIPA side. As a result, we have to detect such a
    situation and report an error.
    
    To do proper reporting, we need to reuse some constants and trust type
    names we use in IPA CLI/Web UI. These common components were moved to
    a separate ipaserver/dcerpc_common.py module that is imported by both
    ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
    
    Fixes https://pagure.io/freeipa/issue/7264
    
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
    
        
file modified
+25 -12
file modified
+15 -50