In trust.py, the method trust.get_dn() is setting a wrong filter. The resulting filter in my case looked like this:
(&(|(objectclass=ipaNTTrustedDomain)(cn=WIN.EXAMPLE.COM))(ipaNTSIDBlacklistIncoming=*))
I think the filter should be AND-ed, nor OR-ed, otherwise any object that is ipaNTTrustedDomain and has ipaNTSIDBlacklistIncoming.
a proposed patch 0001-trusts-combine-filters-with-AND-to-make-sure-only-th.patch
The attached patch made the trust command work for me. I was also experimenting with combining all parameters to make_filter, but that was escaping the asterisk for me.
Committed to master and ipa-3-3.
master: c088c94
ipa-3-3: 0daf11c
This fixed a potential regresion, no RHBZ attached.
Metadata Update from @jhrozek: - Issue assigned to someone - Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)
Login to comment on this ticket.