#4463 Improve handling of forest trust domains when establishing a cross-forest trust
Closed: Fixed. Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1125317

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

...
Description of problem:
When fetching trusted domains with:
ipa trustdomain-find <domain>
...not all trusted domains are returned due to
NETR_TRUST_ATTRIBUTE_WITHIN_FOREST and NETR_TRUST_FLAG_IN_FOREST failing the
filter.
Version-Release number of selected component (if applicable):
ipa-3.3.3-28

How reproducible:
always

Steps to Reproduce:
1. # ipa trust-add --type ad EXAMPLE.COM --trust-secret
2. # ipa trustdomain-find example.com

Actual results:
# ipa trustdomain-find example.com
  Domain name: example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz
  Domain enabled: True

  Domain name: another.com
  Domain NetBIOS name: ANOTHER
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Expected results:
# ipa trust-fetch-domains example.com
--------------------------------------------
List of trust domains successfully refreshed
--------------------------------------------
  Realm name: CORP.EXAMPLE.COM
  Domain NetBIOS name: CORP
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz

  Realm name: a.example.com
  Domain NetBIOS name: A
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz

  Realm name: b.example.com
  Domain NetBIOS name: B
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz
----------------------------
Number of entries returned 3
----------------------------
Additional info:
I've attached a log showing what occurs when only the 2 domains are found.

Workaround suggested by Alexander Bokovoy returned the expected result:

As an experiment, you can try to hack on
ipaserver/dcerpc.py:fetch_domains() in the

    result = []
    for t in domains.array:
        if ((t.trust_attributes &
             trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
            (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
            res = dict()
            res['cn'] = unicode(t.dns_name)
            res['ipantflatname'] = unicode(t.netbios_name)
            res['ipanttrusteddomainsid'] = unicode(t.sid)
            res['ipanttrustpartner'] = res['cn']
            result.append(res)
    return result

by removing check for (t.trust_attributes &
trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'])
and adding
  (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY'])).

It would look like:

    if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
            (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):

This would give you all domains that 'are in the forest' except the
primary one (which we don't need as we already have it). Restart httpd
after the hack and run 'ipa trust-fetch-domains <forest.root>'.

As this is an AD trust stabilization fix which is now ready, I think it should also be part of 4.0.2.
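To make the difference between the two filters concrete, here is an added, self-contained Python model of the fetch_domains() loop (written for this ticket, not FreeIPA's own dcerpc.py code): the original check and the proposed one are run over a constructed set of trust records. The TrustedDomain class, the numeric flag values and the sample domains are assumptions standing in for what the Samba netr_DomainTrust structures carry.

```python
from dataclasses import dataclass

# Bit values as in MS-NRPC / Samba's netlogon.idl (assumed here; the filters
# only need the bits to be distinct, not these exact numbers).
trust_flags = {'NETR_TRUST_FLAG_IN_FOREST': 0x01, 'NETR_TRUST_FLAG_OUTBOUND': 0x02,
               'NETR_TRUST_FLAG_TREEROOT': 0x04, 'NETR_TRUST_FLAG_PRIMARY': 0x08}
trust_attributes = {'NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE': 0x08,
                    'NETR_TRUST_ATTRIBUTE_WITHIN_FOREST': 0x20}
IN_FOREST, OUTBOUND, TREEROOT, PRIMARY = 0x01, 0x02, 0x04, 0x08  # shorthand for SAMPLE
WITHIN_FOREST, FOREST_TRANSITIVE = 0x20, 0x08

@dataclass
class TrustedDomain:
    """Stand-in for one netr_DomainTrust record as enumerated from the AD DC."""
    dns_name: str
    netbios_name: str
    sid: str
    trust_flags: int
    trust_attributes: int

def original_keep(t):
    """Filter quoted in the ticket: WITHIN_FOREST attribute *and* IN_FOREST flag."""
    return bool(t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']
                and t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])

def fixed_keep(t):
    """Workaround from the ticket: every IN_FOREST domain except the primary one."""
    return bool(not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY'])
                and t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])

def fetch_domains(domains, keep):
    """Same loop as fetch_domains() in the ticket, parameterised by the filter."""
    result = []
    for t in domains:
        if keep(t):
            result.append({'cn': t.dns_name, 'ipantflatname': t.netbios_name,
                           'ipanttrusteddomainsid': t.sid, 'ipanttrustpartner': t.dns_name})
    return result

# Constructed sample of what the forest root DC of example.com might enumerate:
# the root itself (primary), two child domains, and a separate forest reached
# over a forest trust. b.example.com carries IN_FOREST but no WITHIN_FOREST
# attribute, which is the case the ticket describes for older DCs.
SAMPLE = [
    TrustedDomain('example.com', 'EXAMPLE', 'S-1-5-21-1-1-1', IN_FOREST | PRIMARY | TREEROOT, 0),
    TrustedDomain('a.example.com', 'A', 'S-1-5-21-2-2-2', IN_FOREST | OUTBOUND, WITHIN_FOREST),
    TrustedDomain('b.example.com', 'B', 'S-1-5-21-3-3-3', IN_FOREST | OUTBOUND, 0),
    TrustedDomain('another.com', 'ANOTHER', 'S-1-5-21-4-4-4', OUTBOUND, FOREST_TRANSITIVE),
]
# original_keep returns only a.example.com; fixed_keep returns a. and b.example.com (never the primary or another.com).
```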

master:

  • 1fd3a23 ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
  • d16b471 ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
  • 90227f8 ipaserver/dcerpc.py: Make sure trust is established only to forest root domain

ipa-4-1:

  • 4f17f64 ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
  • e8a28b0 ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
  • d54d7ad ipaserver/dcerpc.py: Make sure trust is established only to forest root domain

ipa-4-0:

  • 4bf0aa8 ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
  • c0b438e ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
  • 5383f28 ipaserver/dcerpc.py: Make sure trust is established only to forest root domain

ipa-3-3:

  • 4bf0aa8 ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
  • 48eba53 ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
  • ad818fc ipaserver/dcerpc.py: Make sure trust is established only to forest root domain

Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago