When the get_realmdomains() method is called, it filters out subdomains of the IPA primary domain. This is required because Active Directory domain controllers assume that subdomains are already covered by the main domain's namespace.
MS-LSAD 3.1.4.7.16.1, 'Forest Trust Collision Generation', defines the method of validating the forest trust information. The rules are the same as those in [MS-ADTS] section 6.1.6. Specifically,
In practice, we already filtered those subdomains, but the code wasn't invalidating previously retrieved forest trust information.
This can be reproduced by manually adding a few subdomains of the IPA domain to the realmdomains list and then attempting to establish a trust with an AD forest:
# ipa realmdomains-mod --add-domain foo.ipa2.test --force
ipa: WARNING: The _kerberos TXT record from domain foo.ipa2.test could not be created (foo.ipa2.test.: DNS zone not found). This can happen if the zone is not managed by IPA. Please create the record manually, containing the following value: 'IPA2.TEST'
  Domain: ipa2.test, foo.ipa2.test
# ipa realmdomains-mod --add-domain bar.ipa2.test --force
ipa: WARNING: The _kerberos TXT record from domain bar.ipa2.test could not be created (bar.ipa2.test.: DNS zone not found). This can happen if the zone is not managed by IPA. Please create the record manually, containing the following value: 'IPA2.TEST'
  Domain: ipa2.test, foo.ipa2.test, bar.ipa2.test
# ipa trust-add win2022-mfpp.test --password
Active Directory domain administrator's password:
Active Directory domain administrator: Administrator@WIN2022-MFPP.TEST
ipa: ERROR: an internal error has occurred
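The filtering the ticket describes, as an added illustrative example rather than FreeIPA's own get_realmdomains() code: realm domains that lie beneath the IPA primary domain are dropped before they would be offered to Active Directory as separate top-level names, and the trust information is rebuilt from the current realm domain list each time instead of reusing a cached result. Subdomain matching is done on whole DNS labels so that a name like notipa2.test (a constructed value) is not mistaken for a subdomain of ipa2.test. The ForestTrustInfo class and the sample domain list are assumptions of this example; the domain names come from the reproduction above.

```python
# Added, illustrative example (not FreeIPA's own code): drop subdomains of
# the IPA primary domain from the realm domain list before it is used to
# build forest trust top-level names, and always rebuild that list from the
# current realm domains rather than a previously retrieved copy.


def _labels(name):
    """Lower-cased DNS labels of ``name``; a trailing dot is ignored."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_subdomain(name, parent):
    """True if ``name`` lies strictly below ``parent`` in the DNS tree.

    Whole labels are compared, so 'notipa2.test' is not treated as a
    subdomain of 'ipa2.test' (a plain string-suffix test would get that wrong).
    """
    n, p = _labels(name), _labels(parent)
    return len(n) > len(p) and n[-len(p):] == p


def filter_realm_domains(primary, domains):
    """Return the realm domains that AD needs to see as top-level names.

    The primary domain always comes first; every domain beneath it is dropped
    because AD treats it as covered by the primary namespace; case and
    trailing-dot duplicates are collapsed; the remaining input order is kept.
    """
    keep = [".".join(_labels(primary))]
    seen = set(keep)
    for domain in domains:
        canon = ".".join(_labels(domain))
        if canon in seen or is_subdomain(canon, primary):
            continue
        seen.add(canon)
        keep.append(canon)
    return keep


class ForestTrustInfo:
    """Minimal stand-in (an assumption of this example) for the forest trust
    record derived from realm domains. ``refresh`` recomputes from the realm
    domains passed in instead of reusing an earlier result, which is the
    behaviour the ticket's fix restores."""

    def __init__(self, primary):
        self.primary = primary
        self.top_level_names = None

    def refresh(self, realm_domains):
        self.top_level_names = filter_realm_domains(self.primary, realm_domains)
        return self.top_level_names

    def collisions(self, realm_domains):
        """Realm domains that collide with the primary namespace, i.e. the
        entries the filter removes; these must not reach the AD side."""
        wanted = set(self.refresh(realm_domains))
        return [".".join(_labels(d)) for d in realm_domains
                if ".".join(_labels(d)) not in wanted]


# Constructed sample mirroring the reproduction above: two subdomains of
# ipa2.test were added to the realmdomains list, plus a look-alike name and
# a differently cased duplicate of the primary domain.
SAMPLE_REALM_DOMAINS = ["ipa2.test", "foo.ipa2.test", "bar.ipa2.test",
                        "notipa2.test", "IPA2.TEST."]

if __name__ == "__main__":
    info = ForestTrustInfo("ipa2.test")
    print(info.refresh(SAMPLE_REALM_DOMAINS))     # ['ipa2.test', 'notipa2.test']
    print(info.collisions(SAMPLE_REALM_DOMAINS))  # ['foo.ipa2.test', 'bar.ipa2.test']
```

Running the block prints the two top-level names that survive filtering and the two subdomains that would have produced a collision; with the sample list, the stale-cache problem from the ticket shows up as the difference between calling refresh() once with the original list and again after entries were added.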
PR: https://github.com/freeipa/freeipa/pull/7265
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-28559
master:
ipa-4-11:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to When trust to Active Directory is established, trust topology communicated to the trusted Active Directory domain controllers may have contained conflicting information. This information is now refreshed and conflicts are removed as a part of the process to establish trust.