#9551 filter out subdomains from realmdomains list when submitting to trusted AD DCs
Closed: fixed 10 months ago by frenaud. Opened 10 months ago by abbra.

When the get_realmdomains() method is called, it filters out subdomains of the IPA primary domain. This is required because Active Directory domain controllers assume subdomains are already covered by the main domain namespace.

MS-LSAD 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the method of validating the forest trust information. They are the same as rules in [MS-ADTS] section 6.1.6. Specifically,

  • A top-level name must not be superior to an enabled top-level name for another trusted domain object, unless the current trusted domain object has a corresponding exclusion record.

In practice, we filtered those subdomains already, but the code wasn't invalidating previously retrieved forest trust information.

This can be reproduced by manually adding a few subdomains of the IPA domain to the realmdomains list and then attempting to establish trust with an AD forest:

# ipa realmdomains-mod --add-domain foo.ipa2.test --force
ipa: WARNING: The _kerberos TXT record from domain foo.ipa2.test could not be created (foo.ipa2.test.: DNS zone not found).
This can happen if the zone is not managed by IPA. Please create the record manually, containing the following value: 'IPA2.TEST'
  Domain: ipa2.test, foo.ipa2.test
# ipa realmdomains-mod --add-domain bar.ipa2.test --force
ipa: WARNING: The _kerberos TXT record from domain bar.ipa2.test could not be created (bar.ipa2.test.: DNS zone not found).
This can happen if the zone is not managed by IPA. Please create the record manually, containing the following value: 'IPA2.TEST'
  Domain: ipa2.test, foo.ipa2.test, bar.ipa2.test
# ipa trust-add win2022-mfpp.test --password
Active Directory domain administrator's password: 
Active Directory domain administrator: Administrator@WIN2022-MFPP.TEST
ipa: ERROR: an internal error has occurred
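The two pieces the ticket describes, as an added illustration that is not FreeIPA's own code: a filter that drops realm domains lying under the IPA primary domain before they are sent to AD as top-level names, and a cache of the resulting forest trust information that is rebuilt whenever the filtered list changes (the invalidation step that was missing). Function and class names are hypothetical; the domain values mirror the reproduction above.

```python
def is_subdomain(name: str, parent: str) -> bool:
    """True if `name` lies strictly below `parent` in the DNS tree (case-insensitive)."""
    n = name.rstrip(".").lower()
    p = parent.rstrip(".").lower()
    return n != p and n.endswith("." + p)


def filter_realmdomains(primary: str, realmdomains) -> list:
    """Return the realm domains to submit to AD as top-level names.

    Subdomains of the IPA primary domain are dropped: AD treats them as already
    covered by the primary name, and MS-ADTS 6.1.6 rejects a top-level name that
    is superior to another enabled top-level name. Order is kept, duplicates removed.
    """
    kept = []
    for dom in realmdomains:
        if is_subdomain(dom, primary):
            continue
        norm = dom.rstrip(".").lower()
        if norm not in kept:
            kept.append(norm)
    return kept


class ForestTrustInfoCache:
    """Cache of forest trust info keyed on the filtered top-level-name list.

    The cached record is discarded and rebuilt as soon as the filtered list
    differs from the one it was built from, so stale entries (e.g. a subdomain
    added via realmdomains-mod) never reach the trusted AD DCs.
    """

    def __init__(self):
        self._tlns = None   # tuple of top-level names the cached info was built from
        self._info = None   # the cached forest trust info record (a dict here)
        self.builds = 0     # how many times the record was (re)built, for inspection

    def get(self, primary: str, realmdomains) -> dict:
        tlns = tuple(filter_realmdomains(primary, realmdomains))
        if self._info is None or tlns != self._tlns:
            # Invalidate: the list of names changed, rebuild from scratch.
            self._tlns = tlns
            self._info = {"top_level_names": list(tlns)}
            self.builds += 1
        return self._info
```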

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-28559

10 months ago

master:

  • f9a1d74 dcerpc: invalidate forest trust info cache when filtering out realm domains

ipa-4-11:

  • e95201f dcerpc: invalidate forest trust info cache when filtering out realm domains

ipa-4-10:

  • fc736aa dcerpc: invalidate forest trust info cache when filtering out realm domains

ipa-4-9:

  • 656a11a dcerpc: invalidate forest trust info cache when filtering out realm domains

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

10 months ago

Metadata Update from @abbra:
- Custom field changelog adjusted to When trust to Active Directory is established, trust topology communicated to the trusted Active Directory domain controllers may have contained conflicting information. This information is now refreshed and conflicts are removed as a part of the process to establish trust.

8 months ago
