[Freeipa-devel] [PATCH] 0062 support various forms of user account when establishing trusts

Alexander Bokovoy abokovoy at redhat.com
Mon Jul 16 13:14:10 UTC 2012


Hi,

Realm administrator account may be specified using different forms:
Administrator, DOM\Administrator, Administrator at DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only the user name is used; the short domain name
  is then taken from a discovered record from the AD DC
- In Administrator at DOMAIN, DOMAIN is first verified to be the same
  as the domain we are establishing trust to, and then the user name
  is taken, together with the short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted
domains' accounts to establish trust as there is basically zero chance
to verify that things will work with them. In addition, in order to
establish trust one needs to belong to Enterprise Admins group in AD or
have specially delegated permissions. These permissions are unlikely to be
delegated to the ones in an already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864

-- 
/ Alexander Bokovoy
From 3365e3501a1cdd13d3741fc791c7843839a5a058 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 16 Jul 2012 13:12:42 +0300
Subject: [PATCH 4/4] Handle various forms of admin accounts when establishing
 trusts

Realm administrator account may be specified using different forms:
Administrator, DOM\Administrator, Administrator at DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only the user name is used; the short domain name
  is then taken from a discovered record from the AD DC
- In Administrator at DOMAIN, DOMAIN is first verified to be the same
  as the domain we are establishing trust to, and then the user name
  is taken, together with the short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely to be delegated to
the ones in an already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
---
 ipalib/plugins/trust.py |    8 ++++++++
 ipaserver/dcerpc.py     |    5 +++++
 2 files changed, 13 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 2932835e038d99d9c48f1822e76fbc2e1570f92f..792e6cac2a2f9ebb61f84cc74d01be325995863e 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -180,6 +180,14 @@ class trust_add(LDAPCreate):
         # generate random trustdom password to do work on both sides
         if 'realm_admin' in options:
             realm_admin = options['realm_admin']
+            names = realm_admin.split('@')
+            if len(names) > 1:
+                # realm admin name is in UPN format, user at realm, check that
+                # realm is the same as the one that we are attempting to trust
+                if keys[-1].lower() != names[-1].lower():
+                    raise errors.ValidationError(name=_('AD Trust setup'),
+                                 error=_('Trusted domain and administrator account use different realms'))
+                realm_admin = names[0]
 
             if 'realm_passwd' not in options:
                 raise errors.ValidationError(name=_('AD Trust setup'), error=_('Realm administrator password should be specified'))
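Review bot: the UPN check in this hunk only verifies that the realm part matches keys[-1] and then takes names[0] as the user, so an input such as "@DOMAIN" passes the check and leaves realm_admin empty, and a value with more than one '@' is split silently with the middle parts dropped. Consider rejecting an empty names[0] and a len(names) > 2 result with the same ValidationError, so that a malformed account name fails here with a clear message rather than later when the credential string is parsed in dcerpc.py.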
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 07e40c2d35b41a2665232f3e6d853b47aef707bb..6b830f65b854b74fcf080b071212e7658f334adf 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -363,6 +363,11 @@ class TrustDomainJoins(object):
         rd.read_only = True
         if realm_admin and realm_passwd:
             if 'name' in rd.info:
+                names = realm_admin.split('\\')
+                if len(names) > 1:
+                    # realm admin is in DOMAIN\user format
+                    # strip DOMAIN part as we'll enforce the one discovered
+                    realm_admin = names[-1]
                 auth_string = u"%s\%s%%%s" % (rd.info['name'], realm_admin, realm_passwd)
                 td = get_instance(self)
                 td.creds.parse_string(auth_string)
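Review bot: the DOMAIN\user handling in this hunk silently discards whatever domain prefix the caller typed and substitutes rd.info['name'], which is inconsistent with the trust.py hunk that rejects a mismatching realm in the user@realm form. If the caller supplied the wrong short domain name, the join is attempted under the discovered domain's name without any indication; consider comparing names[0] against rd.info['name'] case-insensitively and raising the same ValidationError on mismatch, or at least logging that the supplied prefix was replaced. Note also that the two parsing steps live in different modules (the '@' split in the plugin, the '\\' split here), so the accepted forms are harder to audit than if both splits were done in one helper.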
-- 
1.7.10.4