[Freeipa-devel] [PATCH] 0150: make sure SID is always returned as unicode from dcerpc.py

Martin Kosek mkosek at redhat.com
Wed Mar 12 17:17:54 UTC 2014


On 03/12/2014 06:13 PM, Alexander Bokovoy wrote:
> On Wed, 12 Mar 2014, Martin Kosek wrote:
>> On 03/12/2014 04:56 PM, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> Trusted domain SID could be obtained through different means. When it is
>>> fetched from the AD DC via LDAP, it needs to be extracted from a default
>>> context and explicitly converted to unicode.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4246
>>
>> This only works for ADs without subdomains. When there are subdomains, AD does
>> not allow us to retrieve them and the command fails right after creating the
>> trust object:
>>
>> # echo Secret123 | ipa trust-add tbad.example.com --trust-secret
>> ipa: ERROR: AD domain controller complains about communication sequence. It may
>> mean unsynchronized time on both sides, for example
>>
>> # ipa trust-fetch-domains tbad.example.com
>> ipa: ERROR: AD domain controller complains about communication sequence. It may
>> mean unsynchronized time on both sides, for example
>>
>> When I refreshed FreeIPA domains on the AD side, it started working again:
>>
>> # ipa trust-fetch-domains tbad.example.com
>> --------------------------------------------
>> List of trust domains successfully refreshed
>> --------------------------------------------
>>  Realm name: child.tbad.example.com
>>  Domain NetBIOS name: CHILD
>>  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
> Yep. We cannot run trust-fetch-domains at this point, nor can we verify
> the trust as we don't have AD admin credentials.
> 
> Additional patch is attached to not run trust-fetch-domains
> automatically in this case. Note documentation update request.

Works as a charm, ACK.

Pushed both patches to:
master: 34d644ebdf9f887441ef82d71b4f101206d897a8
ipa-3-3: a9fab2fc26be33e7296578961e61f2faec4f9061

Martin
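The patch under discussion makes dcerpc.py hand back the trusted domain's SID as unicode regardless of how it was obtained. As an added illustration, not code from FreeIPA or from the authors above, the following Python 3 helper normalises the three forms a SID commonly arrives in (the binary objectSid blob that AD returns over LDAP, the textual "S-1-..." form as bytes, and the textual form already as str) into one validated str. The binary layout decoded here is the documented Windows SID structure (MS-DTYP 2.4.2.2: revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities); the function names and the sample blob, built from the CHILD domain SID shown in the thread, are this example's own. Python 2's str/unicode split, which the patch addresses, appears on Python 3 as bytes versus str.

```python
import re
import struct

# Textual SID: revision 1, an identifier authority (decimal, or 0x-hex when it
# does not fit in 32 bits), and at most 15 sub-authorities (MS-DTYP 2.4.2.1).
_SID_TEXT_RE = re.compile(r"^S-1-(\d+|0x[0-9A-Fa-f]{12})(-\d+){0,15}$")


def sid_from_binary(blob):
    """Decode a binary SID as AD returns it in objectSid (MS-DTYP 2.4.2.2)
    and return the textual form as str (unicode)."""
    blob = bytes(blob)
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if sub_count > 15:
        raise ValueError("too many sub-authorities: %d" % sub_count)
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("blob length %d does not match %d sub-authorities"
                         % (len(blob), sub_count))
    # 48-bit big-endian identifier authority, then little-endian 32-bit
    # sub-authorities.
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    auth_text = "%d" % authority if authority < 2 ** 32 else "0x%012X" % authority
    return "S-1-%s%s" % (auth_text, "".join("-%d" % s for s in subs))


def sid_to_binary(text):
    """Inverse of sid_from_binary; used here to round-trip the sample."""
    text = to_unicode_sid(text)
    parts = text.split("-")[2:]          # drop the leading "S" and the revision
    auth = parts[0]
    authority = int(auth, 16) if auth.startswith("0x") else int(auth)
    subs = [int(p) for p in parts[1:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_valid_sid_text(text):
    """True only for a str in the canonical textual SID form."""
    return isinstance(text, str) and _SID_TEXT_RE.match(text) is not None


def to_unicode_sid(value):
    """Normalise whatever form a SID arrived in to its textual form as str.

    Accepts the binary objectSid blob, the textual form as bytes, or the
    textual form already as str; anything else, or a malformed SID, raises.
    """
    if isinstance(value, str):
        text = value
    elif isinstance(value, (bytes, bytearray)):
        value = bytes(value)
        # A textual SID always starts with "S-" while a binary one starts with
        # the revision byte 0x01, so the two forms cannot be confused.
        if value.startswith(b"S-"):
            text = value.decode("ascii")
        else:
            text = sid_from_binary(value)
    else:
        raise TypeError("unsupported SID type %s" % type(value).__name__)
    if not is_valid_sid_text(text):
        raise ValueError("malformed SID %r" % text)
    return text


# Constructed sample (this example's own): the binary form of the CHILD domain
# SID shown in the thread, S-1-5-21-972585150-1048339146-1910910075.
SAMPLE_SID_TEXT = "S-1-5-21-972585150-1048339146-1910910075"
SAMPLE_SID_BLOB = (bytes([1, 4]) + (5).to_bytes(6, "big")
                   + struct.pack("<4I", 21, 972585150, 1048339146, 1910910075))

if __name__ == "__main__":
    for raw in (SAMPLE_SID_BLOB, SAMPLE_SID_TEXT.encode("ascii"), SAMPLE_SID_TEXT):
        sid = to_unicode_sid(raw)
        print("%-9s -> %s (%s)" % (type(raw).__name__, sid, type(sid).__name__))
```

The point the patch makes is the last line of to_unicode_sid: callers get exactly one type back, so a SID fetched over LDAP and a SID read from a string compare equal and format identically downstream. The length check against the sub-authority count matters when the blob comes from a remote DC, since a truncated or padded objectSid would otherwise decode silently into a different principal.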
