[Freeipa-devel] [PATCH] 0196 trusts: format Kerberos principal properly when fetching trust topology

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 20 12:21:02 UTC 2015


Hi,

one more fix for the problem with trusts that Scott Poore found when
verifying fixes to bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190

Details are in the commit message.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From da76899a44af925223816d6e6b03336b457d8e2c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 20 Aug 2015 15:12:42 +0300
Subject: [PATCH 2/2] trusts: format Kerberos principal properly when fetching
 trust topology

For bidirectional trust, if we have AD administrator credentials, we
should be using them with Kerberos authentication. If we don't have
AD administrator credentials, we should be using
HTTP/ipa.master@IPA.REALM credentials. This means we should ask for
the 'creds' object to be formatted in Kerberos style.

For one-way trust we'll be fetching the trust topology as a TDO object,
authenticating with a pre-created Kerberos credentials cache, so in all
cases we use Kerberos authentication to talk to Active Directory
domain controllers over the cross-forest trust link.

Part of trust refactoring series.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Fixes: https://fedorahosted.org/freeipa/ticket/5182
---
 ipalib/plugins/trust.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5d04a2a..4e4e0b1 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1487,7 +1487,12 @@ class trustdomain_del(LDAPDelete):
 
 def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options):
     trust_name = trust_entry['cn'][0]
-    creds = generate_creds(trustinstance, style=CRED_STYLE_SAMBA, **options)
+    # We want to use Kerberos if we have admin credentials even with SMB calls
+    # as eventually use of NTLMSSP will be deprecated for trusted domain operations
+    # If admin credentials are missing, 'creds' will be None and fetch_domains
+    # will use HTTP/ipa.master at IPA.REALM principal, e.g. Kerberos authentication
+    # as well.
+    creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
     server = options.get('realm_server', None)
     domains = ipaserver.dcerpc.fetch_domains(myapi,
                                              trustinstance.local_flatname,
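Review bot: the new comment block in fetch_domains_from_trust needs two small fixes before this goes in. "e.g. Kerberos authentication as well" should read "i.e." (the HTTP/ principal is not one example of Kerberos authentication, it is the Kerberos fallback being described), and the second comment line ("# as eventually use of NTLMSSP will be deprecated for trusted domain operations") runs past 79 columns with its indentation, so please rewrap it. More substantively, the comment asserts that with CRED_STYLE_KERBEROS and no admin credentials generate_creds returns None and fetch_domains then falls back to the host's HTTP/ principal; neither behaviour is visible in this hunk, so that contract belongs in the docstring of generate_creds (or a test exercising the no-credentials path) rather than only in a comment at the call site, otherwise a later change to generate_creds can silently break the one-way trust case this patch is meant to fix.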
-- 
2.4.3