[Freeipa-devel] [PATCH] 0150: make sure SID is always returned as unicode from dcerpc.py

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 12 17:13:32 UTC 2014


On Wed, 12 Mar 2014, Martin Kosek wrote:
>On 03/12/2014 04:56 PM, Alexander Bokovoy wrote:
>> Hi,
>>
>> Trusted domain SID could be obtained through different means. When it is
>> fetched from the AD DC via LDAP, it needs to be extracted from a default
>> context and explicitly converted to unicode.
>>
>> https://fedorahosted.org/freeipa/ticket/4246
>
>This only works for ADs without subdomains. When there are subdomains, AD does
>not allow us to retrieve them and command fails right after creating the
>trust object:
>
># echo Secret123 | ipa trust-add tbad.example.com --trust-secret
>ipa: ERROR: AD domain controller complains about communication sequence. It may
>mean unsynchronized time on both sides, for example
>
># ipa trust-fetch-domains tbad.example.com
>ipa: ERROR: AD domain controller complains about communication sequence. It may
>mean unsynchronized time on both sides, for example
>
>When I refreshed FreeIPA domains on AD side, it started working again:
>
># ipa trust-fetch-domains tbad.example.com
>--------------------------------------------
>List of trust domains successfully refreshed
>--------------------------------------------
>  Realm name: child.tbad.example.com
>  Domain NetBIOS name: CHILD
>  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
>----------------------------
>Number of entries returned 1
>----------------------------
Yep. We cannot run trust-fetch-domains at this point, nor can we
verify the trust as we don't have AD admin credentials.

An additional patch is attached to not run trust-fetch-domains
automatically in this case. Note the documentation update request.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From 828219b886265920d631fc5026d17d7f2f853d66 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 12 Mar 2014 19:01:00 +0200
Subject: [PATCH 3/3] trust: do not fetch subdomains in case shared secret was
 used to set up the trust

Until incoming trust is validated from AD side, we cannot run any operations
against AD using the trust. Also, Samba currently does not support verifying
trust against the other party (returns WERR_NOT_SUPPORTED).

This needs to be added to the documentation:

   When using 'ipa trust-add ad.domain --trust-secret', one has to manually
   validate incoming trust using forest trust properties in AD Domains and
   Trusts tool.

   Once incoming trust is validated at AD side, use IPA command
   'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
   From this point on the trust should be usable.

https://fedorahosted.org/freeipa/ticket/4246
---
 ipalib/plugins/trust.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index fe39568..f57cf7d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -462,7 +462,8 @@ sides.
         # for AD trusts, regardless of the type of idranges associated with it
         # Note that fetch_domains_from_trust will add needed ranges for
         # the algorithmic ID mapping case.
-        if options.get('trust_type') == u'ad':
+        if (options.get('trust_type') == u'ad' and
+            options.get('trust_secret') is None):
             domains = fetch_domains_from_trust(self, self.trustinstance,
                                                result['result'], **options)
 
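Review bot: the new `options.get('trust_secret') is None` condition silently skips fetch_domains_from_trust, yet the comment directly above says that call also adds the ID ranges needed for the algorithmic ID mapping case, so a shared-secret trust is left without those ranges until the administrator runs `ipa trust-fetch-domains` by hand. Consider adding a message to the command result at this point telling the user that the incoming trust must be validated on the AD side and `ipa trust-fetch-domains` run afterwards, rather than relying only on the documentation note in the commit message.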
-- 
1.8.3.1
