martbab's pull request #79: "trust-fetch-domains: contact forest DCs when 
fetching trust domain info" was opened

PR body:
"""
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.

https://fedorahosted.org/freeipa/ticket/6328
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/79
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/79/head:pr79
git checkout pr79
From f284042564c1ca6f6d52690d5c734f1ee0d92e6d Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 13 Sep 2016 15:59:40 +0200
Subject: [PATCH] trust-fetch-domains: contact forest DCs when fetching trust
 domain info

The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.

https://fedorahosted.org/freeipa/ticket/6328
---
 ipaserver/plugins/trust.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 8f8f987..6e6f6c5 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1739,15 +1739,20 @@ def execute(self, *keys, **options):
         ldap = self.api.Backend.ldap2
         verify_samba_component_presence(ldap, self.api)
 
-        trust = self.api.Command.trust_show(keys[0], raw=True)['result']
+        trust = self.api.Command.trust_show(
+            keys[0], all=True, raw=True)['result']
 
         result = dict()
         result['result'] = []
         result['count'] = 0
         result['truncated'] = False
 
-        # For one-way trust fetch over DBus. we don't get the list in this case.
-        if int(trust['ipanttrustdirection'][0]) != TRUST_BIDIRECTIONAL:
+        trust_direction = int(trust['ipanttrustdirection'][0])
+        is_nontransitive = int(trust.get('ipanttrustattributes',
+                               [0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
+        # For one-way trust and external trust fetch over DBus.
+        # We don't get the list in this case.
+        if trust_direction != TRUST_BIDIRECTIONAL or is_nontransitive:
             fetch_trusted_domains_over_dbus(self.api, self.log, keys[0])
             result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.'))
             return result
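
Review bot: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE is used in the new is_nontransitive expression, but none of the 11 inserted lines defines or imports it, so it has to exist in ipaserver/plugins/trust.py already or this branch raises NameError on every call. Please confirm that. Two smaller points on the same statement: the continuation line "[0])[0]) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE" is indented as if "[0]" were an argument of int(), when it is the default for trust.get(); breaking the line after "trust.get(" would make that obvious. Also, is_nontransitive ends up holding the masked integer, not a boolean; wrapping the expression in bool() would match the name. Finally, the [0] default means a trust entry without ipanttrustattributes is treated as transitive and takes the direct Samba path, and a one-line comment saying that this is intended would help the next reader.
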
@@ -1762,6 +1767,9 @@ def execute(self, *keys, **options):
                     'on the IPA server first'
                 )
             )
+
+        trustinstance.populate_remote_domain(keys[0])
+
         res = fetch_domains_from_trust(self.api, trustinstance, **options)
         domains = add_new_domains_from_trust(self.api, trustinstance, trust, res, **options)
 
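
Review bot: trustinstance.populate_remote_domain(keys[0]) is called with no error handling and its result is not checked, so whatever it raises when the forest root DC cannot be located or contacted propagates straight out of execute(). The block just above returns a translated, user-facing error for the missing-component case; a failure here should get the same treatment, or the commit message should state that populate_remote_domain already raises a suitable errors.* exception. A short comment above the call explaining why it is needed before fetch_domains_from_trust() (contacting the forest root DCs, per the commit message) would also help, since nothing in the hunk says what state the call sets up.
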