author | Alexander Bokovoy <[email protected]> | 2014-08-19 16:24:27 +0300 |
---|---|---|
committer | Martin Kosek <[email protected]> | 2014-09-01 08:42:52 +0200 |
commit | d54d7ad1de4b9f7e29b9afc9438dfe5533cfa044 (patch) | |
tree | e105d414f685a88b33a5fef08983516568749451 | |
parent | e8a28b06f00b151ba997293fc1f700d0eb673b14 (diff) | |
ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
Part of https://fedorahosted.org/freeipa/ticket/4463
Reviewed-By: Sumit Bose <[email protected]>
-rw-r--r-- | ipalib/errors.py | 16 | ||||
-rw-r--r-- | ipaserver/dcerpc.py | 6 |
2 files changed, 22 insertions, 0 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 14e052990..f0426583d 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -817,6 +817,22 @@ class DeprecationError(InvocationError):
     errno = 3015
     format = _("Command '%(name)s' has been deprecated")
 
+class NotAForestRootError(InvocationError):
+    """
+    **3016** Raised when an attempt to establish trust is done against non-root domain
+    Forest root domain has the same name as the forest itself
+
+    For example:
+
+    >>> raise NotAForestRootError(forest='example.test', domain='jointops.test')
+    Traceback (most recent call last):
+    ...
+    NotAForestRootError: Domain 'jointops.test' is not a root domain for forest 'example.test'
+    """
+
+    errno = 3016
+    format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'")
+
 ##############################################################################
 # 4000 - 4999: Execution errors
 
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 51b314f94..3944b19e0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1151,6 +1151,9 @@ class TrustDomainJoins(object):
             realm_passwd
         )
 
+        if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+            raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
         if not self.remote_domain.read_only:
             trustdom_pass = samba.generate_random_password(128, 128)
             self.get_realmdomains()
@@ -1167,5 +1170,8 @@ class TrustDomainJoins(object):
         if not(isinstance(self.remote_domain, TrustDomainInstance)):
             self.populate_remote_domain(realm, realm_server, realm_passwd=None)
 
+        if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
+            raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
+
         self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
         return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
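Review bot: The first two docstring lines of the new NotAForestRootError class are hard to parse ("is done against non-root domain", and the second sentence has no terminating punctuation), and since these docstrings are what the error catalogue renders they deserve a clean statement of when the error fires. I would replace them with `**3016** Raised when a trust is requested against a domain that is not the root of its forest.` followed by `The forest root domain has the same DNS name as the forest itself.`, keeping the doctest example unchanged so the errno/format pairing stays verified.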
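Review bot: The forest-root guard added after the populate call is pasted verbatim in both join paths of TrustDomainJoins (this hunk and the one at -1167), and the raise line runs well past 79 columns, so a reviewer would ask for a single private method that both callers invoke. Centralising it also gives one place to document why the check exists (an AD forest trust can only be created with the forest root, which is the reason for ticket 4463 as far as the commit message shows) and one place to adjust the comparison later. Note that the enclosing method begins before this hunk, so the call site is outside what I can see here.
```python
    def _ensure_forest_root(self):
        """Refuse to proceed unless the remote domain is its forest root.

        A forest trust has to be established with the forest root domain;
        joining a child domain would silently produce a non-working trust.
        """
        info = self.remote_domain.info
        if info['dns_domain'] != info['dns_forest']:
            raise errors.NotAForestRootError(forest=info['dns_forest'],
                                             domain=info['dns_domain'])

        # … unchanged: populate_remote_domain(...) call …
        self._ensure_forest_root()
        # … unchanged: read_only branch, trustdom password generation …
```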
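Review bot: The added guard compares `info['dns_domain']` and `info['dns_forest']` with a plain `!=`, but both are DNS names and DNS names are case-insensitive; if the two fields ever come back with different casing (or one with a trailing dot) the check would reject a legitimate forest root with a misleading error. If the two values are known to be filled from the same DC query this may never happen, but a case-folded comparison is cheap insurance: `if info['dns_domain'].lower() != info['dns_forest'].lower():`. It is also worth a one-line comment above the check that this is a misconfiguration guard based on attributes the remote DC reports about itself, not a defence against a hostile peer, so nobody later relies on it for more than it gives. The enclosing method starts before this hunk.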