adtrust upgrade: fix wrong primary principal name

Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created the LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
the ipasam plugin when trust is established. When upgrading such a
deployment, the upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Alexander Bokovoy
2019-06-25 15:22:57 +03:00
committed by Christian Heimes
parent 0294ad2133
commit 34bfffd1be
3 changed files with 18 additions and 14 deletions


@@ -679,12 +679,12 @@ class update_tdo_to_new_layout(Updater):
trust_principal, t_realm)
continue
# 4. Create <OUR FLATNAME$>@<REMOTE REALM>, disabled
# 4. Create krbtgt/<OUR FLATNAME>@<REMOTE REALM>, disabled
nbt_principal = self.nbt_principal_template.format(
nbt=our_nbt_name, realm=t_realm)
tgt_principal = self.tgt_principal_template.format(
remote=our_nbt_name, local=t_realm)
self.set_krb_principal([nbt_principal, tgt_principal],
self.set_krb_principal([tgt_principal, nbt_principal],
passwd_incoming,
t_dn,
flags=self.KRB_PRINC_CREATE_DEFAULT |
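Review bot: In the self.set_krb_principal([tgt_principal, nbt_principal], ...) call, the position in the list is the only thing that decides which name becomes the primary principal and which becomes the alias, and nothing at the call site states that contract. Since that ordering is exactly what went wrong before, add a short comment above the call saying the first element is the primary name and the rest are aliases, or build the list from two clearly named variables (for example a primary and an aliases value) so a future reorder is visibly a behaviour change. Separately, in the tgt_principal_template.format(remote=our_nbt_name, local=t_realm) lines just above, the keyword names read as inverted relative to the values: our own NetBIOS name is passed as "remote" and the trusted realm as "local". If that reflects the remote side's point of view, say so in the step 4 comment; otherwise rename the template fields to match nbt_principal_template (nbt=, realm=), because this naming makes the same mix-up easy to repeat.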