adtrust: filter out subdomains when defining our topology to AD

When defining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.

This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.

Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.

Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single label domains as part of freeIPA installs, this
is another layer of protection here.

Fixes https://pagure.io/freeipa/issue/6666

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Alexander Bokovoy 2017-10-19 13:21:05 +03:00
parent 0071744929
commit 443ecbc29e


@ -47,6 +47,7 @@ import samba
import ldap as _ldap
from ipapython import ipaldap
from ipapython.dnsutil import DNSName
from dns import resolver, rdatatype
from dns.exception import DNSException
import pysss_nss_idmap
@ -1601,7 +1602,22 @@ class TrustDomainJoins(object):
entry.single_value.get('modifytimestamp').timetuple()
)*1e7+116444736000000000)
forest = DNSName(self.local_domain.info['dns_forest'])
# tforest is IPA forest. keep the line below for future checks
# tforest = DNSName(self.remote_domain.info['dns_forest'])
for dom in realm_domains['associateddomain']:
d = DNSName(dom)
# We should skip all DNS subdomains of our forest
# because we are going to add *.<forest> TLN anyway
if forest.is_superdomain(d) and forest != d:
continue
# We also should skip single label TLDs as they
# cannot be added as TLNs
if len(d.labels) == 1:
continue
ftinfo = dict()
ftinfo['rec_name'] = dom
ftinfo['rec_time'] = trust_timestamp
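Review bot: both new checks depend on `forest` and `d` being in the same relative/absolute form, since `DNSName` keeps a trailing dot as a root label; if one side of `forest != d` carries a trailing dot the subdomain skip is bypassed, and `len(d.labels) == 1` misses a single-label name written as `label.` because the root label is counted. Normalize both names to the same form (e.g. make both absolute) before the comparisons. Separately, the comment on the commented-out `tforest` line calls it the IPA forest while it is built from `self.remote_domain`, whereas the live `forest` comes from `self.local_domain`; state which forest each refers to, or drop the dead line rather than keep a misleading placeholder.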