trusts: Check for AD root domain among our trusted domains

Check for the presence of the forest root DNS domain of the AD realm among the IPA realm domains prior to esablishing the trust. This prevents creation of a failing setup, as trusts would not work properly in this case. https://fedorahosted.org/freeipa/ticket/4799 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-07-15 14:22:48 +02:00
parent 82aaa1e6d0
commit 45958d6219
1 changed files with 20 additions and 1 deletions
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
                           self.params['realm_passwd'].label, confirm=False)

    def validate_options(self, *keys, **options):
+        trusted_realm_domain = keys[-1]
+
        if not _bindings_installed:
            raise errors.NotFound(
                name=_('AD Trust setup'),
@@ -692,6 +694,23 @@ sides.
                )
            )

+        # Obtain a list of IPA realm domains
+        result = self.api.Command.realmdomains_show()['result']
+        realm_domains = result['associateddomain']
+
+        # Do not allow the AD's trusted realm domain in the list
+        # of our realm domains
+        if trusted_realm_domain.lower() in realm_domains:
+            raise errors.ValidationError(
+                name=_('AD Trust setup'),
+                error=_(
+                    'Trusted domain %(domain)s is included among '
+                    'IPA realm domains. It needs to be removed '
+                    'prior to establishing the trust. See the '
+                    '"ipa realmdomains-mod --del-domain" command.'
+                ) % dict(domain=trusted_realm_domain)
+            )
+
        self.realm_server = options.get('realm_server')
        self.realm_admin = options.get('realm_admin')
        self.realm_passwd = options.get('realm_passwd')
@@ -702,7 +721,7 @@ sides.
            if len(names) > 1:
                # realm admin name is in UPN format, user@realm, check that
                # realm is the same as the one that we are attempting to trust
-                if keys[-1].lower() != names[-1].lower():
+                if trusted_realm_domain.lower() != names[-1].lower():
                    raise errors.ValidationError(
                        name=_('AD Trust setup'),
                        error=_(