trusts: Detect domain clash with IPA domain when adding an AD trust

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Tomas Babej 2015-08-06 10:54:47 +02:00 committed by Martin Basti
parent 0dd95a19ee
commit 9ce074b36a

@ -670,6 +670,14 @@ sides.
error=_('only "ad" is supported')
)
# Detect IPA-AD domain clash
if self.api.env.domain.lower() == trusted_realm_domain.lower():
raise errors.ValidationError(
name=_('domain'),
error=_('Cannot establish a trust to AD deployed in the same '
'domain as IPA. Such setup is not supported.')
)
# If domain name and realm does not match, IPA server is not be able
# to establish trust with Active Directory.
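Review bot: the user-facing message in the new `raise errors.ValidationError(...)` block reads "Such setup is not supported."; since it is a translatable string shown to administrators, make it grammatical ("Such a setup is not supported.") and consider telling the admin why the trust is refused, i.e. that the ID range for the trusted domain would collide with the local `DOMAIN.NAME_id_range` as described in the commit message, so the failure is actionable rather than just a flat refusal. The check itself, a case-insensitive equality between `self.api.env.domain` and `trusted_realm_domain`, is the right shape for this collision, because the range name is derived directly from the domain name and only an identical name produces the clash; placing it before the existing realm/domain mismatch check is also sensible, as the mismatch check would otherwise mask the clearer error.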