mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-12 09:11:55 -06:00
a57f613314
Quite often users choose wrong type of trust on Active Directory side when setting up a trust to freeIPA. The trust type supported by freeIPA is just a normal forest trust to another Active Directory. However, some people follow old internet recipes that force using a trust to MIT Kerberos realm. This is a wrong type of trust. Unfortunately, when someone used MIT Kerberos realm trust, there is no way to programmatically remote the trust from freeIPA side. As result, we have to detect such situation and report an error. To do proper reporting, we need reuse some constants and trust type names we use in IPA CLI/Web UI. These common components were moved to a separate ipaserver/dcerpc_common.py module that is imported by both ipaserver/plugins/trust.py and ipaserver/dcerpc.py. Fixes https://pagure.io/freeipa/issue/7264 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
74 lines
2.3 KiB
Python
74 lines
2.3 KiB
Python
import six
|
|
from ipalib import _
|
|
if six.PY3:
|
|
unicode = six.text_type
|
|
|
|
# Both constants can be used as masks against trust direction
|
|
# because bi-directional has two lower bits set.
|
|
TRUST_ONEWAY = 1
|
|
TRUST_BIDIRECTIONAL = 3
|
|
|
|
# Trust join behavior
|
|
# External trust -- allow creating trust to a non-root domain in the forest
|
|
TRUST_JOIN_EXTERNAL = 1
|
|
|
|
# We don't want to import any of Samba Python code here just for constants
|
|
# Since these constants set in MS-ADTS, we can rely on their stability
|
|
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
|
|
|
|
_trust_direction_dict = {
|
|
1: _('Trusting forest'),
|
|
2: _('Trusted forest'),
|
|
3: _('Two-way trust')
|
|
}
|
|
|
|
_trust_status_dict = {
|
|
True: _('Established and verified'),
|
|
False: _('Waiting for confirmation by remote side')
|
|
}
|
|
|
|
_trust_type_dict_unknown = _('Unknown')
|
|
|
|
# Trust type is a combination of ipanttrusttype and ipanttrustattributes
|
|
# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and
|
|
# 2+(1 << 3) becomes 10.
|
|
_trust_type_dict = {
|
|
1: _('Non-Active Directory domain'),
|
|
2: _('Active Directory domain'),
|
|
3: _('RFC4120-compliant Kerberos realm'),
|
|
10: _('Non-transitive external trust to a domain in '
|
|
'another Active Directory forest'),
|
|
11: _('Non-transitive external trust to an RFC4120-'
|
|
'compliant Kerberos realm')
|
|
}
|
|
|
|
|
|
def trust_type_string(level, attrs):
|
|
"""
|
|
Returns a string representing a type of the trust.
|
|
The original field is an enum:
|
|
LSA_TRUST_TYPE_DOWNLEVEL = 0x00000001,
|
|
LSA_TRUST_TYPE_UPLEVEL = 0x00000002,
|
|
LSA_TRUST_TYPE_MIT = 0x00000003
|
|
"""
|
|
transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
|
|
string = _trust_type_dict.get(int(level) | (transitive << 3),
|
|
_trust_type_dict_unknown)
|
|
return unicode(string)
|
|
|
|
|
|
def trust_direction_string(level):
|
|
"""
|
|
Returns a string representing a direction of the trust.
|
|
The original field is a bitmask taking two bits in use
|
|
LSA_TRUST_DIRECTION_INBOUND = 0x00000001,
|
|
LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
|
|
"""
|
|
string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
|
|
return unicode(string)
|
|
|
|
|
|
def trust_status_string(level):
|
|
string = _trust_status_dict.get(level, _trust_type_dict_unknown)
|
|
return unicode(string)
|