freeipa/ipaserver/dcerpc_common.py
Alexander Bokovoy a57f613314 trust: detect and error out when non-AD trust with IPA domain name exists
Quite often users choose the wrong type of trust on the Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to an MIT
Kerberos realm.

This is a wrong type of trust. Unfortunately, when someone used an MIT
Kerberos realm trust, there is no way to programmatically remove the
trust from the freeIPA side. As a result, we have to detect such a situation and
report an error.

To do proper reporting, we need to reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.

Fixes https://pagure.io/freeipa/issue/7264

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00

74 lines
2.3 KiB
Python

import six
from ipalib import _

if six.PY3:
    unicode = six.text_type

# Both constants can be used as masks against trust direction
# because bi-directional has two lower bits set.
TRUST_ONEWAY = 1
TRUST_BIDIRECTIONAL = 3

# Trust join behavior
# External trust -- allow creating trust to a non-root domain in the forest
TRUST_JOIN_EXTERNAL = 1

# We don't want to import any of Samba Python code here just for constants
# Since these constants set in MS-ADTS, we can rely on their stability
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001

_trust_direction_dict = {
    1: _('Trusting forest'),
    2: _('Trusted forest'),
    3: _('Two-way trust')
}

_trust_status_dict = {
    True: _('Established and verified'),
    False: _('Waiting for confirmation by remote side')
}

_trust_type_dict_unknown = _('Unknown')

# Trust type is a combination of ipanttrusttype and ipanttrustattributes
# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and
# 2+(1 << 3) becomes 10.
_trust_type_dict = {
    1: _('Non-Active Directory domain'),
    2: _('Active Directory domain'),
    3: _('RFC4120-compliant Kerberos realm'),
    10: _('Non-transitive external trust to a domain in '
          'another Active Directory forest'),
    11: _('Non-transitive external trust to an RFC4120-'
          'compliant Kerberos realm')
}


def trust_type_string(level, attrs):
    """
    Returns a string representing a type of the trust.
    The original field is an enum:
      LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
      LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
      LSA_TRUST_TYPE_MIT        = 0x00000003
    """
    transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
    string = _trust_type_dict.get(int(level) | (transitive << 3),
                                  _trust_type_dict_unknown)
    return unicode(string)


def trust_direction_string(level):
    """
    Returns a string representing a direction of the trust.
    The original field is a bitmask taking two bits in use
      LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
      LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
    """
    string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
    return unicode(string)


def trust_status_string(level):
    string = _trust_status_dict.get(level, _trust_type_dict_unknown)
    return unicode(string)
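
The following is an added example, not part of FreeIPA or of this commit. It restates the page's constants so it runs without ipalib or six, builds the type key the same way trust_type_string() does, and flags a trust whose type is not an Active Directory (uplevel) trust, the situation the commit message describes. The record layout, the audit_trust helper and the sample values are assumptions made for illustration.

```python
# Added example: constants restated from the page so this runs stand-alone.
LSA_TRUST_TYPE_UPLEVEL = 0x00000002            # "Active Directory domain"
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
TRUST_BIDIRECTIONAL = 3

TYPE_NAMES = {
    1: 'Non-Active Directory domain',
    2: 'Active Directory domain',
    3: 'RFC4120-compliant Kerberos realm',
    10: 'Non-transitive external trust to a domain in '
        'another Active Directory forest',
    11: 'Non-transitive external trust to an RFC4120-'
        'compliant Kerberos realm',
}


def type_key(trust_type, attrs):
    """Build the lookup key the way trust_type_string() does."""
    non_transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
    return int(trust_type) | (non_transitive << 3)


def audit_trust(rec):
    """Hypothetical helper: return (type label, two-way?, problem or None)."""
    label = TYPE_NAMES.get(type_key(rec['type'], rec['attrs']), 'Unknown')
    # Two-way only if both direction bits are set; one bit alone is one-way.
    two_way = (int(rec['direction']) & TRUST_BIDIRECTIONAL) == TRUST_BIDIRECTIONAL
    problem = None
    if int(rec['type']) != LSA_TRUST_TYPE_UPLEVEL:
        problem = '%s: %s is not an Active Directory trust' % (rec['name'], label)
    return label, two_way, problem


# Constructed sample records; values are strings because the page's
# functions call int() on their arguments. attrs '8' has bit 0 clear.
SAMPLE_TRUSTS = [
    {'name': 'ad.example.test', 'type': '2', 'attrs': '8', 'direction': '3'},
    {'name': 'child.example.test', 'type': '2', 'attrs': '1', 'direction': '1'},
    {'name': 'IPA.EXAMPLE.TEST', 'type': '3', 'attrs': '0', 'direction': '2'},
]

if __name__ == '__main__':
    for rec in SAMPLE_TRUSTS:
        label, two_way, problem = audit_trust(rec)
        print(rec['name'], '|', label, '|', 'two-way' if two_way else 'one-way')
        if problem:
            print('  ERROR:', problem)
```

Only bit 0 of the attributes takes part in the key, so a downlevel trust (type 1) with the non-transitive bit set yields key 9, which has no entry and is reported as 'Unknown'.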