freeipa/ipaserver
Alexander Bokovoy 9b3819ea94 trust: make sure external trust topology is correctly rendered
When external trust is established, it is by definition
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.

Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use a forest-wide UPN suffix, but it will be impossible to
reach the forest root via the externally trusted domain.

Also, an argument to netr_DsRGetForestTrustInformation() has to be
either the forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.

https://fedorahosted.org/freeipa/ticket/6021

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:38:18 +02:00
..
advise ipa-advise: correct handling of plugin namespace iteration 2016-07-12 11:02:52 +02:00
install support schema files from third-party plugins 2016-08-19 15:34:26 +02:00
plugins trust: make sure external trust topology is correctly rendered 2016-08-22 13:38:18 +02:00
__init__.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
dcerpc.py trust: make sure external trust topology is correctly rendered 2016-08-22 13:38:18 +02:00
dns_data_management.py DNS Locations: cleanup of bininstance 2016-06-28 15:23:51 +02:00
rpcserver.py Added new authentication method 2016-08-17 16:55:49 +02:00
servroles.py Introduce "NTP server" role 2016-06-15 13:51:48 +02:00
session.py session: do not initialize session manager on import 2016-06-30 14:09:24 +02:00
topology.py Fix topologysuffix-verify failing connections 2016-06-24 13:32:02 +02:00