mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
6332cb3125
For configuration where: - AD example.com trusts IPA at ipa.example.com - AD example.org trusts AD example.com - a trust is tried to be established between ipa.example.com and example.org, there will be a trust topology conflict detected by example.org domain controller because ipa.example.com DNS namespace overlaps with example.com DNS namespace. This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2 "Building Well-Formed msDS-TrustForestTrustInfo Message". A similar conflict can arise for SID and NetBIOS namespaces. However, unlike SID and NetBIOS namespaces, we can solve DNS namespace conflict automatically if there are administrative credentials for example.org available. A manual sequence to solve the DNS namespace conflict is described in https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx. This sequence boils down to the following steps: 1. As an administrator of the example.org, you need to add an exclusion entry for ipa.example.com in the properties of the trust to example.com 2. Establish trust between ipa.example.com and example.org It is important to add the exclusion entry before step 4 or there will be conflict recorded which cannot be cleared easily right now due to a combination of bugs in both IPA and Active Directory. This patchset implements automated solution for the case when we have access to the example.org's administrator credentials: 1. Attempt to establish trust and update trust topology information. 2. If trust topology conflict is detected as result of (1): 2.1. Fetch trust topology infromation for the conflicting forest trust 2.2. Add exclusion entry to our domain to the trust topology obtained in (2.1) 2.3. Update trust topology for the conflicting forest trust 3. Re-establish trust between ipa.example.com and example.org We cannot do the same for shared secret trust and for external trust, though: 1. For shared secret trust we don't have administrative credentials in the forest reporting the conflict 2. For the external trust we cannot set topology information due to MS-LSAD 3.1.4.7.16 because external trust is non-transitive by definition and thus setting topology information will fail. To test this logic one can use two Samba AD forests with FreeIPA using a sub-domain of one of them. Fixes: https://fedorahosted.org/freeipa/ticket/6076 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> |
||
---|---|---|
.. | ||
__init__.py | ||
aci.py | ||
backend.py | ||
base.py | ||
capabilities.py | ||
certstore.py | ||
cli.py | ||
config.py | ||
constants.py | ||
crud.py | ||
dns.py | ||
errors.py | ||
frontend.py | ||
krb_utils.py | ||
Makefile | ||
messages.py | ||
output.py | ||
parameters.py | ||
pkcs10.py | ||
plugable.py | ||
request.py | ||
rpc.py | ||
setup.py.in | ||
text.py | ||
util.py | ||
x509.py |