mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
6c9fcccfbc
Since we are authenticating against AD DC before talking to it (by using trusted domain object's credentials), we need to override krb5.conf configuration in case --server option is specified.

The context is a helper which is launched out of process with the help of oddjobd. The helper takes existing trusted domain object, uses its credentials to authenticate and then runs LSA RPC calls against that trusted domain's domain controller. Previous code directed Samba bindings to use the correct domain controller. However, if a DC visible to MIT Kerberos is not reachable, we would not be able to obtain TGT and the whole process will fail.

trust_add.execute() was calling out to the D-Bus helper without passing the options (e.g. --server) so there was no chance to get that option visible by the oddjob helper.

Also we need to make errors in the oddjob helper more visible to error_log. Thus, move error reporting for a normal communication up from the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>

etc
com.redhat.idm.trust-fetch-domains.in
Makefile.am
org.freeipa.server.conncheck