freeipa/install/oddjob
Alexander Bokovoy 6c9fcccfbc trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against the AD DC before talking to it (by using
the trusted domain object's credentials), we need to override krb5.conf
configuration in case the --server option is specified.

The context is a helper which is launched out of process with the help
of oddjobd. The helper takes an existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain a TGT and
the whole process would fail.

trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible to the oddjob helper.

Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-28 13:30:59 +02:00
etc Debian: auto-generate config files for oddjobd 2019-04-24 14:08:20 +02:00
com.redhat.idm.trust-fetch-domains.in trust-fetch-domains: make sure we use right KDC when --server is specified 2019-06-28 13:30:59 +02:00
Makefile.am Debian: auto-generate config files for oddjobd 2019-04-24 14:08:20 +02:00
org.freeipa.server.conncheck Do not log to file in remote conncheck side 2016-07-01 09:05:33 +02:00