ipaserver/dcerpc.py: handle indirect topology conflicts #2071
Note that the original bug https://bugzilla.redhat.com/show_bug.cgi?id=1533803 has some unrelated misconfiguration issue which prevented tests from performing properly. However, its log actually showed this bug, which I didn't notice originally due to that unrelated misconfiguration.
ipaserver/dcerpc.py
Outdated
for e in dominfo.entries: | ||
e1 = lsa.ForestTrustRecord() | ||
e1.type = e.type | ||
e1.flags = e.flags | ||
e1.time = e.time | ||
e1.forest_trust_data = e.forest_trust_data | ||
try: |
(nitpicking) my humble suggestion to improve readability:
is_our_record = False  # or even is_conflicting = False
# ...
for record in another_domain.ftinfo_records:
    if record['rec_name'] == e.forest_trust_data.string:
        is_our_record = True
        break
if is_our_record:
    # ...
When AD forest A has a trust with a forest B that claims ownership of a domain name (TLN) owned by an IPA forest, we need to build exclusion record for that specific TLN, not our domain name. Use realmdomains to find a correct exclusion entry to build. Fixes: https://pagure.io/freeipa/issue/7370
@netoarmando thanks, I've updated the code to follow your suggestion and added a few more comments.
Yeah, that's much more readable. Thanks!
ipaserver/dcerpc.py
Outdated
in another_domain.ftinfo_records | ||
if (x['rec_name'] == | ||
e.forest_trust_data.string)) | ||
except StopIteration: |
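Review bot: the `except StopIteration:` closing this hunk turns "no record in `another_domain.ftinfo_records` matches `e.forest_trust_data.string`" into an exception path, and the condition split over three lines above it is hard to scan. If the generator is consumed with `next()`, pass a default such as `None` and test for it, or use an explicit loop with `break`, so the no-match case is visible where the lookup happens. A short comment stating that a match means the other forest claims this name, and that an exclusion record is built for it, would also help.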
This code block is hard to understand. After a couple of minutes, I'm still not sure that I got it right. Is it equivalent to this code?
for record in another_domain.ftinfo_records:
    if record['rec_name'] == e.forest_trust_data.string:
        our_record = record
        e1.type = lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX
        e1.flags = 0
        e1.time = trust_timestamp
        break
master:
When AD forest A has a trust with a forest B that claims ownership of a domain name (TLN) owned by an IPA forest, we need to build exclusion record for that specific TLN, not our domain name.
Use realmdomains to find a correct exclusion entry to build, not just using our own domain name.
Fixes: https://pagure.io/freeipa/issue/7370