The realm domain list can contain a rogue domain, i.e. a domain controlled by AD. Trust won't work in that case. It can happen if a host which belongs to an AD domain is added to the IPA server, see #4798.
The IPA server should check whether it contains such a domain before establishing the trust.
This check is limited to the case where the trust is established using a shared secret, because IPA lacks the credentials to ask AD for the list of its domains. Thus the only thing known, which should be checked, is the forest root DNS domain.
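The pre-flight check the ticket asks for, written here as a stand-alone added example (not FreeIPA's own code): normalize the forest root DNS domain and the realm's domain entries the same way, then refuse the trust when the forest root is already listed. The function names and the sample domain list are constructed for the example.

```python
# Added example, not FreeIPA code: reject a trust when the AD forest root
# DNS domain is already present in the IPA realm domain list.


def normalize_dns_domain(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and the trailing
    root dot, so that 'AD.EXAMPLE.TEST.' compares equal to 'ad.example.test'."""
    return name.strip().rstrip(".").lower()


def find_conflicting_realm_domain(realm_domains, forest_root):
    """Return the realm-domain entry that matches the AD forest root DNS
    domain, or None when there is no conflict.

    realm_domains: the IPA realm's domain list (as shown by
    `ipa realmdomains-show`); forest_root: the trusted forest's root DNS
    domain, the only AD domain known when the trust uses a shared secret.
    """
    wanted = normalize_dns_domain(forest_root)
    for entry in realm_domains:
        if normalize_dns_domain(entry) == wanted:
            return entry
    return None


def check_trust_preconditions(realm_domains, forest_root):
    """Raise ValueError if the forest root is already a realm domain;
    return True when the trust may proceed."""
    conflict = find_conflicting_realm_domain(realm_domains, forest_root)
    if conflict is not None:
        raise ValueError(
            f"cannot establish trust: {forest_root!r} is already an IPA realm "
            f"domain ({conflict!r}); remove the rogue domain first")
    return True


# Constructed sample: a realm list polluted by an AD-joined host's domain.
SAMPLE_REALM_DOMAINS = ["ipa.example.test", "AD.EXAMPLE.TEST."]

if __name__ == "__main__":
    try:
        check_trust_preconditions(SAMPLE_REALM_DOMAINS, "ad.example.test")
    except ValueError as exc:
        print(exc)
```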
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1170770 (Red Hat Enterprise Linux 7)
Should be done together with #4798.
This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.2.1