[Freeipa-devel] [PATCH] 0144: trust: make sure we always discover topology of the forest trust

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 27 12:43:12 UTC 2014


On Thu, 27 Feb 2014, Martin Kosek wrote:
>On 02/27/2014 12:48 PM, Alexander Bokovoy wrote:
>> Thanks to Martin for noticing we had been fetching information about
>> subdomains only in case there is algorithmic ID mapping in use. Instead,
>> we should always fetch the subdomains but create new ranges only for
>> algorithmic case.
>>
>> https://fedorahosted.org/freeipa/ticket/4205
>>
>
>This works fine for the trustdomain part. However, we still create too many ID
>ranges:
>
>
># ipa idrange-find
>----------------
>3 ranges matched
>----------------
>  Range name: CHILD.TBAD.EXAMPLE.COM_id_range
>  First Posix ID of the range: 161000000
>  Number of IDs in the range: 200000
>  First RID of the corresponding RID range: 0
>  Domain SID of the trusted domain: S-1-5-21-972585150-1048339146-1910910075
>  Range type: Active Directory domain range
>
>  Range name: IDM.LAB.BOS.REDHAT.COM_id_range
>  First Posix ID of the range: 1258600000
>  Number of IDs in the range: 200000
>  First RID of the corresponding RID range: 1000
>  First RID of the secondary RID range: 100000000
>  Range type: local domain range
>
>  Range name: TBAD.EXAMPLE.COM_id_range
>  First Posix ID of the range: 10000
>  Number of IDs in the range: 200000
>  First RID of the corresponding RID range: 0
>  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
>  Range type: Active Directory trust range with POSIX attributes
>----------------------------
>Number of entries returned 3
>----------------------------
>
>CHILD.TBAD.EXAMPLE.COM_id_range should not be here given this is a POSIX trust.

Yes. We tracked this down to wrong code in fetch_domains_from_trust()
where, instead of the final value, we took a list that contained the value
and compared it for inequality with a unicode value. Of course, the
comparison always evaluated to true (a list is not a unicode object).

A new patch is attached. It removes duplicated code from trust-add, as
the same action (adding idranges for subdomains) is done in
fetch_domains_from_trust().


-- 
/ Alexander Bokovoy
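As an added illustration (not code from the patch or from FreeIPA), the comparison bug described above, using a constructed stand-in for the `raw=True` idrange entry; the range type `ipa-ad-trust` in the sample entries is assumed to be the non-POSIX counterpart of `ipa-ad-trust-posix`:

```python
# Range type compared in fetch_domains_from_trust(); the value is the one
# shown in the patch context.
POSIX_TRUST_RANGE = u'ipa-ad-trust-posix'


def raw_idrange_entry(range_type):
    # Constructed stand-in for api.Command.idrange_show(name, raw=True)['result']:
    # with raw=True every attribute, even a single-valued one, is a list.
    return {'cn': [u'TBAD.EXAMPLE.COM_id_range'], 'iparangetype': [range_type]}


def needs_subdomain_ranges_buggy(old_range):
    # Pre-patch logic: the whole list is compared with a unicode string.
    # A list is never equal to a string, so this is True for every range type,
    # which is how a POSIX trust ended up with extra subdomain ranges.
    idrange_type = old_range['iparangetype']
    return idrange_type != POSIX_TRUST_RANGE


def single_value(entry, attr):
    # Return the sole value of a single-valued raw attribute, or None when the
    # attribute is missing or empty (the case a bare [0] would turn into IndexError).
    values = entry.get(attr) or []
    if len(values) != 1:
        return None
    return values[0]


def needs_subdomain_ranges_fixed(old_range):
    # Post-patch logic, written defensively: only an algorithmic (non-POSIX)
    # range type gets per-subdomain ID ranges; a malformed entry gets none.
    idrange_type = single_value(old_range, 'iparangetype')
    if idrange_type is None:
        return False
    return idrange_type != POSIX_TRUST_RANGE
```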
-------------- next part --------------
From 538812b7efa90556a6ccbc72fabeddeaca51c27d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 27 Feb 2014 13:43:17 +0200
Subject: [PATCH 8/8] trust: make sure we always discover topology of the
 forest trust

Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch the
list of subdomains in all other cases.

https://fedorahosted.org/freeipa/ticket/4205
---
 ipalib/plugins/trust.py | 37 ++++++-------------------------------
 1 file changed, 6 insertions(+), 31 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index bd71253..f2b00a6 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -458,38 +458,13 @@ sides.
 
         result['result'] = entry_to_dict(trusts[0][1], **options)
 
-        # For AD trusts with algorithmic mapping, we need to add a separate
-        # range for each subdomain.
-        if (options.get('trust_type') == u'ad' and
-            created_range_type != u'ipa-ad-trust-posix'):
-
+        # Fetch topology of the trust forest -- we need always to do it
+        # for AD trusts, regardless of the type of idranges associated with it
+        # Note that fetch_domains_from_trust will add needed ranges for
+        # the algorithmic ID mapping case.
+        if options.get('trust_type') == u'ad':
             domains = fetch_domains_from_trust(self, self.trustinstance,
                                                result['result'], **options)
-            if domains and len(domains) > 0:
-                for dom in domains:
-                    range_name = dom['cn'][0].upper() + '_id_range'
-                    dom_sid = dom['ipanttrusteddomainsid'][0]
-
-                    # Enforce the same range type as the range for the root
-                    # level domain.
-
-                    # This will skip the detection of the POSIX attributes if
-                    # they are not available, since it has been already
-                    # detected when creating the range for the root level domain
-                    passed_options = options
-                    passed_options.update(range_type=created_range_type)
-
-                    # Do not pass the base id to the subdomains since it would
-                    # clash with the root level domain
-                    if 'base_id' in passed_options:
-                        del passed_options['base_id']
-
-                    # Try to add the range for each subdomain
-                    try:
-                        add_range(self, range_name, dom_sid, *keys,
-                                  **passed_options)
-                    except errors.DuplicateEntry:
-                        pass
 
         # Format the output into human-readable values
         result['result']['trusttype'] = [trust_type_string(
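Review bot: with the loop removed, `domains` (assigned at `domains = fetch_domains_from_trust(...)`) is no longer used anywhere in this hunk, so either drop the assignment or consume the return value. The deleted block also did two things the new comment does not mention: it forced `range_type=created_range_type` on each subdomain range and removed `base_id` from the options so a subdomain range could not clash with the root domain's range; since neither is visible in this diff, please confirm fetch_domains_from_trust() reproduces both before relying on it. Minor: the comment reads better as "we always need to do it".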
@@ -1270,7 +1245,7 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
     # trust range must exist by the time fetch_domains_from_trust is called
     range_name = trust_name.upper() + '_id_range'
     old_range = api.Command.idrange_show(range_name, raw=True)['result']
-    idrange_type = old_range['iparangetype']
+    idrange_type = old_range['iparangetype'][0]
 
     for dom in domains:
         dom['trust_type'] = u'ad'
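Review bot: `idrange_type = old_range['iparangetype'][0]` is the right fix for the list-vs-unicode comparison described in the reply (with `raw=True` every attribute value comes back as a list), but a one-line comment saying so would keep the next reader from "simplifying" the `[0]` away again. Note the failure mode also changes: a missing or empty `iparangetype` now raises IndexError where the old code silently compared the wrong way, so consider handling that case explicitly rather than letting it surface as a traceback from trust-add.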
-- 
1.8.3.1
