[Freeipa-devel] [PATCH] 0144: trust: make sure we always discover topology of the forest trust
Martin Kosek
mkosek at redhat.com
Thu Feb 27 13:13:17 UTC 2014
On 02/27/2014 01:43 PM, Alexander Bokovoy wrote:
> On Thu, 27 Feb 2014, Martin Kosek wrote:
>> On 02/27/2014 12:48 PM, Alexander Bokovoy wrote:
>>> Thanks to Martin for noticing we had been fetching information about
>>> subdomains only in case there is algorithmic ID mapping in use. Instead,
>>> we should always fetch the subdomains but create new ranges only for
>>> algorithmic case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4205
>>>
>>
>> This works fine for the trustdomain part. However, we still create too many ID
>> ranges:
>>
>>
>> # ipa idrange-find
>> ----------------
>> 3 ranges matched
>> ----------------
>> Range name: CHILD.TBAD.EXAMPLE.COM_id_range
>> First Posix ID of the range: 161000000
>> Number of IDs in the range: 200000
>> First RID of the corresponding RID range: 0
>> Domain SID of the trusted domain: S-1-5-21-972585150-1048339146-1910910075
>> Range type: Active Directory domain range
>>
>> Range name: IDM.LAB.BOS.REDHAT.COM_id_range
>> First Posix ID of the range: 1258600000
>> Number of IDs in the range: 200000
>> First RID of the corresponding RID range: 1000
>> First RID of the secondary RID range: 100000000
>> Range type: local domain range
>>
>> Range name: TBAD.EXAMPLE.COM_id_range
>> First Posix ID of the range: 10000
>> Number of IDs in the range: 200000
>> First RID of the corresponding RID range: 0
>> Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
>> Range type: Active Directory trust range with POSIX attributes
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>> CHILD.TBAD.EXAMPLE.COM_id_range should not be here given this is a POSIX trust.
>
> Yes. We tracked this down to wrong code in fetch_domains_from_trust()
> where instead of a final value we took a list that contained the value
> and compared it for inequality with a unicode value. Of course, the
> comparison always evaluated to true (a list is not a unicode object).
>
> New patch is attached. It removes duplicated code from the trust-add as
> the same action (adding idranges for subdomains) is done in
> fetch_domains_from_trust().
Good, we have it now in just one place. Worked fine for me, thanks.
ACK. Pushed to master, ipa-3-3.
Martin