[Freeipa-devel] [PATCH] 0144: trust: make sure we always discover topology of the forest trust

Martin Kosek mkosek at redhat.com
Thu Feb 27 13:13:17 UTC 2014


On 02/27/2014 01:43 PM, Alexander Bokovoy wrote:
> On Thu, 27 Feb 2014, Martin Kosek wrote:
>> On 02/27/2014 12:48 PM, Alexander Bokovoy wrote:
>>> Thanks to Martin for noticing we had been fetching information about
>>> subdomains only in case there is algorithmic ID mapping in use. Instead,
>>> we should always fetch the subdomains but create new ranges only for
>>> algorithmic case.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4205
>>>
>>
>> This works fine for the trustdomain part. However, we still create too many ID
>> ranges:
>>
>>
>> # ipa idrange-find
>> ----------------
>> 3 ranges matched
>> ----------------
>>  Range name: CHILD.TBAD.EXAMPLE.COM_id_range
>>  First Posix ID of the range: 161000000
>>  Number of IDs in the range: 200000
>>  First RID of the corresponding RID range: 0
>>  Domain SID of the trusted domain: S-1-5-21-972585150-1048339146-1910910075
>>  Range type: Active Directory domain range
>>
>>  Range name: IDM.LAB.BOS.REDHAT.COM_id_range
>>  First Posix ID of the range: 1258600000
>>  Number of IDs in the range: 200000
>>  First RID of the corresponding RID range: 1000
>>  First RID of the secondary RID range: 100000000
>>  Range type: local domain range
>>
>>  Range name: TBAD.EXAMPLE.COM_id_range
>>  First Posix ID of the range: 10000
>>  Number of IDs in the range: 200000
>>  First RID of the corresponding RID range: 0
>>  Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
>>  Range type: Active Directory trust range with POSIX attributes
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>> CHILD.TBAD.EXAMPLE.COM_id_range should not be here given this is a POSIX trust.
> 
> Yes. We tracked this down to wrong code in fetch_domains_from_trust()
> where instead of the final value we took a list that contained the value
> and compared it for inequality with a unicode value. Of course, the
> comparison always evaluated to true (a list is not a unicode object).
> 
> New patch is attached. It removes duplicated code from the trust-add as
> the same action (adding idranges for subdomains) is done in
> fetch_domains_from_trust().

Good, we have it now in just one place. Worked fine for me, thanks.

ACK. Pushed to master, ipa-3-3.

Martin
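
The class of bug Alexander describes above (a multi-valued LDAP attribute comes back as a Python list, and comparing that list against a unicode string for inequality is always True) is reproduced below as an added example. This is not FreeIPA's own code and not the attached patch: the attribute name, the range-type string values, the entries and the subdomain list are constructed assumptions for the example. It shows the buggy decision creating an ID range for a subdomain of a POSIX trust, as in the idrange-find output quoted above, beside a fixed version that always records the subdomains but creates ranges only for the algorithmic mapping case.

```python
# Added example (not FreeIPA's own code): reproduces the class of bug described
# in the thread. Multi-valued LDAP attributes arrive as Python lists, so comparing
# the list itself against a unicode string for inequality is always True. The
# attribute name, range-type values and entries below are assumptions.

# Range type identifiers as this example assumes they are stored.
AD_TRUST_RANGE = u'ipa-ad-trust'              # algorithmic (RID-based) ID mapping
AD_TRUST_POSIX_RANGE = u'ipa-ad-trust-posix'  # POSIX IDs come from AD attributes

# Constructed sample entries, in the attribute -> list-of-values shape an LDAP
# client returns them in.
POSIX_RANGE_ENTRY = {
    'cn': [u'TBAD.EXAMPLE.COM_id_range'],
    'ipaRangeType': [AD_TRUST_POSIX_RANGE],
}
ALGORITHMIC_RANGE_ENTRY = {
    'cn': [u'AD.EXAMPLE.COM_id_range'],
    'ipaRangeType': [AD_TRUST_RANGE],
}
SUBDOMAINS = [u'child.tbad.example.com']  # constructed forest member list


def range_name(domain):
    """Range name in the form the idrange-find output above shows."""
    return u'%s_id_range' % domain.upper()


def process_trust_buggy(range_entry, subdomains):
    """Buggy logic: compares the attribute value *list* to a unicode string.

    [u'ipa-ad-trust-posix'] != u'ipa-ad-trust-posix' is always True, so a range
    is created for every subdomain, including under a POSIX trust.
    """
    trustdomains = list(subdomains)
    if range_entry['ipaRangeType'] != AD_TRUST_POSIX_RANGE:
        new_ranges = [range_name(d) for d in subdomains]
    else:
        new_ranges = []
    return trustdomains, new_ranges


def single_value(entry, attr):
    """Take the one value of an attribute; fail loudly on any other shape
    instead of silently comparing a list to a string."""
    values = entry.get(attr, [])
    if len(values) != 1:
        raise ValueError('%s: expected exactly one value, got %r' % (attr, values))
    return values[0]


def process_trust_fixed(range_entry, subdomains):
    """Fixed logic: always record the subdomains, create ID ranges only when
    the parent range uses algorithmic mapping."""
    trustdomains = list(subdomains)
    range_type = single_value(range_entry, 'ipaRangeType')
    if range_type == AD_TRUST_RANGE:
        new_ranges = [range_name(d) for d in subdomains]
    else:
        new_ranges = []
    return trustdomains, new_ranges


if __name__ == '__main__':
    for label, fn in (('buggy', process_trust_buggy), ('fixed', process_trust_fixed)):
        domains, ranges = fn(POSIX_RANGE_ENTRY, SUBDOMAINS)
        print('%s: trustdomains=%r new ranges=%r' % (label, domains, ranges))
```

The fixed version tests for equality with the algorithmic range type rather than inequality with the POSIX one, so an unexpected or misspelled range type does not quietly fall into the range-creating branch either.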



