[Freeipa-devel] [Trusts] Admin enforcing POSIX range when it's not being detected

Tomas Babej tbabej at redhat.com
Mon Jan 20 15:20:10 UTC 2014


Hey!

Let us discuss which behaviour we should take with the trust-add command.

Currently, if you run:

$ ipa trust-add --type ad <host>

Range type (POSIX or non-POSIX) is being detected automatically.

However, if you run:

$ ipa trust-add --type ad <host> --range-type=ipa-ad-trust-posix

You override the detection of the SFU support on the AD. This is not a
problem when you have an AD with POSIX support, and you try to enforce a
non-posix range type.

However, if you *think* you have SFU up and running, but you don't (or
we just can't access the information for whatever reason), you end up
enforcing POSIX range type while not defining any of the expected
attributes.

Currently, not defining base_id simply means you will have one generated
from SID. So you end up with a posix range like this one:

 Range name: ADPOSIX.QE_id_range
 First Posix ID of the range: *280400000*
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-3655340000-3880942204-3419777279
 Range type: Active Directory trust range *with POSIX attributes*

The question is, what position should we take?

1.) Are we going to stick with the defaults established by AD?
(base_id: 10000)
2.) Or are we going to bail out in this case and report an error?

Tomas



