| Summary: | Trust add tries to add same value of --base-id for sub domain, causing an error | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.0 | CC: | dpal, jgalipea, rcritten |
| Target Milestone: | beta | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-3.3.3-5.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 09:48:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4041

Since an idrange for sub domains does not exist, it will lead to sub domain users being unable to use ipa resources. Is that right? Can an idrange be added manually for the sub domain to work around this issue?

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/63d4f306867095654d1b46c8731a95140a5126ce
ipa-3-3: https://fedorahosted.org/freeipa/changeset/ca11a28cab0d3bcc4b92187f50b8de4178da4fce

[root@rhel7-b ~]# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------
[root@rhel7-b ~]# ipa idrange-find
---------------
1 range matched
---------------
Range name: TESTRELM.COM_id_range
First Posix ID of the range: 1794000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
[root@rhel7-b ~]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password --base-id 1511200000
Active directory domain administrator's password:
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
[root@rhel7-b ~]# ipa idrange-find
----------------
3 ranges matched
----------------
Range name: ADTEST.QE_id_range
First Posix ID of the range: 1511200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
Range type: Active Directory domain range
Range name: PUNE.ADTEST.QE_id_range
First Posix ID of the range: 839000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
Range type: Active Directory domain range
Range name: TESTRELM.COM_id_range
First Posix ID of the range: 1794000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------
Verified in version ipa-server-3.3.3-5.el7.x86_64
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Description of problem:
Trust-add with --base-id tries to set the given base-id for the sub domain as well, causing an error.

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.3.3-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add trust with AD forest having a sub domain and use --base-id option

[root@rhel7-b ipa-trust-cli]# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------
[root@rhel7-b ipa-trust-cli]# ipa idrange-find
---------------
1 range matched
---------------
Range name: TESTRELM.COM_id_range
First Posix ID of the range: 829600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
[root@rhel7-b ipa-trust-cli]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password --base-id 1511200000
Active directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.
[root@rhel7-b ipa-trust-cli]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: ADTEST.QE_id_range
First Posix ID of the range: 1511200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
Range type: Active Directory domain range
Range name: TESTRELM.COM_id_range
First Posix ID of the range: 829600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
[root@rhel7-b ipa-trust-cli]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

Actual results:
[root@rhel7-b ipa-trust-cli]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password --base-id 1511200000
Active directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.

Expected results:
No errors

Additional info:
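
The failure reported above, as an added example (not FreeIPA code and not part of the bug report): a parser for the `ipa idrange-find` text shown on this page plus an overlap check, showing why one --base-id applied to both the forest root and its sub domain conflicts. The function names are hypothetical, and the half-open interval test is an assumption about what counts as an overlap, not FreeIPA's own check.

```python
# Constructed from the `ipa idrange-find` output in the report
# (state after the failed trust-add).
SAMPLE = """\
----------------
2 ranges matched
----------------
Range name: ADTEST.QE_id_range
First Posix ID of the range: 1511200000
Number of IDs in the range: 200000
Range type: Active Directory domain range
Range name: TESTRELM.COM_id_range
First Posix ID of the range: 829600000
Number of IDs in the range: 200000
Range type: local domain range
"""

FIELDS = {"First Posix ID of the range": "base", "Number of IDs in the range": "size"}

def parse_idranges(text):
    """Parse idrange-find text into [{'name', 'base', 'size'}]; skip incomplete entries."""
    ranges, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # separator rows and the "N ranges matched" banner
        if key == "Range name":
            cur = {"name": value}
            ranges.append(cur)
        elif key in FIELDS and cur is not None:
            cur[FIELDS[key]] = int(value)
    return [r for r in ranges if "base" in r and "size" in r]

def overlapping(ranges, base, size):
    """Names of ranges sharing at least one POSIX ID with [base, base + size)."""
    return [r["name"] for r in ranges
            if base < r["base"] + r["size"] and r["base"] < base + size]

def plan_conflicts(existing, planned):
    """Check planned (name, base, size) ranges in order, each against the existing
    ranges plus the planned ones already accepted. Returns {name: [conflicts]}."""
    known, conflicts = list(existing), {}
    for name, base, size in planned:
        hits = overlapping(known, base, size)
        if hits:
            conflicts[name] = hits
        else:
            known.append({"name": name, "base": base, "size": size})
    return conflicts

if __name__ == "__main__":
    local = [r for r in parse_idranges(SAMPLE) if r["name"] == "TESTRELM.COM_id_range"]
    # Root domain and sub domain both given --base-id 1511200000, as in the report.
    print(plan_conflicts(local, [("ADTEST.QE_id_range", 1511200000, 200000),
                                 ("PUNE.ADTEST.QE_id_range", 1511200000, 200000)]))
```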