Bug 1033068

Summary: Trust add tries to add same value of --base-id for sub domain, causing an error
Product: Red Hat Enterprise Linux 7 Reporter: Steeve Goveas <sgoveas>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.0CC: dpal, jgalipea, rcritten
Target Milestone: betaKeywords: TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.3.3-5.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 09:48:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Steeve Goveas 2013-11-21 14:01:20 UTC 
Description of problem:
Trust-add with --base-id tries to set the given base-id for the sub domain as well, causing an error.

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.3.3-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add trust with AD forest having a sub domain and use --base-id option

[root@rhel7-b ipa-trust-cli]# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@rhel7-b ipa-trust-cli]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 829600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-b ipa-trust-cli]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password --base-id 1511200000
Active directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.

[root@rhel7-b ipa-trust-cli]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1511200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 829600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@rhel7-b ipa-trust-cli]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
---------------------------- 

Actual results:
[root@rhel7-b ipa-trust-cli]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password --base-id 1511200000
Active directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.

Expected results:
No errors
Additional info:
Comment 1 Tomas Babej 2013-11-21 14:17:08 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4041
Comment 3 Steeve Goveas 2013-11-21 18:35:11 UTC 
Since a idrange for sub domains does not exist, it will lead to sub domain users being unable to use ipa resources. Is that right?
Can a idrange be added manually for the sub domain to work around this issue?
Comment 4 Martin Kosek 2013-11-22 07:52:38 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/63d4f306867095654d1b46c8731a95140a5126ce
ipa-3-3: https://fedorahosted.org/freeipa/changeset/ca11a28cab0d3bcc4b92187f50b8de4178da4fce
Comment 6 Steeve Goveas 2013-11-22 12:59:59 UTC 
[root@rhel7-b ~]# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@rhel7-b ~]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1794000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-b ~]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password --base-id 1511200000
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified


[root@rhel7-b ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1511200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1794000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

Verified in version ipa-server-3.3.3-5.el7.x86_64
Comment 7 Ludek Smid 2014-06-13 09:48:22 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.