Bug 1270294

Summary: ipa trust-add : Constraint violation: New base range overlaps with existing base range
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: abokovoy, ksiddiqu, pvoborni, rcritten, tbabej, theophanis_kontogiannis
Target Milestone: rc
Keywords: TestBlocker
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-10-12 16:16:57 UTC
Type: Bug
Attachments: Dirsrv logs, httpd logs, install logs. (flags: none)

Description Sudhir Menon 2015-10-09 14:17:12 UTC
Created attachment 1081359 [details]
Dirsrv logs, httpd logs, install logs.

Description of problem: "Constraint violation: New base range overlaps with existing base range" when trust is being added.


Version-Release number of selected component (if applicable):
[root@ipa01 ~]# rpm -qa | grep ipa-server
ipa-server-dns-4.2.0-13.el7.x86_64
ipa-server-trust-ad-4.2.0-13.el7.x86_64
ipa-server-4.2.0-13.el7.x86_64
sssd-1.13.0-39.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Install IPA server
2. Make sure that there is no trust already existing with the same domain.
3. Make sure that the AD trusts tab doesn't list the IPA realm as existing trust.
4. Now establish trust using the below command.
#ipa trust-add --range-type=ipa-ad-trust-posix 


Actual results:

1. [root@ipa01 ~]# ipa trust-add --range-type=ipa-ad-trust-posix
Realm name: TEST.IN
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.

2. [root@ipa01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.in
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-742749997-2996825573-4184801258
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

3. [root@ipa01 ~]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: LABS01.TEST_id_range
  First Posix ID of the range: 338600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

4. labs01.test is listed under the Trusts Tab in AD 

5. Removed labs01.test from the trusts tab in AD and then tried doing a trust-add without posix as well, and that too gives the same error.

[root@ipa01 ~]# ipa trust-del
Realm name: TEST.IN
-----------------------
Deleted trust "TEST.IN"
-----------------------

[root@ipa01 ~]# ipa trust-add
Realm name: TEST.IN
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.

Expected results: The trust should get added successfully without any error.

Additional info: This issue is seen lately. Just to ensure, I did install/uninstall IPA server on the test machine and also ensured that the IPA domain is removed from the trust tab and the idrange for the trusted domain is deleted prior to adding it again as a trusted domain.

Comment 4 Tomas Babej 2015-10-09 16:29:54 UTC
This looks like a misconfiguration to me. There should not be a situation where you have a trust established but the corresponding range does not exist anymore.

Note that in step 5, deletion of the trust is not enough, you also have to delete the corresponding range.

Can you please repeat the steps below on a clean machine?

1. Run ipa-server-install
2. Run ipa-adtrust-install
3. Make sure there are no stale ipa range objects (only the local range expected)
4. Make sure there are no trusts
5. Run ipa trust-add

Comment 5 Sudhir Menon 2015-10-12 06:25:18 UTC
Tomas,

I am able to reproduce the issue; it seems that the range is not getting added for the trusted domain, but trust-find lists the domain as added.

Is it because of the WARNING message seen while running ipa-adtrust-install?

[root@ipa01 ~]# ipa-adtrust-install 
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.
Do you want to enable support for trusted domains in Schema Compatibility plugin? This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
admin password: 

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.

NetBIOS domain name [LABS01]: 

WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.  <=======

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: stopping smbd
  [2/23]: creating samba domain object
  [3/23]: creating samba config registry
  [4/23]: writing samba config file
  [5/23]: adding cifs Kerberos principal
  [6/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/23]: check for cifs services defined on other replicas
  [8/23]: adding cifs principal to S4U2Proxy targets
  [9/23]: adding admin(group) SIDs
  [10/23]: adding RID bases
  [11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/23]: activating CLDAP plugin
  [13/23]: activating sidgen task
  [14/23]: configuring smbd to start on boot
  [15/23]: adding special DNS service records
  [16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: enabling oddjobd
  [22/23]: starting CIFS services
  [23/23]: adding SIDs to existing users and groups
Done configuring CIFS.

=============================================================================
Setup complete


1. [root@ipa01 ~]# ipa trust-add --range-type=ipa-ad-trust-posix
Realm name: TEST.IN
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.

2. Domain added is listed in trust-find command.
[root@ipa01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.in
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-742749997-2996825573-4184801258
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

3.  The posix range for the trusted domain is not listed in idrange-find command.

[root@ipa01 ~]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: LABS01.TEST_id_range
  First Posix ID of the range: 400600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

4. Please note that labs01.test domain is listed in Trusts Tab in Windows AD.

Comment 6 Alexander Bokovoy 2015-10-12 10:02:29 UTC
No, it is because you have local domain range misconfigured and Active Directory has the same range occupied for the POSIX attributes. Fix your local misconfiguration first, then try to establish trust.

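The constraint behind the error in comments 4 and 6 is that every ID range IPA knows about, local or trusted, must be disjoint as a half-open interval [first POSIX ID, first POSIX ID + size), and the range that trust-add derives from AD's POSIX attributes is checked against the existing ones. The following is an added example, not part of the bug report or of FreeIPA's own code: it parses the `ipa idrange-find` output shown in comment 7 (embedded as constructed sample input) and reports which existing ranges a candidate range would collide with, so the overlap can be found before running `ipa trust-add`.

```python
import re

# Constructed sample input: the `ipa idrange-find` output from comment 7 of this bug.
IDRANGE_FIND_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory trust range with POSIX attributes

  Range name: LABS02.TEST_id_range
  First Posix ID of the range: 1663400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_idranges(text):
    """Turn the human-readable `ipa idrange-find` listing into a list of dicts."""
    ranges, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:  # separator lines and the "matched"/"returned" summaries carry no colon
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Range name":  # each range entry starts with its name
            current = {"name": value}
            ranges.append(current)
        elif current is not None and key == "First Posix ID of the range":
            current["base"] = int(value)
        elif current is not None and key == "Number of IDs in the range":
            current["size"] = int(value)
        elif current is not None and key == "Range type":
            current["type"] = value
    return ranges


def overlapping(base, size, ranges):
    """Names of existing ranges whose [base, base+size) intersects the candidate range."""
    lo, hi = base, base + size
    return [r["name"] for r in ranges if lo < r["base"] + r["size"] and r["base"] < hi]
```

A non-empty result for the candidate range AD advertises is exactly the situation that makes trust-add stop with "New base range overlaps with existing base range"; the fix, as comment 6 says, is to move the local range, not to retry the trust.
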
Comment 7 Sudhir Menon 2015-10-12 11:44:28 UTC
Environment issue with AD on my test environment which created the above problem.
I tried with a different Active Directory test domain and it's working.


[root@ipa02 ~]# ipa trust-add
Realm name: ADLABS.COM
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
---------------------------------------------------
Added Active Directory trust for realm "adlabs.com"
---------------------------------------------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
                          S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19,
                          S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
                          S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19,
                          S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@ipa02 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory trust range with POSIX attributes

  Range name: LABS02.TEST_id_range
  First Posix ID of the range: 1663400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------


[root@ipa02 ~]# ipa trust-add --range-type=ipa-ad-trust-posix --all
Realm name: ADTEST.QE
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  dn: cn=adtest.qe,cn=ad,cn=trusts,dc=labs02,dc=test
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
                          S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19,
                          S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17,
                          S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19,
                          S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
  ipantsecurityidentifier: S-1-5-21-1833836562-2148201194-3949243355-1010
  ipantsupportedencryptiontypes: 28
  ipanttrustattributes: 8
  ipanttrustdirection: 1
  ipanttrustpartner: adtest.qe
  ipanttrustposixoffset: 0
  ipanttrusttype: 2
  objectclass: top, ipaNTTrustedDomain, ipaIDobject
  uidnumber: 1663400010