Bug 907918

Summary: secondary-rid-range overlap should be checked only for local domain ranges
Product: Red Hat Enterprise Linux 7
Reporter: Ann Marie Rubin <arubin>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: medium
Version: 7.0
CC: jgalipea, mkosek, nsoman, sgoveas
Target Milestone: rc
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:20:20 UTC

Description Ann Marie Rubin 2013-02-05 14:22:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3391

A secondary RID range cannot be specified when adding an ID range for a trusted domain. However, the secondary RID range overlap check is performed on them. This causes an error when adding a second ID range for a trusted domain.


{{{
[tbabej@vm-073 freeipa]$ ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IPA.ADTEST.EXAMPLE.COM_id_range
  First Posix ID of the range: 1768600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: ADTEST.EXAMPLE.COM_id_range
  First Posix ID of the range: 1310800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-4020879869-1603628879-716353140
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[tbabej@vm-073 freeipa]$ ipa idrange-add test1 --dom-name=adtest.example.com --rid-base=500 --base-id=50 --range-size=5
----------------------
Added ID range "test1"
----------------------
  Range name: test1
  First Posix ID of the range: 50
  Number of IDs in the range: 5
  First RID of the corresponding RID range: 500
  Domain SID of the trusted domain: S-1-5-21-4020879869-1603628879-716353140
  Range type: Active Directory domain range
[tbabej@vm-073 freeipa]$ ipa idrange-add test2 --dom-name=adtest.example.com --rid-base=600 --base-id=60 --range-size=5 
ipa: ERROR: Constraint violation: New secondary rid range overlaps with existing secondary rid range.
[tbabej@vm-073 freeipa]$
}}}

Effectively, this means we can have only one ID range per trusted domain defined.
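
An added example (not FreeIPA's code and not part of the original report) of the rule in the bug summary: every new range is checked for POSIX ID overlap, but the secondary RID overlap check runs only when both ranges are local domain ranges. Class and function names are hypothetical, the first four ranges are taken from the `ipa idrange-find` and `ipa idrange-add` output above, `local2` and `clash` are constructed, and the POSIX overlap message wording is invented here.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL = "local domain range"
AD_TRUST = "Active Directory domain range"

@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    rid_base: int
    range_type: str
    secondary_rid_base: Optional[int] = None  # absent on trusted-domain ranges

def overlaps(a_start, b_start, a_size, b_size):
    """True if half-open intervals [start, start + size) intersect."""
    return a_start < b_start + b_size and b_start < a_start + a_size

def check_new_range(existing, new):
    """Return an error string, or None if `new` may be added."""
    for old in existing:
        if overlaps(new.base_id, old.base_id, new.size, old.size):
            return f"POSIX ID range overlaps with {old.name}"
        # Only local ranges carry a secondary RID base. Comparing an absent
        # attribute (for instance defaulted to 0) would make any two
        # trusted-domain ranges look like they collide at [0, size).
        if new.range_type == LOCAL and old.range_type == LOCAL:
            a, b = new.secondary_rid_base, old.secondary_rid_base
            if a is not None and b is not None and overlaps(a, b, new.size, old.size):
                return "New secondary rid range overlaps with existing secondary rid range."
    return None

def add_all(existing, candidates):
    """Try candidates in order; accepted ones join the set. Returns {name: error}."""
    accepted, results = list(existing), {}
    for cand in candidates:
        results[cand.name] = check_new_range(accepted, cand)
        if results[cand.name] is None:
            accepted.append(cand)
    return results

EXISTING = [  # from the idrange-find output in the description
    IdRange("IPA.ADTEST.EXAMPLE.COM_id_range", 1768600000, 200000, 1000, LOCAL, 100000000),
    IdRange("ADTEST.EXAMPLE.COM_id_range", 1310800000, 200000, 0, AD_TRUST),
]
CANDIDATES = [
    IdRange("test1", 50, 5, 500, AD_TRUST),                  # from the report
    IdRange("test2", 60, 5, 600, AD_TRUST),                  # from the report
    IdRange("local2", 5000, 1000, 2000, LOCAL, 100000500),   # constructed
    IdRange("clash", 52, 5, 700, AD_TRUST),                  # constructed
]
```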

Comment 2 RHEL Program Management 2013-02-12 18:36:40 UTC
Quality Engineering Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 8 Steeve Goveas 2014-01-06 11:47:57 UTC
[root@dhcp207-43 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1741800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

[root@dhcp207-43 ~]# ipa idrange-add test1 --dom-name=pune.adtest.qe --rid-base=500 --base-id=50 --range-size=5
----------------------
Added ID range "test1"
----------------------
  Range name: test1
  First Posix ID of the range: 50
  Number of IDs in the range: 5
  First RID of the corresponding RID range: 500
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

[root@dhcp207-43 ~]# ipa idrange-add test2 --dom-name=pune.adtest.qe --rid-base=600 --base-id=60 --range-size=5
----------------------
Added ID range "test2"
----------------------
  Range name: test2
  First Posix ID of the range: 60
  Number of IDs in the range: 5
  First RID of the corresponding RID range: 600
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

Verified in Version

[root@dhcp207-43 ~]# rpm -q ipa-server
ipa-server-3.3.3-8.el7.x86_64

Comment 9 Ludek Smid 2014-06-13 12:20:20 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.