Red Hat Bugzilla – Bug 1058780
Missing checks during ipa idrange-add
Last modified: 2015-03-05 05:10:18 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4137

With the following existing idrange

{{{
# ipa idrange-show AD18.IPA18.DEVEL_id_range
  Range name: AD18.IPA18.DEVEL_id_range
  First Posix ID of the range: 1670800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range
}}}

I can add the following two idranges

{{{
# ipa idrange-add test-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201
---------------------------
Added ID range "test-range"
---------------------------
  Range name: test-range
  First Posix ID of the range: 123456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range
}}}

and

{{{
# ipa idrange-add test-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201 --type=ipa-ad-trust-posix
----------------------------
Added ID range "test-range2"
----------------------------
  Range name: test-range2
  First Posix ID of the range: 223456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 1
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory trust range with POSIX attributes
}}}

Both should not be possible. In the first case the RID ranges overlap: since the first RID in the existing idrange is 0 and the size is 200000, the first available RID range can start at 200000. In the second case (besides the RID issue) an idrange with a different type was added.

Both collisions should be detected and the creation of the new idrange rejected, preferably by the DS plugin which detects the other idrange collisions.
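The two checks requested in the description, plus the `rid-base` rule seen in the verification output, sketched as an added example (not FreeIPA's or the DS plugin's code). `IdRange`, `overlaps` and `check_new_range` are hypothetical names; `ipa-ad-trust` is assumed as the type identifier behind "Active Directory domain range", and `ok-range` is a constructed entry.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    dom_sid: str
    range_type: str                 # "ipa-ad-trust" or "ipa-ad-trust-posix"
    rid_base: Optional[int] = None

def overlaps(start_a: int, start_b: int, size_a: int, size_b: int) -> bool:
    # Half-open intervals [start, start + size) intersect
    return start_a < start_b + size_b and start_b < start_a + size_a

def check_new_range(new: IdRange, existing: List[IdRange]) -> List[str]:
    """Return the reasons to reject `new`; an empty list means acceptable."""
    errors = []
    if new.range_type == "ipa-ad-trust-posix" and new.rid_base is not None:
        errors.append("rid-base must not be used with ipa-ad-trust-posix")
    for old in existing:
        if overlaps(new.base_id, old.base_id, new.size, old.size):
            errors.append(f"POSIX ID range overlaps {old.name}")
        if old.dom_sid != new.dom_sid:
            continue  # RID and type checks apply per trusted domain
        if old.range_type != new.range_type:
            errors.append(f"range type differs from {old.name}")
        if (new.rid_base is not None and old.rid_base is not None
                and overlaps(new.rid_base, old.rid_base, new.size, old.size)):
            errors.append(f"primary RID range overlaps {old.name}")
    return errors

# Ranges taken from the report above
SID = "S-1-5-21-3090815309-2627318493-3395719201"
EXISTING = [IdRange("AD18.IPA18.DEVEL_id_range", 1670800000, 200000, SID,
                    "ipa-ad-trust", 0)]
TEST_RANGE = IdRange("test-range", 123456, 10, SID, "ipa-ad-trust", 0)
TEST_RANGE2 = IdRange("test-range2", 223456, 10, SID, "ipa-ad-trust-posix", 1)
# Constructed: RID range starting at 200000, the first free RID per the report
OK_RANGE = IdRange("ok-range", 123456, 10, SID, "ipa-ad-trust", 200000)

if __name__ == "__main__":
    for r in (TEST_RANGE, TEST_RANGE2, OK_RANGE):
        print(r.name, check_new_range(r, EXISTING) or "accepted")
```
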
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/218a2617427a63c7e3d79427923e7986411af786
Additional fixes:

master:
https://fedorahosted.org/freeipa/changeset/2011392246cda7eb9449f8a0ae239ded3d7d5dd4
https://fedorahosted.org/freeipa/changeset/2c4d41221a7208e8e4d53ec85f24fe8a1da711dd
https://fedorahosted.org/freeipa/changeset/246e722b4fb9a3a33c650cf536d2b0f51a1923b7
https://fedorahosted.org/freeipa/changeset/6c8b40afb57ebd1b062b33db7a2639b9c112d8ed
https://fedorahosted.org/freeipa/changeset/91d68864d1b59cfc30fa68303f2f664d2e2368bf
https://fedorahosted.org/freeipa/changeset/5e5d4818a1d9a4422b28f445fbac2e1daa513e82
https://fedorahosted.org/freeipa/changeset/01558a77df9881de5e5c6919b373c77f2780ecde
Verified in version

ipa-server-4.1.0-13.el7.x86_64
sssd-1.12.2-39.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: idrange_cli_bz1058780: Missing checks during ipa idrange-add bz1058780
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ BEGIN ] :: Running 'ipa trustdomain-find adtest.qe'
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
:: [ PASS ] :: Command 'ipa trustdomain-find adtest.qe' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [ PASS ] :: Command 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix
:: [ PASS ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix'
:: [ PASS ] :: Domain can have only one type of range/trust.
bz1058780 not found
:: [ BEGIN ] :: Running 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-91314187-2404433721-1858927112 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [ PASS ] :: Command 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-91314187-2404433721-1858927112 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix
:: [ PASS ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix'
:: [ PASS ] :: Domain can have only one type of range/trust.
bz1058780 not found
:: [ BEGIN ] :: Running 'ipa idrange-add trust-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [ PASS ] :: Command 'ipa idrange-add trust-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [ BEGIN ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range.
:: [ PASS ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range'
:: [ PASS ] :: RID overlap is checked
:: [ 17:23:18 ] :: Test for sssd bz1067361 skipped, as conflicting ranges cannot be added anymore
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html