On 11/21/2013 12:26 PM, Alexander Bokovoy wrote:
> On Thu, 21 Nov 2013, Tomas Babej wrote:
>> Hi,
>>
>> this fixes
>>
>> https://fedorahosted.org/freeipa/ticket/4041
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
>
>> From 97b0209a2e149ba6dd86ad9998f8e37e60014c3d Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tomasba...@gmail.com>
>> Date: Thu, 21 Nov 2013 14:44:42 +0100
>> Subject: [PATCH 131/132] trusts: Do not pass base-id to the subdomain
>> ranges
>>
>> https://fedorahosted.org/freeipa/ticket/4041
>> ---
>> ipalib/plugins/trust.py | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py >> index >> 32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b >> 100644 >> --- a/ipalib/plugins/trust.py >> +++ b/ipalib/plugins/trust.py >> @@ -375,6 +375,11 @@ sides. >> passed_options = options >> passed_options.update(range_type=created_range_type) >> >> + # Do not pass the base id to the subdomains >> since it would >> + # clash with the root level domain >> + if 'base_id' in passed_options: >> + del passed_options['base_id'] >> + >> # Try to add the range for each subdomain >> try: >> self.add_range(range_name, dom_sid, *keys,
>
> ACK.
>
> Small comment that would probably be good to add to the commit message:
>
> For trusted domains base id is calculated using a murmur3 hash of the
> domain Security Identifier (SID). During trust-add we create ranges for
> forest root domain and other forest domains. Since --base-id explicitly
> overrides generated base id for forest root domain, its value should not
> be passed to other forest domains' ranges -- their base ids must be
> calculated based on their SIDs.
>
> In case base id change for non-root forest domains is required, it can
> be done manually through idrange-mod command after the trust is
> established.
>
FYI, the ticket is a blocker now.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
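
Review bot: In the added block, `del passed_options['base_id']` also deletes the key from `options`, because the context line just above binds `passed_options = options` without copying. Any code that reads `options` after this point no longer sees the explicit base id. Building the subdomain options from a copy, for example `passed_options = dict(options)`, keeps the removal local, and `passed_options.pop('base_id', None)` would replace the `if`/`del` pair. The code comment could also carry the reason given in review: base ids for the other forest domains must be calculated from their own SIDs.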