From bcf89f59d86f4031f3b2ea39dc1dff9484d81e67 Mon Sep 17 00:00:00 2001

From: Tomas Babej <tbabej@redhat.com>

Date: Thu, 21 Nov 2013 14:44:42 +0100

Subject: [PATCH 5/6] trusts: Do not pass base-id to the subdomain ranges

For trusted domains base id is calculated using a murmur3 hash of the

domain Security Identifier (SID). During trust-add we create ranges for

forest root domain and other forest domains. Since --base-id explicitly

overrides generated base id for forest root domain, its value should not

be passed to other forest domains' ranges -- their base ids must be

calculated based on their SIDs.

In case base id change for non-root forest domains is required, it can

be done manually through idrange-mod command after the trust is

established.

https://fedorahosted.org/freeipa/ticket/4041

---

 ipalib/plugins/trust.py | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py

index 32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b 100644

--- a/ipalib/plugins/trust.py

+++ b/ipalib/plugins/trust.py

@@ -375,6 +375,11 @@ def execute(self, *keys, **options):

                     passed_options = options

                     passed_options.update(range_type=created_range_type)

+                    # Do not pass the base id to the subdomains since it would

+                    # clash with the root level domain

+                    if 'base_id' in passed_options:

+                        del passed_options['base_id']

+

                     # Try to add the range for each subdomain

                     try:

                         self.add_range(range_name, dom_sid, *keys,

-- 

1.8.3.1