From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Tue, 30 Aug 2022 16:38:42 +0200
Subject: [PATCH] ipaserver: Add missing idstart check

The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs. This is "Require idstart to be larger than UID_MAX" for freeipa.

Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
---
 roles/ipaserver/library/ipaserver_test.py | 13 ++++++++++++-
 roles/ipaserver/module_utils/ansible_ipa_server.py | 7 ++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 2158150..f830f37 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import (
 read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
- encode_certificate, check_available_memory, getargspec, adtrustinstance
+ encode_certificate, check_available_memory, getargspec, adtrustinstance,
+ get_min_idstart
 )
 from ansible.module_utils import six
@@ -579,6 +580,16 @@ def main():
 "'--ignore-topology-disconnect/--ignore-last-of-role' "
 "options can be used only during uninstallation")
+ if get_min_idstart is not None:
+ min_idstart = get_min_idstart()
+ if self.idstart < min_idstart:
+ raise RuntimeError( "idstart (%i) must be larger than UID_MAX/GID_MAX " "(%i) setting in /etc/login.defs." % ( self.idstart, min_idstart ) )
+
 if self.idmax < self.idstart:
 raise RuntimeError(
 "idmax (%s) cannot be smaller than idstart (%s)" %
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index aba6b68..5b1c4e5 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
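Review bot: The comparison `if self.idstart < min_idstart:` lets `idstart == min_idstart` pass, while the message raised right below says idstart "must be larger than UID_MAX/GID_MAX (%i)", so either the operator or the wording is inconsistent depending on whether `get_min_idstart()` returns the raw UID_MAX/GID_MAX or the smallest acceptable idstart derived from it. If the helper already returns the minimum acceptable value, the message should read `"idstart (%i) must be at least %i (derived from UID_MAX/GID_MAX in /etc/login.defs)."`; if it returns the raw limit, the test should be `<=`. A one-line comment above the call recording which it is, e.g. `# get_min_idstart() yields the lowest idstart permitted by UID_MAX/GID_MAX in /etc/login.defs`, would keep the two in step. When `get_min_idstart` is None (older IPA, see the try/except added in ansible_ipa_server.py) the check is skipped with no trace at all; emitting a warning through the module's warning facility in that case would tell operators that the login.defs constraint was not verified, which is the condition the commit message ties to #896. main() continues outside this hunk.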
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
 "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader", "default_subject_base", "default_ca_subject_dn", "check_ldap_conf", "encode_certificate", "decode_certificate",
- "check_available_memory", "getargspec"]
+ "check_available_memory", "getargspec", "get_min_idstart"]
 import sys
@@ -200,6 +200,11 @@ else:
 from ipalib.x509 import load_certificate
 load_pem_x509_certificate = None
+ try:
+ from ipaserver.install.server.install import get_min_idstart
+ except ImportError:
+ get_min_idstart = None
+
 else:
 # IPA version < 4.5
-- 
2.37.3
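Review bot: `get_min_idstart` is only bound in the branch that ends at `else: # IPA version < 4.5`, yet the first hunk of this file exports it in `__all__` and ipaserver_test.py imports it by name; if that `else:` branch can complete without raising, the import in ipaserver_test.py would fail on IPA < 4.5 instead of reaching the `None` fallback the caller checks for. Binding `get_min_idstart = None` at module level before the version branch (the branch header lies outside this hunk) would make the fallback unconditional. The `except ImportError:` also turns any import failure inside `ipaserver.install.server.install`, not only a missing `get_min_idstart`, into `None`, which silently disables the idstart check; a comment such as `# older IPA without get_min_idstart: the idstart/login.defs check is skipped by the caller` would at least make that trade-off explicit, and logging the ImportError at debug level would make it diagnosable.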