From 5701d4f75c780d778fccefdb1ec911d4f1fccd8e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sun, 17 Nov 2019 19:37:03 +0200
Subject: [PATCH] Do not run trust upgrade code if master lacks Samba bindings

If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
 ipaserver/install/plugins/adtrust.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 950b7b9c82f1b0e115675ff8093d1bd02e913ae2..c0de12eca903a6635f4b53b0806a0ba07170b7c6 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -23,6 +23,8 @@ except ImportError:
     def ndr_unpack(x):
         raise NotImplementedError
 
+    drsblobs = None
+
 logger = logging.getLogger(__name__)
 
 register = Registry()
@@ -633,6 +635,10 @@ class update_tdo_to_new_layout(Updater):
             logger.debug('AD Trusts are not enabled on this server')
             return False, []
 
+        # If we have no Samba bindings, this master is not a trust controller
+        if drsblobs is None:
+            return False, []
+
         ldap = self.api.Backend.ldap2
         gidNumber = get_gidNumber(ldap, self.api.env)
         if gidNumber is None:
-- 
2.23.0