Bug 1058780

Summary: Missing checks during ipa idrange-add
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: rcritten, sgoveas
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:10:18 UTC

Description Dmitri Pal 2014-01-28 14:12:20 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4137

With the following existing idrange
{{{
# ipa idrange-show AD18.IPA18.DEVEL_id_range
  Range name: AD18.IPA18.DEVEL_id_range
  First Posix ID of the range: 1670800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range
}}}

I can add the following two idranges
{{{
# ipa idrange-add test-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201
---------------------------
Added ID range "test-range"
---------------------------
  Range name: test-range
  First Posix ID of the range: 123456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range
}}}
and
{{{
# ipa idrange-add test-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201 --type=ipa-ad-trust-posix
----------------------------
Added ID range "test-range2"
----------------------------
  Range name: test-range2
  First Posix ID of the range: 223456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 1
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory trust range with POSIX attributes
}}}

Both should not be possible. In the first case the RID ranges overlap: since the first RID in the existing idrange is 0 and the size is 200000, the first available RID range can start at 200000.

In the second case (besides the RID issue) an idrange with a different type was added.

Both collisions should be detected and the creation of the new idrange rejected, preferably by the DS plugin which detects the other idrange collisions.

Comment 2 Martin Kosek 2014-04-08 12:25:36 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/218a2617427a63c7e3d79427923e7986411af786

Comment 5 Steeve Goveas 2015-01-08 12:05:20 UTC
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-1.12.2-39.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: idrange_cli_bz1058780: Missing checks during ipa idrange-add bz1058780
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'ipa trustdomain-find adtest.qe'
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
:: [   PASS   ] :: Command 'ipa trustdomain-find adtest.qe' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [   PASS   ] :: Command 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix
:: [   PASS   ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix' 
:: [   PASS   ] :: Domain can have only one type of range/trust. bz1058780 not found 
:: [  BEGIN   ] :: Running 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-91314187-2404433721-1858927112 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [   PASS   ] :: Command 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-91314187-2404433721-1858927112 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix
:: [   PASS   ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix' 
:: [   PASS   ] :: Domain can have only one type of range/trust. bz1058780 not found 
:: [  BEGIN   ] :: Running 'ipa idrange-add trust-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [   PASS   ] :: Command 'ipa idrange-add trust-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range.
:: [   PASS   ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range' 
:: [   PASS   ] :: RID overlap is checked 
:: [ 17:23:18 ] :: Test for sssd bz1067361 skipped, as conflicting ranges cannot be added anymore

Comment 7 errata-xmlrpc 2015-03-05 10:10:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html