Bug 1058780 - Missing checks during ipa idrange-add
Summary: Missing checks during ipa idrange-add
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-28 14:12 UTC by Dmitri Pal
Modified: 2015-03-05 10:10 UTC (History)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:10:18 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Dmitri Pal 2014-01-28 14:12:20 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4137

With the following existing idrange
{{{
# ipa idrange-show AD18.IPA18.DEVEL_id_range
  Range name: AD18.IPA18.DEVEL_id_range
  First Posix ID of the range: 1670800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range
}}}

I can add the following two idranges
{{{
# ipa idrange-add test-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201
---------------------------
Added ID range "test-range"
---------------------------
  Range name: test-range
  First Posix ID of the range: 123456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory domain range
}}}
and
{{{
# ipa idrange-add test-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-3090815309-2627318493-3395719201 --type=ipa-ad-trust-posix
----------------------------
Added ID range "test-range2"
----------------------------
  Range name: test-range2
  First Posix ID of the range: 223456
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 1
  Domain SID of the trusted domain: S-1-5-21-3090815309-2627318493-3395719201
  Range type: Active Directory trust range with POSIX attributes
}}}

Both should not be possible. In the first case the RID ranges overlap: since the first RID in the existing idrange is 0 and the size is 200000, the first available RID range can start at 200000.

In the second case (besides the RID issue) an idrange with a different type was added.

Both collisions should be detected and the creation of the new idrange rejected, preferably by the DS plugin which detects the other idrange collisions.
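The two checks the report asks for, modelled as an added example in Python (this is not FreeIPA's own code or its DS plugin; the range type name "ipa-ad-trust" for the default "Active Directory domain range" and the error wording are assumptions). It treats every RID range as the half-open interval [rid_base, rid_base + size), so with the existing range at RID 0 and size 200000 the next free RID base is 200000, exactly as the report states.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values quoted in the report (constructed test data, not a live directory).
TRUSTED_SID = "S-1-5-21-3090815309-2627318493-3395719201"


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int            # first POSIX ID of the range
    size: int               # number of IDs (also the size of the RID range)
    dom_sid: str            # SID of the trusted domain
    range_type: str         # "ipa-ad-trust" or "ipa-ad-trust-posix" (assumed names)
    rid_base: Optional[int] = None  # first RID; None when the type has no RID range


def overlaps(start_a: int, size_a: int, start_b: int, size_b: int) -> bool:
    """True when half-open intervals [a, a+size_a) and [b, b+size_b) intersect."""
    return start_a < start_b + size_b and start_b < start_a + size_a


def next_free_rid_base(existing: List[IdRange], dom_sid: str) -> int:
    """Lowest RID base that sits above every RID range already used for dom_sid."""
    ends = [r.rid_base + r.size for r in existing
            if r.dom_sid == dom_sid and r.rid_base is not None]
    return max(ends, default=0)


def check_new_range(existing: List[IdRange], new: IdRange) -> List[str]:
    """Return the constraint violations a new range would cause (empty list = accept)."""
    errors = []
    if new.range_type == "ipa-ad-trust-posix" and new.rid_base is not None:
        errors.append("rid-base must not be used with range type ipa-ad-trust-posix")
    for old in existing:
        if overlaps(old.base_id, old.size, new.base_id, new.size):
            errors.append(f"POSIX ID range overlaps with {old.name}")
        if old.dom_sid != new.dom_sid:
            continue  # RID and type checks only apply within one trusted domain
        if old.range_type != new.range_type:
            errors.append(f"{old.dom_sid} already has a range of type {old.range_type}")
        if (old.rid_base is not None and new.rid_base is not None
                and overlaps(old.rid_base, old.size, new.rid_base, new.size)):
            errors.append(f"primary RID range overlaps with {old.name}")
    return errors


# The idrange shown at the top of the report.
EXISTING = [IdRange("AD18.IPA18.DEVEL_id_range", 1670800000, 200000,
                    TRUSTED_SID, "ipa-ad-trust", rid_base=0)]
```

Feeding the report's two idrange-add invocations through check_new_range yields the RID overlap for test-range and both the type mismatch and the RID problem for test-range2, while a range starting at RID 200000 is accepted.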

Comment 2 Martin Kosek 2014-04-08 12:25:36 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/218a2617427a63c7e3d79427923e7986411af786

Comment 5 Steeve Goveas 2015-01-08 12:05:20 UTC
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-1.12.2-39.el7.x86_64
389-ds-base-1.3.3.1-11.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: idrange_cli_bz1058780: Missing checks during ipa idrange-add bz1058780
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'ipa trustdomain-find adtest.qe'
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
:: [   PASS   ] :: Command 'ipa trustdomain-find adtest.qe' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [   PASS   ] :: Command 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix
:: [   PASS   ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix' 
:: [   PASS   ] :: Domain can have only one type of range/trust. bz1058780 not found 
:: [  BEGIN   ] :: Running 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-91314187-2404433721-1858927112 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [   PASS   ] :: Command 'ipa idrange-add trust-range2 --base-id=223456 --rid-base=1 --range-size=10 --dom-sid=S-1-5-21-91314187-2404433721-1858927112 --type=ipa-ad-trust-posix > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix
:: [   PASS   ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: invalid 'ID Range setup': Option rid-base must not be used when IPA range type is ipa-ad-trust-posix' 
:: [   PASS   ] :: Domain can have only one type of range/trust. bz1058780 not found 
:: [  BEGIN   ] :: Running 'ipa idrange-add trust-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1'
:: [   PASS   ] :: Command 'ipa idrange-add trust-range --base-id=123456 --rid-base=0 --range-size=10 --dom-sid=S-1-5-21-1910160501-511572375-3625658879 > /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out'
ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range.
:: [   PASS   ] :: Command 'cat /tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.Z6QPN83XNK/tmpout.idrange_cli_bz1058780.out' should contain 'ipa: ERROR: Constraint violation: New primary rid range overlaps with existing primary rid range' 
:: [   PASS   ] :: RID overlap is checked 
:: [ 17:23:18 ] :: Test for sssd bz1067361 skipped, as conflicting ranges cannot be added anymore

Comment 7 errata-xmlrpc 2015-03-05 10:10:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

