On Tue, Sep 25, 2012 at 05:40:57PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> Domain validator code in ipaserver/dcerpc.py verifies that a SID belongs
> to one of our trusted domains. This verification was expecting that SID
> is for some resource within trusted domain and ignored the case when it
> is the SID of the trusted domain, i.e. when sid has form like
> S-1-5-21-16904141-148189700-2149043814 rather than
> S-1-5-21-16904141-148189700-2149043814-512 (Domain Admins).
>
> The latter is what idrange-add command uses.
>
> So comparing SID with SID was done by stripping last component (RID).
> In case of idrange-add stripping last RID was making a SID that could
> never compare to a trusted domain SID.
>
> Somehow the code worked for me in Fedora and started failing on RHEL6.
>
> --
> / Alexander Bokovoy

ACK

bye,
Sumit
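
The comparison problem described in the quoted message, as an added example that is not part of this thread and is not FreeIPA's code: it puts the strip-the-RID check beside one that also accepts the trusted domain's own SID. The function names are hypothetical, the two SIDs from the message are reused, and the other sample SIDs are constructed.

```python
import re

# Textual SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# SIDs quoted in the message above.
TRUSTED_DOMAIN_SIDS = ["S-1-5-21-16904141-148189700-2149043814"]
DOMAIN_ADMINS_SID = "S-1-5-21-16904141-148189700-2149043814-512"
# Constructed samples: an unrelated domain, and a SID two components below.
FOREIGN_SID = "S-1-5-21-1111111111-222222222-333333333-512"
TOO_DEEP_SID = "S-1-5-21-16904141-148189700-2149043814-512-1000"


def parse_sid(sid):
    """Return the numeric components of a textual SID, or raise ValueError."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID: %r" % (sid,))
    return tuple(int(part) for part in sid.split("-")[1:])


def in_trusted_domain_strip_rid(sid, domain_sids):
    """Check as described in the message: always drop the last component.

    A bare domain SID loses its final sub-authority here, so it can never
    equal a trusted domain SID.
    """
    domains = {parse_sid(d) for d in domain_sids}
    return parse_sid(sid)[:-1] in domains


def in_trusted_domain(sid, domain_sids):
    """Accept the trusted domain SID itself or a SID exactly one RID below it.

    Components are compared as integers, so a SID whose text merely starts
    with a trusted domain SID does not match.
    """
    domains = {parse_sid(d) for d in domain_sids}
    parts = parse_sid(sid)
    return parts in domains or parts[:-1] in domains


if __name__ == "__main__":
    for s in TRUSTED_DOMAIN_SIDS + [DOMAIN_ADMINS_SID, FOREIGN_SID, TOO_DEEP_SID]:
        print(s, in_trusted_domain_strip_rid(s, TRUSTED_DOMAIN_SIDS),
              in_trusted_domain(s, TRUSTED_DOMAIN_SIDS))
```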