Let us discuss a which behaviour we should take with trust-add command.

Currently, if you run:

$ ipa trust-add --type ad <host>
Range type (POSIX or non-POSIX) is being detected automatically.

However, if you run:

$ ipa trust-add --type ad <host> --range-type=ipa-ad-trust-posix
You override the detection of the SFU support on the AD. This is not a
when you have a AD with POSIX support, and you try to enforce a
non-posix range type.

However, if you *think* you have SFU up and running, but you don't (or
we just can't
access the information for whatever reason), you end up enforcing POSIX
range type
while not defining any of the expected attributes.

Currently, not defining base_id simply means you will have one generated
from SID.
So you end up with a posix range like this one:

 Range name: ADPOSIX.QE_id_range
 First Posix ID of the range: *280400000*
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-3655340000-3880942204-3419777279
 Range type: Active Directory trust range *with POSIX attributes*

The question is, what position should we take?

1.) Are we going to stick with the defaults estabilished by AD?
(base_id: 10000)
2.) Or are we going to bail out in this case and report an error?


Freeipa-devel mailing list

Reply via email to