https://fedorahosted.org/freeipa/ticket/5737

Patch attached.
From 952a43a2ef272a61916125040852bc6f5b5de079 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 15 Mar 2016 16:18:57 +0100
Subject: [PATCH] Fix broken trust warnings

A warning should be shown only for the parent entry of a trust domain;
subdomains do not contain SIDs at all.

https://fedorahosted.org/freeipa/ticket/5737
---
 ipalib/plugins/trust.py              | 25 +++++++++++++++++++------
 ipaserver/install/plugins/adtrust.py | 17 +++++++++++++++--
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ba0c98e2f3711924dace395b7becf2977ca8e35c..148f1cd03d937f24e039e15bc009f9e941ec4ea9 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -594,23 +594,36 @@ class trust(LDAPObject):
         AD trust domain without generated SID, warn user about it.
         """
         ldap = self.api.Backend.ldap2
-
+        sid_attr_name = 'ipaNTSecurityIdentifier'
         try:
             entries, truncated = ldap.find_entries(
                 base_dn=DN(self.container_dn, self.api.env.basedn),
-                attrs_list=['cn'],
-                filter='(&(ipaNTTrustPartner=*)'
-                       '(!(ipaNTSecurityIdentifier=*)))',
+                attrs_list=['cn', sid_attr_name],
+                filter='(ipaNTTrustPartner=*)',
             )
         except errors.NotFound:
             pass
         else:
+            # print warning only for parent domain, subdomains do not contain
+            # SIDs
+            parent_domains = {}
             for entry in entries:
-                 add_message(
+                domain = entry.single_value["cn"]
+                parent_domains = {
+                    d: e for d, e in parent_domains.items()
+                    if not d.endswith(domain)
+                }
+                if not any(domain.endswith(d) for d in parent_domains.keys()):
+                    parent_domains[domain] = entry
+
+            for domain, entry in parent_domains.items():
+                if entry.get(sid_attr_name):
+                    continue
+                add_message(
                     options['version'],
                     result,
                     BrokenTrust(domain=entry.single_value['cn'])
-                 )
+                )
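Review bot: The parent/subdomain test at `if not d.endswith(domain)` and `if not any(domain.endswith(d) ...)` is a plain string-suffix comparison, so an independent trusted domain whose name merely ends with another one (e.g. `myexample.com` alongside `example.com`) would be treated as a subdomain and silently dropped from the set that receives the BrokenTrust warning, which is the opposite of what the commit intends. The comparison should honour DNS label boundaries and ignore case, e.g. `if not d.lower().endswith('.' + domain.lower())` and `if not any(domain.lower().endswith('.' + d.lower()) for d in parent_domains)`. The same block is duplicated in the ipaserver/install/plugins/adtrust.py hunk (`@@ -302,8 +302,21 @@`) and needs the same fix; a shared helper that returns only the parent entries would keep the two copies in step. The `BrokenTrust(domain=entry.single_value['cn'])` argument can simply be `domain`, which the loop already binds. The enclosing method starts before this hunk.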
 
 
 @register()
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index ce58d7f171bd448dc767f92bbc32346a14f5b2ea..3c68b13c7809cb48ff27bd1d557da23e77d6df9d 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -291,10 +291,10 @@ class update_sids(Updater):
             trust_domain_entries, truncated = ldap.find_entries(
                 base_dn=base_dn,
                 scope=ldap.SCOPE_ONELEVEL,
-                attrs_list=["cn"],
+                attrs_list=["cn", attr_name],
                 # more types of trusts can be stored under cn=trusts, we need
                 # the type with ipaNTTrustPartner attribute
-                filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
+                filter="(ipaNTTrustPartner=*)"
             )
         except errors.NotFound:
             pass
@@ -302,8 +302,21 @@ class update_sids(Updater):
             if truncated:
                 self.log.warning("update_sids: Search results were truncated")
 
+            # print warning only for parent domain, subdomains do not contain
+            # SIDs
+            parent_domains = {}
             for entry in trust_domain_entries:
                 domain = entry.single_value["cn"]
+                parent_domains = {
+                    d: e for d, e in parent_domains.items()
+                    if not d.endswith(domain)
+                }
+                if not any(domain.endswith(d) for d in parent_domains.keys()):
+                    parent_domains[domain] = entry
+
+            for domain, entry in parent_domains.items():
+                if entry.get(attr_name):
+                    continue
                 self.log.error(
                     "Your trust to %s is broken. Please re-create it by "
                     "running 'ipa trust-add' again.", domain)
-- 
2.5.0
