Re: [Freeipa-devel] [PATCH 0131] [PATCH 131/132] trusts: Do not pass base-id to the subdomain ranges

2013-11-21 Thread Martin Kosek
On 11/21/2013 06:26 PM, Alexander Bokovoy wrote:
> On Thu, 21 Nov 2013, Tomas Babej wrote:
>> Hi,
>>
>> this fixes
>>
>> https://fedorahosted.org/freeipa/ticket/4041
>>
>> -- 
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
> 
>> From 97b0209a2e149ba6dd86ad9998f8e37e60014c3d Mon Sep 17 00:00:00 2001
>> From: Tomas Babej 
>> Date: Thu, 21 Nov 2013 14:44:42 +0100
>> Subject: [PATCH 131/132] trusts: Do not pass base-id to the subdomain ranges
>>
>> https://fedorahosted.org/freeipa/ticket/4041
>> ---
>> ipalib/plugins/trust.py | 5 +
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
>> index
>> 32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b
>> 100644
>> --- a/ipalib/plugins/trust.py
>> +++ b/ipalib/plugins/trust.py
>> @@ -375,6 +375,11 @@ sides.
>> passed_options = options
>> passed_options.update(range_type=created_range_type)
>>
>> +# Do not pass the base id to the subdomains since it 
>> would
>> +# clash with the root level domain
>> +if 'base_id' in passed_options:
>> +del passed_options['base_id']
>> +
>> # Try to add the range for each subdomain
>> try:
>> self.add_range(range_name, dom_sid, *keys,
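
Review bot: `passed_options = options`, in the context just above the added lines, binds a second name to the same dict, so `del passed_options['base_id']` also removes base_id from `options` for whatever reads it after this point. If that side effect is not wanted, copy first, e.g. `passed_options = dict(options)`; the if/del pair can then be written as `passed_options.pop('base_id', None)`. The new comment could also say that subdomain base ids are then derived from each domain's SID, which is the reason given in the review reply.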
> 
> ACK.
> 
> Small comment that would probably be good to add to the commit message:
> 
> For trusted domains base id is calculated using a murmur3 hash of the
> domain Security Identifier (SID). During trust-add we create ranges for
> forest root domain and other forest domains. Since --base-id explicitly
> overrides generated base id for forest root domain, its value should not
> be passed to other forest domains' ranges -- their base ids must be
> calculated based on their SIDs.
> 
> In case base id change for non-root forest domains is required, it can
> be done manually through idrange-mod command after the trust is
> established.

I added the text to the commit message and fixed the From field to the correct address
(Tomas's MUA often confuses it :)

Thanks for quick fix and quick review! Pushed to master, ipa-3-3.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0131] [PATCH 131/132] trusts: Do not pass base-id to the subdomain ranges

2013-11-21 Thread Dmitri Pal
On 11/21/2013 12:26 PM, Alexander Bokovoy wrote:
> On Thu, 21 Nov 2013, Tomas Babej wrote:
>> Hi,
>>
>> this fixes
>>
>> https://fedorahosted.org/freeipa/ticket/4041
>>
>> -- 
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
>
>> From 97b0209a2e149ba6dd86ad9998f8e37e60014c3d Mon Sep 17 00:00:00 2001
>> From: Tomas Babej 
>> Date: Thu, 21 Nov 2013 14:44:42 +0100
>> Subject: [PATCH 131/132] trusts: Do not pass base-id to the subdomain
>> ranges
>>
>> https://fedorahosted.org/freeipa/ticket/4041
>> ---
>> ipalib/plugins/trust.py | 5 +
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
>> index
>> 32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b
>> 100644
>> --- a/ipalib/plugins/trust.py
>> +++ b/ipalib/plugins/trust.py
>> @@ -375,6 +375,11 @@ sides.
>> passed_options = options
>> passed_options.update(range_type=created_range_type)
>>
>> +# Do not pass the base id to the subdomains
>> since it would
>> +# clash with the root level domain
>> +if 'base_id' in passed_options:
>> +del passed_options['base_id']
>> +
>> # Try to add the range for each subdomain
>> try:
>> self.add_range(range_name, dom_sid, *keys,
>
> ACK.
>
> Small comment that would probably be good to add to the commit message:
>
> For trusted domains base id is calculated using a murmur3 hash of the
> domain Security Identifier (SID). During trust-add we create ranges for
> forest root domain and other forest domains. Since --base-id explicitly
> overrides generated base id for forest root domain, its value should not
> be passed to other forest domains' ranges -- their base ids must be
> calculated based on their SIDs.
>
> In case base id change for non-root forest domains is required, it can
> be done manually through idrange-mod command after the trust is
> established.
>
FYI, the ticket is a blocker now.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




Re: [Freeipa-devel] [PATCH 0131] [PATCH 131/132] trusts: Do not pass base-id to the subdomain ranges

2013-11-21 Thread Alexander Bokovoy

On Thu, 21 Nov 2013, Tomas Babej wrote:

Hi,

this fixes

https://fedorahosted.org/freeipa/ticket/4041

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org





From 97b0209a2e149ba6dd86ad9998f8e37e60014c3d Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 21 Nov 2013 14:44:42 +0100
Subject: [PATCH 131/132] trusts: Do not pass base-id to the subdomain ranges

https://fedorahosted.org/freeipa/ticket/4041
---
ipalib/plugins/trust.py | 5 +
1 file changed, 5 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 
32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b
 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -375,6 +375,11 @@ sides.
passed_options = options
passed_options.update(range_type=created_range_type)

+# Do not pass the base id to the subdomains since it would
+# clash with the root level domain
+if 'base_id' in passed_options:
+del passed_options['base_id']
+
# Try to add the range for each subdomain
try:
self.add_range(range_name, dom_sid, *keys,


ACK.

Small comment that would probably be good to add to the commit message:

For trusted domains base id is calculated using a murmur3 hash of the
domain Security Identifier (SID). During trust-add we create ranges for
forest root domain and other forest domains. Since --base-id explicitly
overrides generated base id for forest root domain, its value should not
be passed to other forest domains' ranges -- their base ids must be
calculated based on their SIDs.

In case base id change for non-root forest domains is required, it can
be done manually through idrange-mod command after the trust is
established.

--
/ Alexander Bokovoy
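
The clash described in the review comment above, as an added illustration (not part of the original thread and not FreeIPA's code). The range size, lowest base id, slot count, hash seed, SIDs, override value and all function names are assumptions chosen for the example; only the murmur3 hash of the SID and the --base-id override come from the thread.

```python
# Added example: constants, SIDs and helper names are assumptions, not FreeIPA code.
MASK = 0xFFFFFFFF
RANGE_SIZE = 200000   # assumed size of every ID range
FIRST_BASE = 200000   # assumed lowest generated base id
SLOTS = 10000         # assumed number of slots the hash is folded into
SEED = 0xDEADBEEF     # assumed hash seed

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def murmur3_32(data, seed=0):
    """MurmurHash3 (x86, 32-bit) of a byte string."""
    h, full = seed & MASK, len(data) - len(data) % 4
    for i in range(0, len(data), 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (_rotl((k * 0xCC9E2D51) & MASK, 15) * 0x1B873593) & MASK
        h ^= k
        if i < full:  # complete 4-byte blocks get the extra mixing step
            h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    h ^= len(data)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)

def generated_base(sid):
    """Base id derived from the domain SID when no override applies."""
    return FIRST_BASE + (murmur3_32(sid.encode(), SEED) % SLOTS) * RANGE_SIZE

def plan_ranges(forest, base_id=None, strip_for_subdomains=True):
    """forest is [(name, sid), ...] with the forest root first."""
    plan = {}
    for i, (name, sid) in enumerate(forest):
        override = base_id is not None and (i == 0 or not strip_for_subdomains)
        base = base_id if override else generated_base(sid)
        plan[name] = (base, base + RANGE_SIZE - 1)
    return plan

def overlaps(plan):
    """Pairs of domains whose [first, last] id ranges intersect."""
    names = list(plan)
    return [(a, b) for n, a in enumerate(names) for b in names[n + 1:]
            if plan[a][0] <= plan[b][1] and plan[b][0] <= plan[a][1]]

# Constructed forest and override value (placed above the generated id space).
FOREST = [("ad.example", "S-1-5-21-1111111111-2222222222-3333333333"),
          ("child.ad.example", "S-1-5-21-1234567890-987654321-1122334455")]
OVERRIDE = 2_100_000_000
BEFORE = plan_ranges(FOREST, OVERRIDE, strip_for_subdomains=False)  # override leaks
AFTER = plan_ranges(FOREST, OVERRIDE)  # override applies to the root only
```

overlaps(BEFORE) reports the root and child ranges as the same interval, while overlaps(AFTER) is empty because the child's base falls back to the value hashed from its own SID.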
