Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors #7253

Closed
wants to merge 1 commit into from
Closed

idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors #7253

wants to merge 1 commit into from

Conversation

t-woerner
Copy link
Member

SID anchors are only resolvable on servers with DCERPC bindings installed. On non agent replica these bindings are not installed and therefore group and role management if there are AD user idoverride members.

Fixes: https://pagure.io/freeipa/issue/9544

abbra
abbra reviewed Feb 26, 2024
View reviewed changes
ipaserver/plugins/idviews.py Outdated Show resolved Hide resolved
@t-woerner t-woerner force-pushed the use_ipaAnchorUUID_on_replica_without_DCERPC_bindings_for_sid_anchors branch 3 times, most recently from dacadf0 to d91f579 Compare February 26, 2024 15:26
abbra
abbra reviewed Feb 26, 2024
View reviewed changes
ipaserver/plugins/idviews.py Outdated Show resolved Hide resolved
@t-woerner t-woerner force-pushed the use_ipaAnchorUUID_on_replica_without_DCERPC_bindings_for_sid_anchors branch from d91f579 to b294051 Compare February 26, 2024 15:57
@abbra
Copy link
Contributor

abbra commented Feb 26, 2024

The code LGTM. @t-woerner does it help with your reproducer? I wonder if we should turn that one into a test or rely on ansible-freeipa testing this scenario...

@t-woerner
Copy link
Member Author

Yes, this fixes the issue for me.
I think it might be good to have a test in FreeIPA for this.

@f-trivino f-trivino added the needs review Pull Request is waiting for a review label May 21, 2024
@t-woerner
idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors
71e5d28 
SID anchors are only resolvable on servers with DCERPC bindings
installed. On non agent replica these bindings are not installed and
therefore group and role management if there are AD user idoverride
members.

If there is an ipaUserOverride for the anchor, the ipaoriginaluid is
returned.

Fixes: https://pagure.io/freeipa/issue/9544

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
@t-woerner t-woerner force-pushed the use_ipaAnchorUUID_on_replica_without_DCERPC_bindings_for_sid_anchors branch from b294051 to 71e5d28 Compare May 21, 2024 13:40
@abbra abbra added ack Pull Request approved, can be merged ipa-4-11 Mark for backport to ipa 4.11 ipa-4-9 Mark for backport to ipa 4.9 ipa-4-10 Mark for backport to ipa 4.10 and removed needs review Pull Request is waiting for a review labels May 22, 2024
@abbra
Copy link
Contributor

abbra commented May 22, 2024

We can add a test later.

@antoniotorresm antoniotorresm added the pushed Pull Request has already been pushed label May 22, 2024
@antoniotorresm
Copy link
Contributor

master:

  • 9dc57ef idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors

This was referenced May 22, 2024
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abbra abbra abbra left review comments

Assignees
No one assigned
Labels
ack Pull Request approved, can be merged ipa-4-9 Mark for backport to ipa 4.9 ipa-4-10 Mark for backport to ipa 4.10 ipa-4-11 Mark for backport to ipa 4.11 pushed Pull Request has already been pushed
Projects
None yet
Milestone
No milestone
4 participants
@t-woerner @abbra @antoniotorresm @f-trivino