From 58a99dd5ac5755cb02feb0feecb18d294eaa805c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 2 Oct 2012 22:11:17 +0200
Subject: Add SIDs for existing users and groups at the end of
 ipa-adtrust-install

Fixes https://fedorahosted.org/freeipa/ticket/3104
---
 install/tools/ipa-adtrust-install       |  5 ++++-
 install/tools/man/ipa-adtrust-install.1 | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

(limited to 'install/tools')

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 4285642e6..52179038e 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -61,6 +61,9 @@ def parse_options():
     parser.add_option("-A", "--admin-name",
                       sensitive=True, dest="admin_name", default='admin',
                       help="admin user principal")
+    parser.add_option("--add-sids", dest="add_sids", action="store_true",
+                      default=False, help="Add SIDs for existing users and" \
+                                          "groups as the final step")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
@@ -250,7 +253,7 @@ def main():
     smb.autobind = service.ENABLED
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
               netbios_name, options.rid_base, options.secondary_rid_base,
-              options.no_msdcs)
+              options.no_msdcs, options.add_sids)
     smb.find_local_id_range()
     smb.create_instance()
 
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index fa63bca3c..9204b7d5f 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -71,6 +71,16 @@ are needed for the IPA domain which should point to all IPA servers:
 .IP
 \(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
 .TP
+\fB\-\-add\-sids\fR
+Add SIDs to existing users and groups as a final step of the
+ipa\-adtrust\-install run. If there a many existing users and groups and a
+couple of replicas in the environment this operation might lead to a high
+replication traffic and a performance degradation of all IPA servers in the
+environment. To avoid this the SID generation can be run after
+ipa\-adtrust\-install is run and scheduled independently. To start this task
+you have to load an edited version of ipa-sidgen-task-run.ldif with the
+ldapmodify command info the directory server.
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
-- 
cgit