authorFlorence Blanc-Renaud <flo@redhat.com>2017-04-03 15:57:47 +0200
committerMartin Basti <mbasti@redhat.com>2017-04-07 12:38:35 +0200
commit5405de5bc15941d71137af10aa66a6cf922d9e6d (patch)
tree66728ff7c990d71059d875bc3c7805de82311e52
parente052c2dce04f5ce147dc2b6804f44705fa4d69df (diff)
Upgrade: add gidnumber to trusted domain entry
The trusted domain entries created in earlier versions are missing gidnumber. During upgrade, a new plugin will read the gidnumber of the fallback group cn=Default SMB Group and add this value to trusted domain entries which do not have a gidNumber. https://pagure.io/freeipa/issue/6827 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--install/updates/90-post_upgrade_plugins.update1
-rw-r--r--ipaserver/install/plugins/adtrust.py56
2 files changed, 57 insertions, 0 deletions
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 34069e745..8477199e0 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -10,6 +10,7 @@ plugin: update_sigden_extdom_broken_config
plugin: update_sids
plugin: update_default_range
plugin: update_default_trust_view
+plugin: update_tdo_gidnumber
plugin: update_ca_renewal_master
plugin: update_idrange_type
plugin: update_pacs
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 42968089f..075f19778 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -22,6 +22,7 @@ from ipalib import Updater
from ipapython.dn import DN
from ipapython.ipa_log_manager import root_logger
from ipaserver.install import sysupgrade
+from ipaserver.install.adtrustinstance import ADTRUSTInstance
register = Registry()
@@ -316,3 +317,58 @@ class update_sids(Updater):
sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
return False, ()
+
+
+@register()
+class update_tdo_gidnumber(Updater):
+ """
+ Create a gidNumber attribute for Trusted Domain Objects.
+
+ The value is taken from the fallback group defined in cn=Default SMB Group.
+ """
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+
+ # Read the gidnumber of the fallback group
+ dn = DN(('cn', ADTRUSTInstance.FALLBACK_GROUP_NAME),
+ self.api.env.container_group,
+ self.api.env.basedn)
+
+ try:
+ entry = ldap.get_entry(dn, ['gidnumber'])
+ gidNumber = entry.get('gidnumber')
+ except errors.NotFound:
+ self.log.error("{0} not found".format(
+ ADTRUSTInstance.FALLBACK_GROUP_NAME))
+ return False, ()
+
+ if not gidNumber:
+ self.log.error("{0} does not have a gidnumber".format(
+ ADTRUSTInstance.FALLBACK_GROUP_NAME))
+ return False, ()
+
+ # For each trusted domain object, add gidNumber
+ try:
+ tdos = ldap.get_entries(
+ DN(self.api.env.container_adtrusts, self.api.env.basedn),
+ scope=ldap.SCOPE_ONELEVEL,
+ filter="(objectclass=ipaNTTrustedDomain)",
+ attrs_list=['gidnumber'])
+ for tdo in tdos:
+ # if the trusted domain object does not contain gidnumber,
+ # add the default fallback group gidnumber
+ if not tdo.get('gidnumber'):
+ try:
+ tdo['gidnumber'] = gidNumber
+ ldap.update_entry(tdo)
+ self.log.debug("Added gidnumber {0} to {1}".format(
+ gidNumber, tdo.dn))
+ except Exception:
+ self.log.warning(
+ "Failed to add gidnumber to {0}".format(tdo.dn))
+
+ except errors.NotFound:
+ self.log.debug("No trusted domain object to update")
+ return False, ()
+
+ return False, ()
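Review bot: The `except Exception:` around `ldap.update_entry(tdo)` discards the cause of the failure, so a trusted domain object left without a gidNumber produces only a warning naming its DN, with nothing to tell a permission denial from a schema or connection problem. Bind the exception and include it in the message, e.g. `except Exception as e:` with `"Failed to add gidnumber to {0}: {1}".format(tdo.dn, e)`. Separately, the branch for a missing fallback group logs at error level; if this updater also runs on servers where AD trust was never configured (not visible in this hunk), that would log an error on every upgrade, and a debug-level message or an early "is AD trust configured" check would keep real failures easier to spot.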