From ca11a28cab0d3bcc4b92187f50b8de4178da4fce Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 21 Nov 2013 14:44:42 +0100
Subject: trusts: Do not pass base-id to the subdomain ranges

For trusted domains base id is calculated using a murmur3 hash of the
domain Security Identifier (SID). During trust-add we create ranges for
forest root domain and other forest domains. Since --base-id explicitly
overrides generated base id for forest root domain, its value should not
be passed to other forest domains' ranges -- their base ids must be
calculated based on their SIDs.

In case base id change for non-root forest domains is required, it can
be done manually through idrange-mod command after the trust is
established.

https://fedorahosted.org/freeipa/ticket/4041
---
 ipalib/plugins/trust.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 32a938343..5ba090503 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -375,6 +375,11 @@ sides.
                     passed_options = options
                     passed_options.update(range_type=created_range_type)
 
+                    # Do not pass the base id to the subdomains since it would
+                    # clash with the root level domain
+                    if 'base_id' in passed_options:
+                        del passed_options['base_id']
+
                     # Try to add the range for each subdomain
                     try:
                         self.add_range(range_name, dom_sid, *keys,
-- 
cgit