
From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 30 Aug 2022 16:38:42 +0200
Subject: [PATCH] ipaserver: Add missing idstart check
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
This mirrors the freeipa change "Require idstart to be larger than UID_MAX".
Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
---
 roles/ipaserver/library/ipaserver_test.py          | 13 ++++++++++++-
 roles/ipaserver/module_utils/ansible_ipa_server.py |  7 ++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
9b9c8d
index 2158150..f830f37 100644
9b9c8d
--- a/roles/ipaserver/library/ipaserver_test.py
9b9c8d
+++ b/roles/ipaserver/library/ipaserver_test.py
9b9c8d
@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import (
9b9c8d
     read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
9b9c8d
     check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
9b9c8d
     validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
9b9c8d
-    encode_certificate, check_available_memory, getargspec, adtrustinstance
9b9c8d
+    encode_certificate, check_available_memory, getargspec, adtrustinstance,
9b9c8d
+    get_min_idstart
9b9c8d
 )
9b9c8d
 from ansible.module_utils import six
9b9c8d
 
9b9c8d
@@ -579,6 +580,16 @@ def main():
9b9c8d
                     "'--ignore-topology-disconnect/--ignore-last-of-role' "
9b9c8d
                     "options can be used only during uninstallation")
9b9c8d
 
9b9c8d
+            if get_min_idstart is not None:
9b9c8d
+                min_idstart = get_min_idstart()
9b9c8d
+                if self.idstart < min_idstart:
9b9c8d
+                    raise RuntimeError(
9b9c8d
+                        "idstart (%i) must be larger than UID_MAX/GID_MAX "
9b9c8d
+                        "(%i) setting in /etc/login.defs." % (
9b9c8d
+                            self.idstart, min_idstart
9b9c8d
+                        )
9b9c8d
+                    )
9b9c8d
+
9b9c8d
             if self.idmax < self.idstart:
9b9c8d
                 raise RuntimeError(
9b9c8d
                     "idmax (%s) cannot be smaller than idstart (%s)" %
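Review bot: The comparison `if self.idstart < min_idstart:` lets an idstart that is exactly equal to the login.defs limit pass, while the message raised two lines later says it "must be larger than UID_MAX/GID_MAX"; unless get_min_idstart() already returns the limit plus one (not visible here), the check should read `if self.idstart <= min_idstart:`, or the message should say "at least". The whole check is also skipped without any warning when get_min_idstart is None, so on IPA builds that lack the helper a too-low idstart still reaches deployment; consider at least logging that the check was skipped, or parsing UID_MAX/GID_MAX from /etc/login.defs locally as a fallback. main() starts and ends outside this hunk.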
9b9c8d
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
9b9c8d
index aba6b68..5b1c4e5 100644
9b9c8d
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
9b9c8d
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
9b9c8d
@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
9b9c8d
            "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
9b9c8d
            "default_subject_base", "default_ca_subject_dn",
9b9c8d
            "check_ldap_conf", "encode_certificate", "decode_certificate",
9b9c8d
-           "check_available_memory", "getargspec"]
9b9c8d
+           "check_available_memory", "getargspec", "get_min_idstart"]
9b9c8d
 
9b9c8d
 import sys
9b9c8d
 
9b9c8d
@@ -200,6 +200,11 @@ else:
9b9c8d
             from ipalib.x509 import load_certificate
9b9c8d
             load_pem_x509_certificate = None
9b9c8d
 
9b9c8d
+        try:
9b9c8d
+            from ipaserver.install.server.install import get_min_idstart
9b9c8d
+        except ImportError:
9b9c8d
+            get_min_idstart = None
9b9c8d
+
9b9c8d
     else:
9b9c8d
         # IPA version < 4.5
9b9c8d
 
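Review bot: `get_min_idstart` is bound only inside the IPA >= 4.5 branch; the `else:` branch at the end of the hunk (IPA < 4.5, which continues past it) and whatever branch pairs with the enclosing `else:` named in the hunk header do not appear to bind it, yet the name is exported via `__all__` and imported unconditionally by ipaserver_test.py, so on those paths the import would raise ImportError before any check runs unless they define it somewhere outside this view. Binding `get_min_idstart = None` in each branch that does not have the helper keeps the import working and the `is not None` guard in the caller meaningful. A comment on the except branch such as `# None: this IPA version has no get_min_idstart, so the idstart/login.defs check is skipped` would also make the silent fallback explicit to the next reader.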
9b9c8d
-- 
2.37.3