From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 30 Aug 2022 16:38:42 +0200
Subject: [PATCH] ipaserver: Add missing idstart check
|
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
This mirrors the freeipa commit "Require idstart to be larger than UID_MAX".
|
Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
---
roles/ipaserver/library/ipaserver_test.py | 13 ++++++++++++-
roles/ipaserver/module_utils/ansible_ipa_server.py | 7 ++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
|
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 2158150..f830f37 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import (
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
- encode_certificate, check_available_memory, getargspec, adtrustinstance
+ encode_certificate, check_available_memory, getargspec, adtrustinstance,
+ get_min_idstart
)
from ansible.module_utils import six
|
@@ -579,6 +580,16 @@ def main():
"'--ignore-topology-disconnect/--ignore-last-of-role' "
"options can be used only during uninstallation")
|
+ if get_min_idstart is not None:
+ min_idstart = get_min_idstart()
+ if self.idstart < min_idstart:
+ raise RuntimeError(
+ "idstart (%i) must be larger than UID_MAX/GID_MAX "
+ "(%i) setting in /etc/login.defs." % (
+ self.idstart, min_idstart
+ )
+ )
+
if self.idmax < self.idstart:
raise RuntimeError(
"idmax (%s) cannot be smaller than idstart (%s)" %
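Review bot: The comparison on the `if self.idstart < min_idstart:` line lets an idstart equal to UID_MAX/GID_MAX through, although both the error text on the following lines and the commit description say idstart must be larger than that value, and an equal idstart still collides with the last id the local range can hand out. Unless the intent is to mirror the upstream freeipa check byte for byte, tighten it to `if self.idstart <= min_idstart:`. When `get_min_idstart` is None (an IPA without the helper) the whole check is skipped without any message, so the overlap behind #896 remains possible there; at minimum mark that with `# get_min_idstart() unavailable in this IPA version: UID_MAX/GID_MAX overlap is not checked`. The new message also formats idstart with `%i` while the idmax check right below uses `%s`; `%s` stays consistent and cannot raise a TypeError should idstart arrive as a string. main() continues outside the hunk.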
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index aba6b68..5b1c4e5 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
"adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
"default_subject_base", "default_ca_subject_dn",
"check_ldap_conf", "encode_certificate", "decode_certificate",
- "check_available_memory", "getargspec"]
+ "check_available_memory", "getargspec", "get_min_idstart"]
|
import sys
|
@@ -200,6 +200,11 @@ else:
from ipalib.x509 import load_certificate
load_pem_x509_certificate = None
|
+ try:
+ from ipaserver.install.server.install import get_min_idstart
+ except ImportError:
+ get_min_idstart = None
+
else:
# IPA version < 4.5
|
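Review bot: The `except ImportError:` branch that sets `get_min_idstart = None` gives no reason for the fallback, and nothing here records that None makes the caller in ipaserver_test.py skip the UID_MAX/GID_MAX check altogether. Put that intent next to the try so the silent degradation is visibly deliberate, e.g. `# get_min_idstart() exists only in newer IPA releases; None disables the idstart-vs-UID_MAX/GID_MAX check in ipaserver_test`. The enclosing version switch (the if/else this sits in) starts before the hunk.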
--
2.37.3
|