From 18540386230e295087296e58761ced2b781ae4e3 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Nov 21 2019 09:44:37 +0000

Subject: Do not run trust upgrade code if master lacks Samba bindings

If a replica has no Samba bindings but there are trust agreements

configured on some trust controller, skip trust upgrade code on this

replica.

Resolves: https://pagure.io/freeipa/issue/8001

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Thomas Woerner <twoerner@redhat.com>

---

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py

index b7bb53f..2a9b4f0 100644

--- a/ipaserver/install/plugins/adtrust.py

+++ b/ipaserver/install/plugins/adtrust.py

@@ -24,6 +24,8 @@ except ImportError:

     def ndr_unpack(x):

         raise NotImplementedError

+    drsblobs = None

+

 logger = logging.getLogger(__name__)

 register = Registry()

@@ -633,6 +635,10 @@ class update_tdo_to_new_layout(Updater):

             logger.debug('AD Trusts are not enabled on this server')

             return False, []

+        # If we have no Samba bindings, this master is not a trust controller

+        if drsblobs is None:

+            return False, []

+

         ldap = self.api.Backend.ldap2

         gidNumber = get_gidNumber(ldap, self.api.env)

         if gidNumber is None: