From 18540386230e295087296e58761ced2b781ae4e3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Nov 21 2019 09:44:37 +0000
Subject: Do not run trust upgrade code if master lacks Samba bindings


If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>

---

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index b7bb53f..2a9b4f0 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -24,6 +24,8 @@ except ImportError:
     def ndr_unpack(x):
         raise NotImplementedError
 
+    drsblobs = None
+
 logger = logging.getLogger(__name__)
 
 register = Registry()
@@ -633,6 +635,10 @@ class update_tdo_to_new_layout(Updater):
             logger.debug('AD Trusts are not enabled on this server')
             return False, []
 
+        # If we have no Samba bindings, this master is not a trust controller
+        if drsblobs is None:
+            return False, []
+
         ldap = self.api.Backend.ldap2
         gidNumber = get_gidNumber(ldap, self.api.env)
         if gidNumber is None: