SID validation in the idrange commands is too slack: it allows the SID of an object within the trusted domain to be specified as the SID of the trusted domain itself.
Alexander's comment:
The last RID of the SID represents an object within the domain, and we generally need to be careful about allowing it in the place where the domain SID is specified:

```
# ipa idrange-mod AD.LAN_id_range --dom-sid S-1-5-21-3502988750-125904550-3683905862-1
-----------------------------------
Modified ID range "AD.LAN_id_range"
-----------------------------------
  Range name: AD.LAN_id_range
  First Posix ID of the range: 1442800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
  Range type: Active Directory domain range
```
Now this range is completely unusable due to the fact that there is no way to match the domain SID against the range.
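The check the ticket asks for, as an added example that is not FreeIPA's own code: a strict domain-SID validator for the `--dom-sid` value (a domain SID is `S-1-5-21-a-b-c` with no trailing RID), plus a simplified range lookup by SID prefix that shows why a range stored with an object SID can never be matched. The `ranges` dict shape is an assumption made for the example.

```python
# Added example (not FreeIPA's code): strict --dom-sid validation and a
# simplified SID-to-range lookup that fails once an object SID was stored.

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID: %r" % sid)
    try:
        nums = [int(p) for p in parts[2:]]
    except ValueError:
        raise ValueError("malformed SID: %r" % sid)
    # Sub-authorities are unsigned 32-bit values.
    if any(n < 0 or n > 0xFFFFFFFF for n in nums[1:]):
        raise ValueError("sub-authority out of range: %r" % sid)
    return nums[0], nums[1:]

def is_domain_sid(sid):
    """True only for S-1-5-21-a-b-c: NT authority, 21, three IDs, no RID."""
    try:
        authority, subs = parse_sid(sid)
    except ValueError:
        return False
    return authority == 5 and len(subs) == 4 and subs[0] == 21

def validate_dom_sid(sid):
    """Accept a bare domain SID; reject object SIDs, naming the stray RID."""
    if is_domain_sid(sid):
        return sid
    _, subs = parse_sid(sid)          # re-raises on malformed input
    if len(subs) > 4 and subs[0] == 21:
        raise ValueError("%s is an object SID (RID %d), not a domain SID"
                         % (sid, subs[-1]))
    raise ValueError("%s is not a domain SID" % sid)

def range_for_sid(object_sid, ranges):
    """Find the range whose stored dom-sid equals the object SID minus its RID.

    `ranges` maps range name -> stored dom-sid (assumed shape). Returns None
    when nothing matches, which is what happens after the bad idrange-mod.
    """
    domain_sid = object_sid.rsplit("-", 1)[0]
    for name, dom_sid in ranges.items():
        if dom_sid == domain_sid:
            return name
    return None
```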
master: 04a17f0
ipa-3-1: 849aa52
Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2 - 2013/03