#3787 Unused trusted range cannot be deleted
Closed: Invalid None Opened 10 years ago by steeve.

idrange-del should check if IDs in a trusted range are being used before rejecting deletion.

# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password 
Active directory domain administrator's password: 
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-3052441428-1084853364-590233633
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1804800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3052441428-1084853364-590233633
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1381800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

Adding a new trusted range

# ipa idrange-add --dom-sid S-1-5-21-3052441428-1084853364-590233633 --rid-base 200000 --base-id 1805000000 --range-size 10 ad_range
First RID of the secondary RID range: 
-------------------------
Added ID range "ad_range"
-------------------------
  Range name: ad_range
  First Posix ID of the range: 1805000000
  Number of IDs in the range: 10
  First RID of the corresponding RID range: 200000
  Domain SID of the trusted domain: S-1-5-21-3052441428-1084853364-590233633
  Range type: Active Directory domain range

Deleting new trusted range gives error

[root@sun-v20z-01 ipa-idrange-cli]# ipa idrange-del ad_range
ipa: ERROR: ad_range cannot be deleted because Active Trust adtest.qe requires it <<<<<<<<<<<<<

We had a discussion with Sumit and Alexander, after which we came to the
conclusion that the bug described in the ticket should be expected behaviour.

Closing as invalid.

Metadata Update from @steeve:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2.x - 2013/07 (bug fixing)

7 years ago
