Secondary rid range cannot be specified when adding an ID range for a trusted domain. However, the secondary rid range overlap check is performed on them. This causes an error when adding a second ID range for a trusted domain.
[tbabej@vm-073 freeipa]$ ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IPA.ADTEST.EXAMPLE.COM_id_range
  First Posix ID of the range: 1768600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: ADTEST.EXAMPLE.COM_id_range
  First Posix ID of the range: 1310800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-4020879869-1603628879-716353140
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[tbabej@vm-073 freeipa]$ ipa idrange-add test1 --dom-name=adtest.example.com --rid-base=500 --base-id=50 --range-size=5
----------------------
Added ID range "test1"
----------------------
  Range name: test1
  First Posix ID of the range: 50
  Number of IDs in the range: 5
  First RID of the corresponding RID range: 500
  Domain SID of the trusted domain: S-1-5-21-4020879869-1603628879-716353140
  Range type: Active Directory domain range
[tbabej@vm-073 freeipa]$ ipa idrange-add test2 --dom-name=adtest.example.com --rid-base=600 --base-id=60 --range-size=5
ipa: ERROR: Constraint violation: New secondary rid range overlaps with existing secondary rid range.
[tbabej@vm-073 freeipa]$
Effectively, this means we can have only one ID range per trusted domain defined.
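A sketch of a range check that avoids the failure reported above, as an added example that is not FreeIPA's code and not the fix referenced in this ticket. It assumes the secondary RID comparison should run only when both ranges define a secondary RID base; `IdRange`, `overlaps`, `find_conflict` and `LOCAL2` are hypothetical names, and the other range values are taken from the session above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    rid_base: int
    secondary_rid_base: Optional[int] = None  # None: trusted-domain range


def overlaps(start_a, start_b, size_a, size_b):
    """True if the half-open intervals [start, start + size) intersect."""
    return start_a < start_b + size_b and start_b < start_a + size_a


def find_conflict(new, existing):
    """Return a reason string for the first conflict found, else None."""
    for old in existing:
        if overlaps(new.base_id, old.base_id, new.size, old.size):
            return f"base ID range overlaps with {old.name}"
        # Assumption: skip the secondary check unless both sides define a
        # secondary RID base, so trusted-domain ranges never trip it.
        if new.secondary_rid_base is None or old.secondary_rid_base is None:
            continue
        if overlaps(new.secondary_rid_base, old.secondary_rid_base,
                    new.size, old.size):
            return f"secondary RID range overlaps with {old.name}"
    return None


# Ranges listed by `ipa idrange-find` in the ticket.
LOCAL = IdRange("IPA.ADTEST.EXAMPLE.COM_id_range", 1768600000, 200000,
                1000, 100000000)
AD = IdRange("ADTEST.EXAMPLE.COM_id_range", 1310800000, 200000, 0)
# Ranges the ticket tries to add for the trusted domain.
TEST1 = IdRange("test1", 50, 5, 500)
TEST2 = IdRange("test2", 60, 5, 600)
# Constructed local range whose secondary RID range collides with LOCAL.
LOCAL2 = IdRange("local2", 1768900000, 200000, 300000, 100100000)

if __name__ == "__main__":
    ranges = [LOCAL, AD]
    for candidate in (TEST1, TEST2, LOCAL2):
        reason = find_conflict(candidate, ranges)
        print(candidate.name, "->", reason or "accepted")
        if reason is None:
            ranges.append(candidate)
```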
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=907918
master: 8d43235
ipa-3-1: c282e74
Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.2 - 2013/03