#3910 Add new idrange types, ipa-ad-trust-subdomain and ipa-ad-trust-posix-subdomain, to support subdomain users and groups
Closed: Invalid. Opened 10 years ago by abbra.

For subdomains of a forest trust other than the root domain, one needs to create idranges to allow SSSD to enumerate users and groups from the subdomains.

For these two idrange types we cannot perform SID or domain name checks since there are no direct trust objects in IPA LDAP created for them. We need to introduce storage for the subdomain information and check SIDs/domain names against them.

As an intermediate step, using these new idrange types could skip the SID check, allowing a new idrange to be forcefully inserted for testing purposes.


We discussed the handling of idranges for subdomains, i.e. domains in a forest that are not the forest root, and (iirc) came to the following results:

  • we will use the same mapping type (algorithmic, POSIX IDs managed by AD) for the whole forest

  • if algorithmic mapping is used, each domain will get an individual idrange based on its domain SID like it is done for the forest root.

  • if the POSIX IDs are managed by AD we assume that the related attributes are replicated into the Global Catalog and that it is the responsibility of the AD administrators to avoid ID conflicts. With these assumptions the idrange defined in the idrange object of the forest root by the attributes ipaBaseID and ipaIDRangeSize can be used for the whole forest. To achieve this I would suggest creating the idrange objects for the subdomains with a new range type, e.g. ipa-ad-trust-posix-shared, with the same ipaBaseID and ipaIDRangeSize as the forest root. To make this work the checks for conflicts in the idranges must be modified to ignore this new range type. As an alternative, the idrange for the subdomains does not define ipaBaseID and ipaIDRangeSize but a reference to the forest root, e.g. the domain SID of the forest root. This would require a schema enhancement of the idrange objects.

Oh great, now I can't work on this ticket. I'd better fix this.

Releasing so that Alexander or Sumit can work on this ticket this week.

We came to a different solution for the case where the POSIX IDs are managed by AD. By default there will be no individual idrange for each member domain in a forest. If SSSD cannot find an idrange for a specific domain it will look at the idrange of the forest root. If this is of type ipa-ad-trust-posix it will be used for the member domain; if not, the member domain has no idrange and users and groups from this domain will be ignored. See also SSSD ticket https://fedorahosted.org/sssd/ticket/2101 .

Since no additional work is needed on the FreeIPA side I'll close this ticket as invalid.
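The resolution agreed on in the comment above, written out as an added Python model so the fallback and the "domain is ignored" case can be exercised; this is not FreeIPA's or SSSD's own code, and the IdRange class, the sample SIDs and the range values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Range types named on the ticket. Everything else here is a constructed
# model of the idrange objects, not FreeIPA's or SSSD's implementation.
AD_TRUST = "ipa-ad-trust"              # algorithmic mapping, one range per domain
AD_TRUST_POSIX = "ipa-ad-trust-posix"  # POSIX IDs managed by AD, reused forest-wide


@dataclass(frozen=True)
class IdRange:
    name: str
    range_type: str
    base_id: int     # ipaBaseID
    range_size: int  # ipaIDRangeSize

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.range_size


def resolve_idrange(domain_sid: str, forest_root_sid: str,
                    idranges: Dict[str, IdRange]) -> Optional[IdRange]:
    """Pick the idrange that applies to a trusted domain, as agreed on the ticket.

    idranges maps a domain SID to the idrange object for that domain.
    1. A domain with its own idrange uses it (the forest root, or a member
       domain under algorithmic mapping).
    2. Otherwise fall back to the forest root's idrange, but only when it is
       of type ipa-ad-trust-posix.
    3. Otherwise the domain has no idrange and its users/groups are ignored.
    """
    own = idranges.get(domain_sid)
    if own is not None:
        return own
    root = idranges.get(forest_root_sid)
    if root is not None and root.range_type == AD_TRUST_POSIX:
        return root
    return None


# Constructed sample forest: a root domain and one member domain that has no
# idrange of its own. SIDs, names and ID values are made up.
ROOT_SID = "S-1-5-21-1111-2222-3333"
MEMBER_SID = "S-1-5-21-4444-5555-6666"
POSIX_FOREST = {ROOT_SID: IdRange("AD.EXAMPLE_id_range", AD_TRUST_POSIX, 200000, 200000)}
ALGO_FOREST = {ROOT_SID: IdRange("AD.EXAMPLE_id_range", AD_TRUST, 1000000, 200000)}

if __name__ == "__main__":
    shared = resolve_idrange(MEMBER_SID, ROOT_SID, POSIX_FOREST)
    print("member uses root range:", shared.name if shared else None)
    print("member ignored under algorithmic root:", resolve_idrange(MEMBER_SID, ROOT_SID, ALGO_FOREST) is None)
```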

Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)

7 years ago

