As bug https://bugzilla.redhat.com/show_bug.cgi?id=1504701 showed, restoring a backup of a server where AD trust feature was configured does not necessarily leads to a working configuration if AD trust feature-providing packages were not installed.

A sequence of events is following:

• A default server configuration is created that includes freeipa-server but does not include freeipa-server-trust-ad subpackage and dependencies
• A ipa-restore --full is then run
• after a restore freeipa-server-trust-ad package is installed, bringing in samba and related packages
• Samba package installation scripts see /etc/samba/smb.conf existing and since no previous samba package was installed, the configuration file is backed up and replaced by the one from the samba package
• Now all required packages exist but samba server configuration is wrong as it does not correspond to what was restored with ipa-restore

The same will happen for any additional feature where ipa-restore replaces a configuration file tracked by rpm.

In order to avoid this problem, ipa-restore should track that features have their corresponding packages installed before performing a restore if files from a feature exist in the backup. In case of some packages missing, full backup should be refused and an error message with suggestions should be printed.