From 703ab8c4dfb7f8fd1540c3849ad469d39695a26f Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Jan 25 2023 16:57:02 +0000 Subject: trust-add: handle missing msSFU30MaxGidNumber When ipa trust-add is executed with --range-type ad-trust-posix, the server tries to find the max uidnumber and max gidnumber from AD domain controller. The values are extracted from the entry CN=,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System, in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes. msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber. In case msSFU30MaxGidNumber is missing, the code is currently assigning a "None" value and later on evaluates the max between this value and msSFU30MaxUidNumber. The max function cannot compare None and a list of string and triggers an exception. To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber is missing. This way, the comparison succeeds and max returns the value from msSFU30MaxUidNumber. Fixes: https://pagure.io/freeipa/issue/9310 Signed-off-by: Florence Blanc-Renaud Reviewed-By: Rob Crittenden --- diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index c074f6d..79264b8 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -379,7 +379,10 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options): range_type = u'ipa-ad-trust-posix' max_uid = info.get('msSFU30MaxUidNumber') - max_gid = info.get('msSFU30MaxGidNumber', None) + # if max_gid is missing, assume 0 and the max will + # be obtained from max_uid. We just checked that + # msSFU30MaxUidNumber is defined + max_gid = info.get('msSFU30MaxGidNumber', [b'0']) max_id = int(max(max_uid, max_gid)[0]) base_id = int(info.get('msSFU30OrderNumber')[0])