Bug 1033216

Summary: Re-adding existing trust fails
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: jgalipea, nsoman, rcritten, spoore
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.3.3-6.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 11:10:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Attachments:
  Http error logs with samba log level 100 (Flags: none)

Description Steeve Goveas 2013-11-21 17:47:38 UTC
Created attachment 827403: Http error logs with samba log level 100

Description of problem:
Re-adding a trust that already exists fails with the error
"ipa: ERROR: CIFS server communication error: code "-1073741811",
                  message "Unexpected information received" (both may be "None")"


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.3.3-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add trust with an AD server
2. Repeat trust-add with same AD server

Actual results:
[root@rhel7-b ~]# cat /usr/share/ipa/smb.conf.empty
[global]
log level = 100

[root@rhel7-b ~]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password:
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-b ~]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741811",
                  message "Unexpected information received" (both may be "None")

Expected results:
Trust is re-established without any errors

Additional info:
Pasting ab's investigation from email

Ok, according to the logs this is one of the cases where we should wait a
bit to allow the KDC to refresh the list of trusted domains before we go to the
AD DC to fetch its forest topology information:

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for @TESTRELM will expire in 86399 secs
Server cifs/ad12srv1.adtest.qe@ is not registered with our KDC:
Unspecified GSS failure.  Minor code may provide more information:
Server krbtgt/ADTEST.QE not found in Kerberos database
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
Failed initial gensec_update with mechanism spnego:
NT_STATUS_INVALID_PARAMETER

We already force the KDC to refresh, but some race could still be there, I
guess.

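As an added illustration (not part of the bug report or of the ipa project's code): the signed code in the `ipa trust-add` error, -1073741811, is NTSTATUS 0xC000000D, i.e. the same NT_STATUS_INVALID_PARAMETER that ends the Samba log above, and the log signature ab points at (krbtgt for the AD realm missing from the local KDC, followed by the SPNEGO NEG_TOKEN_INIT failure) can be picked out mechanically from a level-100 Samba log. The log text is a constructed sample copied from the comment; the function names are this example's own.

```python
import re

# Samba debug excerpt from the bug report's "Additional info"
# (constructed sample input for this example).
SAMBA_LOG = """\
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for @TESTRELM will expire in 86399 secs
Server cifs/ad12srv1.adtest.qe@ is not registered with our KDC:
Unspecified GSS failure.  Minor code may provide more information:
Server krbtgt/ADTEST.QE not found in Kerberos database
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
Failed initial gensec_update with mechanism spnego:
NT_STATUS_INVALID_PARAMETER
"""

# NTSTATUS values as 32-bit unsigned; STATUS_INVALID_PARAMETER is 0xC000000D.
NTSTATUS_NAMES = {0xC000000D: "NT_STATUS_INVALID_PARAMETER"}

# The cross-realm TGS principal the local KDC could not find.
KRBTGT_MISSING = re.compile(
    r"Server krbtgt/(?P<realm>[A-Za-z0-9.\-]+) not found in Kerberos database")
# The SPNEGO failure that follows once gssapi_krb5 has no usable ticket.
NEG_TOKEN_FAILED = re.compile(r"NEG_TOKEN_INIT failed: (?P<status>NT_STATUS_\w+)")


def ntstatus_from_ipa_code(code: int) -> str:
    """Map the signed 32-bit code printed by `ipa trust-add`
    (e.g. -1073741811) to its NTSTATUS name; unknown values come back as hex."""
    unsigned = code & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(unsigned, f"0x{unsigned:08X}")


def diagnose_trust_add(log_text: str):
    """Return the AD realm whose krbtgt the local KDC did not yet know about
    and the SPNEGO status, or None when the signature is absent.
    Both lines must appear, in that order, to count as a match."""
    realm = None
    for line in log_text.splitlines():
        m = KRBTGT_MISSING.search(line)
        if m:
            realm = m.group("realm")
            continue
        m = NEG_TOKEN_FAILED.search(line)
        if m and realm is not None:
            return {"missing_krbtgt_realm": realm,
                    "spnego_status": m.group("status")}
    return None
```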
Comment 2 Jenny Severance 2013-11-21 18:48:36 UTC
Although this is a regression, it should not block the beta release.

Comment 4 Dmitri Pal 2013-11-21 20:29:30 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4046

Comment 8 Steeve Goveas 2013-12-18 15:11:51 UTC
[root@hp-dl380pgen8-02-vm-8 ~]# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@hp-dl380pgen8-02-vm-8 ~]# ipa trust-add adtest.qe --admin administrator --password
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@hp-dl380pgen8-02-vm-8 ~]# ipa trust-add adtest.qe --admin administrator --password
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Verified in version
[root@hp-dl380pgen8-02-vm-8 ~]# rpm -q ipa-server
ipa-server-3.3.3-6.el7.x86_64

Comment 9 Ludek Smid 2014-06-13 11:10:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.