Bug 1070925

Summary: trust-add for POSIX AD does not fetch trustdomains
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: rcritten, sgoveas
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.3.3-20.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:58:18 UTC

Description Martin Kosek 2014-02-27 18:30:52 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4205

Trustdomains are missing unless `trust-fetch-domains` is called:

{{{
# echo Secret123456 | ipa trust-add tbad.example.com --admin "TBAD\Administrator" --password
------------------------------------------------------------------------
Added Active Directory trust for realm "tbad.example.com"
------------------------------------------------------------------------
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

# ipa trustdomain-find tbad.example.com
  Domain name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

# ipa trust-fetch-domains tbad.example.com
--------------------------------------------
List of trust domains successfully refreshed
--------------------------------------------
  Realm name: child.tbad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
----------------------------
Number of entries returned 1
----------------------------

# ipa trustdomain-find tbad.example.com
  Domain name: child.tbad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
  Domain enabled: True

  Domain name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
}}}
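The transcript above shows the symptom in raw CLI output: right after `trust-add`, `trustdomain-find` lists only the forest root, and the child domain appears only once `trust-fetch-domains` has run. The following is an added example, not FreeIPA code and not part of the bug report: it parses the text that `ipa trustdomain-find <realm>` prints (in the format shown above, including the echoed `Realm name:` prompt seen in the verification comment) and flags a trust whose list contains nothing but the forest root, so an operator can spot an undiscovered topology before users from a child domain fail to resolve. The sample outputs are constructed from the values in this bug; the function names and the count/SID sanity checks are this example's own.

```python
"""Detect an AD trust whose forest topology has not been discovered.

Added example for this bug page, not FreeIPA code. It parses the output of
`ipa trustdomain-find <realm>` (format as shown in the bug) and reports a
trust that lists only the forest root, which is what the bug produced until
`ipa trust-fetch-domains` was run.
"""
import re
from typing import Dict, List

# Constructed samples shaped like the bug description's output, captured
# before and after `ipa trust-fetch-domains tbad.example.com`.
BEFORE_FETCH = """\
  Domain name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
"""

AFTER_FETCH = """\
Realm name: tbad.example.com
  Domain name: child.tbad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-972585150-1048339146-1910910075
  Domain enabled: True

  Domain name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# A domain SID has the form S-1-5-21-<a>-<b>-<c>; anything else is suspect.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")
COUNT_RE = re.compile(r"^Number of entries returned (\d+)$")


def parse_trustdomains(text: str) -> List[Dict[str, str]]:
    """Split the CLI output into one dict per trusted domain.

    A record starts at 'Domain name:'; anything before the first record
    (such as the echoed 'Realm name:' prompt) is ignored. The number of
    parsed records is checked against the 'Number of entries returned'
    trailer so a truncated capture is rejected instead of silently accepted.
    """
    domains: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    reported = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            reported = int(m.group(1))
            continue
        key, sep, value = line.partition(":")
        if not sep:  # blank lines and '----' separators
            continue
        key, value = key.strip(), value.strip()
        if key == "Domain name":
            if current:
                domains.append(current)
            current = {key: value}
        elif current:
            current[key] = value
    if current:
        domains.append(current)
    if reported is not None and reported != len(domains):
        raise ValueError(f"parsed {len(domains)} domains, trailer says {reported}")
    for d in domains:
        sid = d.get("Domain Security Identifier", "")
        if not DOMAIN_SID_RE.match(sid):
            raise ValueError(f"unexpected SID {sid!r} for {d.get('Domain name')}")
    return domains


def subdomains(text: str, forest_root: str) -> List[str]:
    """Return the trusted domains other than the forest root, sorted."""
    root = forest_root.lower()
    names = [d["Domain name"].lower() for d in parse_trustdomains(text)]
    if root not in names:
        raise ValueError(f"forest root {forest_root} not in trustdomain list")
    return sorted(n for n in names if n != root)


def topology_missing(text: str, forest_root: str) -> bool:
    """True when only the forest root is listed, the symptom from this bug.

    A genuine single-domain forest also returns True, so treat the result as
    'run ipa trust-fetch-domains and compare', not as proof of the bug.
    """
    return not subdomains(text, forest_root)
```

The trailer check matters in practice: a capture that stops at the first record would otherwise look exactly like the buggy state, and the SID check catches a record that was split across an unexpected blank line.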

Comment 1 Martin Kosek 2014-02-28 08:24:52 UTC
Fixed upstream:

master:
41ca5afba79110a8dfb9dd713df2d909b5210294 trust: make sure we always discover topology of the forest trust

ipa-3-3:
906b60ee8a728f2d1c557e73d05d7557e388c97f trust: make sure we always discover topology of the forest trust

Comment 3 Steeve Goveas 2014-03-18 07:22:03 UTC
[root@dhcp207-218 ~]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 906800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-218 ~]# ipa trustdomain-find
Realm name: adposix.qe
ipa: ERROR: no such entry

[root@dhcp207-218 ~]# echo Secret123 | ipa trust-add adposix.qe --admin administrator --password
---------------------------------------------------
Added Active Directory trust for realm "adposix.qe"
---------------------------------------------------
  Realm name: adposix.qe
  Domain NetBIOS name: ADPOSIX
  Domain Security Identifier: S-1-5-21-3655340000-3880942204-3419777279
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-218 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADPOSIX.QE_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-3655340000-3880942204-3419777279
  Range type: Active Directory trust range with POSIX attributes

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 906800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-218 ~]# ipa trustdomain-find
Realm name: adposix.qe
  Domain name: adposix.qe
  Domain NetBIOS name: ADPOSIX
  Domain Security Identifier: S-1-5-21-3655340000-3880942204-3419777279
  Domain enabled: True

  Domain name: lab.adposix.qe
  Domain NetBIOS name: LAB
  Domain Security Identifier: S-1-5-21-3961109305-3660795254-274566355
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Verified in version
[root@dhcp207-218 ~]# rpm -q ipa-server
ipa-server-3.3.3-25.el7.x86_64

Comment 4 Ludek Smid 2014-06-13 10:58:18 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.