Bug 1075704

Summary: Unable to add trust successfully with --trust-secret
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: urgent
Priority: urgent
Version: 7.0
CC: dpal, rcritten
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.3.3-23.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:21:03 UTC
Type: Bug

Description Steeve Goveas 2014-03-12 15:54:14 UTC
Description of problem:
Adding trust from AD side with --trust-secret fails with error
"ipa: ERROR: invalid 'ipanttrusteddomainsid': must be Unicode text"

Version-Release number of selected component (if applicable):
ipa-server-3.3.3-21.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
    [root@dhcp207-218 ~]# ipa trust-add adtest.qe --trust-secret
    Shared secret for the trust:
    ipa: ERROR: invalid 'ipanttrusteddomainsid': must be Unicode text
     
    [root@dhcp207-218 ~]# ipa trust-show adtest.qe
      Realm name: adtest.qe
      Domain NetBIOS name: ADTEST
      Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
      Trust direction: Two-way trust
      Trust type: Active Directory domain
     
    [root@dhcp207-218 ~]# ipa idrange-find
    ---------------
    1 range matched
    ---------------
      Range name: TESTRELM.TEST_id_range
      First Posix ID of the range: 1752200000
      Number of IDs in the range: 200000
      First RID of the corresponding RID range: 1000
      First RID of the secondary RID range: 100000000
      Range type: local domain range
    ----------------------------
    Number of entries returned 1
    ----------------------------


Expected results:
trust add is successful

Additional info:

Comment 2 Dmitri Pal 2014-03-12 16:01:42 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4246

Comment 5 Steeve Goveas 2014-03-18 12:26:58 UTC
[root@dhcp207-218 ~]# ipa trust-add adtest.qe --trust-secret
Shared secret for the trust:
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
 
[root@dhcp207-218 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
 
[root@dhcp207-218 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range
 
  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1857000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

* Run trust-fetch-domains to retrieve topology of AD forest

[root@dhcp207-218 ~]# ipa trust-fetch-domains adtest.qe
--------------------------------------------
List of trust domains successfully refreshed
--------------------------------------------
  Realm name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-218 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-218 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1857000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

Verified in version
[root@dhcp207-218 ~]# rpm -q ipa-server
ipa-server-3.3.3-25.el7.x86_64

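Added example, not part of the bug report and not FreeIPA's own code: a Python script that replays the post-trust-add checks from comment 5 offline. It parses `ipa idrange-find` and `ipa trustdomain-find` output (the sample below is re-typed from that comment; the field labels are assumed to be exactly what those commands print), confirms every trusted domain SID has an "Active Directory domain range", that no two POSIX ID ranges overlap, and, for the error in the original report, shows the kind of type check that produces "must be Unicode text": the `ensure_text`/`validate_sid` helpers are illustrative stand-ins for IPA's own parameter validation, not its implementation.

```python
import re
from typing import Dict, List

# Constructed sample input: the idrange-find / trustdomain-find output from the
# comment above, re-typed here so the script runs offline.
IDRANGE_FIND = """\
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1857000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------
"""

TRUSTDOMAIN_FIND = """\
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# Shape of a domain SID: S-1-<identifier authority>-<one or more sub-authorities>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def ensure_text(value) -> str:
    """Illustrative stand-in (assumption, not IPA's code) for the check behind
    "must be Unicode text": str passes, bytes are decoded, anything else is rejected."""
    if isinstance(value, str):
        return value
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).decode("utf-8")
    raise TypeError("SID must be text, got %s" % type(value).__name__)


def validate_sid(value) -> str:
    """Return the SID as text, or raise if it is not text or not SID-shaped."""
    sid = ensure_text(value)
    if not SID_RE.match(sid):
        raise ValueError("not a well-formed SID: %r" % sid)
    return sid


def parse_blocks(output: str) -> List[Dict[str, str]]:
    """Split `ipa *-find` output into one dict of 'Field: value' pairs per entry.
    Blank lines, dashed rules and the 'N ranges matched' line end an entry."""
    blocks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line[0].isdigit():
            if current:
                blocks.append(current)
                current = {}
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    if current:
        blocks.append(current)
    return blocks


def check_trust_ranges(idrange_output: str, trustdomain_output: str) -> List[str]:
    """Return a list of problems; an empty list means ranges and trusted domains agree."""
    problems: List[str] = []
    trusted = {validate_sid(d["Domain Security Identifier"]): d["Domain name"]
               for d in parse_blocks(trustdomain_output)}
    covered = set()
    spans = []
    for r in parse_blocks(idrange_output):
        base = int(r["First Posix ID of the range"])
        size = int(r["Number of IDs in the range"])
        spans.append((base, base + size, r["Range name"]))
        if r["Range type"] == "Active Directory domain range":
            sid = validate_sid(r["Domain SID of the trusted domain"])
            if sid not in trusted:
                problems.append("%s: SID %s is not a known trusted domain" % (r["Range name"], sid))
            covered.add(sid)
    for sid, name in trusted.items():
        if sid not in covered:
            problems.append("trusted domain %s (%s) has no ID range" % (name, sid))
    # Overlapping POSIX ranges would map two different SIDs onto the same UID/GID.
    spans.sort()
    for (s1, e1, n1), (s2, e2, n2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append("ID ranges %s and %s overlap" % (n1, n2))
    return problems


if __name__ == "__main__":
    for line in check_trust_ranges(IDRANGE_FIND, TRUSTDOMAIN_FIND) or ["ranges consistent"]:
        print(line)
```

On a live server the two string constants would be replaced by the output of `ipa idrange-find` and `ipa trustdomain-find <realm>`; the script is deliberately strict about the SID type so that a byte-string SID fails at `validate_sid` with a readable message instead of surfacing as the "must be Unicode text" error from the framework.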
Comment 6 Ludek Smid 2014-06-13 12:21:03 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.