Bug 1168376
| Summary: | Clean up debug log for trust-add | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | pvoborni, rcritten, sgoveas |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.1.0-14.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:15:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Steeve Goveas
2014-11-26 18:02:21 UTC
I don't think this is a bug. -vv/-vvv options are used for CLI debugging and displaying this information in a console output is IMHO desired. The same happens in other commands, e.g., user-add --password. I didn't see the password saved in an actual log. Did I miss something?

In this bug we need to remove the ipanttrustauthincoming/ipanttrustauthoutgoing attributes before sending them to the client and fix the encoding error. An upstream ticket has been opened for the encoding issue, since it affects more commands https://fedorahosted.org/freeipa/ticket/4773

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4787

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4773

Fixed upstream:

removal of ipanttrustauthincoming/ipanttrustauthoutgoing attrs from output:
master: https://fedorahosted.org/freeipa/changeset/b0f412177fd36e81e71bea63b8923825c7ab28dd
ipa-4-1: https://fedorahosted.org/freeipa/changeset/333b899770762936372116ba472e42cabaaaecda

Encoding error fix:
master:
* a18ef90284f627bdde1e264e5e3db3a52031feec rpcclient: use json_encode_binary for verbose output
ipa-4-1:
* 872ba41c3b8ccc7beaaaf19e8a30f0caa8a1fa36 rpcclient: use json_encode_binary for verbose output

better links for the encoding fix:
master: https://fedorahosted.org/freeipa/changeset/a18ef90284f627bdde1e264e5e3db3a52031feec
ipa-4-1: https://fedorahosted.org/freeipa/changeset/872ba41c3b8ccc7beaaaf19e8a30f0caa8a1fa36

Verified in version

[root@vm-idm-019 ~]# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64

[root@vm-idm-019 ~]# echo Secret123 | ipa -vvv trust-add adtest.qe --admin Administrator --password
ipa: INFO: trying https://vm-idm-019.ipaviews.test/ipa/session/json
ipa: INFO: Forwarding 'trust_add' to json server 'https://vm-idm-019.ipaviews.test/ipa/session/json'
ipa: INFO: Request: { "id": 0, "method": "trust_add", "params": [ [ "adtest.qe" ], { "all": false, "raw": false, "realm_admin": "Administrator", "realm_passwd": "Secret123", "trust_type": "ad", "version": "2.112" } ] }
send: u'POST /ipa/session/json HTTP/1.1\r\nHost: vm-idm-019.ipaviews.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://vm-idm-019.ipaviews.test/ipa/xml\r\nCookie: ipa_session=1e52dbba0c13c73806858a7e01ac2174;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 190\r\n\r\n{"params": [["adtest.qe"], {"all": false, "realm_passwd": "Secret123", "raw": false, "realm_admin": "Administrator", "version": "2.112", "trust_type": "ad"}], "method": "trust_add", "id": 0}'
reply: 'HTTP/1.1 401 Unauthorized\r\n'
header: Date: Tue, 27 Jan 2015 12:29:39 GMT
header: Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.16.2.3 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Content-Length: 0
header: Content-Type: text/plain; charset=UTF-8
ipa: INFO: trying https://vm-idm-019.ipaviews.test/ipa/json
ipa: INFO: Forwarding 'trust_add' to json server 'https://vm-idm-019.ipaviews.test/ipa/json'
ipa: INFO: Request: { "id": 0, "method": "trust_add", "params": [ [ "adtest.qe" ], { "all": false, "raw": false, "realm_admin": "Administrator", "realm_passwd": "Secret123", "trust_type": "ad", "version": "2.112" } ] }
send: u'POST /ipa/json HTTP/1.1\r\nHost: vm-idm-019.ipaviews.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://vm-idm-019.ipaviews.test/ipa/xml\r\nAuthorization: negotiate\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 190\r\n\r\n{"params": [["adtest.qe"], {"all": false, "realm_passwd": "Secret123", "raw": false, "realm_admin": "Administrator", "version": "2.112", "trust_type": "ad"}], "method": "trust_add", "id": 0}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Tue, 27 Jan 2015 12:29:39 GMT
header: Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.16.2.3 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Set-Cookie: ipa_session=0ca46d159d0b80c9bf3f465ce09e0efd; Domain=vm-idm-019.ipaviews.test; Path=/ipa; Expires=Tue, 27 Jan 2015 12:50:09 GMT; Secure; HttpOnly
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvNQ1Cbfrc5ZUxr0rDTnwP6zclO5XfNDd2UMLHux5+Lg7xGFJekRyCtjJM6D7G9zyNiQz4eZzKyedWiybaIwGjP8vGLCwnTojhkFWu7RFCwtsbtGxNWBDllHxTq/ECdGQpbYuH1fvYUsAT/nPZDFlm
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Content-Length: 581
header: Content-Type: application/json; charset=utf-8
body: '{\n "error": null, \n "id": 0, \n "principal": "admin", \n "result": {\n "result": {\n "cn": [\n "adtest.qe"\n ], \n "ipantflatname": [\n "ADTEST"\n ], \n "ipantsecurityidentifier": [\n "S-1-5-21-1796645600-2667531414-1194413864-1022"\n ], \n "ipantsidblacklistincoming": [\n "S-1-5-20", \n "S-1-5-3", \n "S-1-5-2", \n "S-1-5-1", \n "S-1-5-7", \n "S-1-5-6", \n "S-1-5-5", \n "S-1-5-4", \n "S-1-5-9", \n "S-1-5-8", \n "S-1-5-17", \n "S-1-5-16", \n "S-1-5-15", \n "S-1-5-14", \n "S-1-5-13", \n "S-1-5-12", \n "S-1-5-11", \n "S-1-5-10", \n "S-1-3", \n "S-1-2", \n "S-1-1", \n "S-'
body: '1-0", \n "S-1-5-19", \n "S-1-5-18"\n ], \n "ipantsidblacklistoutgoing": [\n "S-1-5-20", \n "S-1-5-3", \n "S-1-5-2", \n "S-1-5-1", \n "S-1-5-7", \n "S-1-5-6", \n "S-1-5-5", \n "S-1-5-4", \n "S-1-5-9", \n "S-1-5-8", \n "S-1-5-17", \n "S-1-5-16", \n "S-1-5-15", \n "S-1-5-14", \n "S-1-5-13", \n "S-1-5-12", \n "S-1-5-11", \n "S-1-5-10", \n "S-1-3", \n "S-1-2", \n "S-1-1", \n "S-1-0", \n "S-1-5-19", \n "S-1-5-18"\n ], \n "ipantsupportedencryptiontypes": [\n "28"\n ], \n "ipanttrustattributes": [\n "8"\n ], \n "ipanttrustdirection": [\n "3'
body: '"\n ], \n "ipanttrusteddomainsid": [\n "S-1-5-21-1910160501-511572375-3625658879"\n ], \n "ipanttrustpartner": [\n "adtest.qe"\n ], \n "ipanttrustposixoffset": [\n "0"\n ], \n "ipanttrusttype": [\n "2"\n ], \n "objectclass": [\n "top", \n "ipaNTTrustedDomain", \n "ipaIDobject"\n ], \n "trustdirection": [\n "Two-way trust"\n ], \n "truststatus": [\n "Established and verified"\n ], \n "trusttype": [\n "Active Directory domain"\n ], \n "uidnumber": [\n "1707800022"\n ]\n }, \n "summary": "Added Active Directory trust for realm \\"adtest.qe\\"", \n "value": "adtest.qe"\n }, \n "version": "4.1.0"\n}'
ipa: INFO: Response: { "error": null, "id": 0, "principal": "admin", "result": { "result": { "cn": [ "adtest.qe" ], "ipantflatname": [ "ADTEST" ], "ipantsecurityidentifier": [ "S-1-5-21-1796645600-2667531414-1194413864-1022" ], "ipantsidblacklistincoming": [ "S-1-5-20", "S-1-5-3", "S-1-5-2", "S-1-5-1", "S-1-5-7", "S-1-5-6", "S-1-5-5", "S-1-5-4", "S-1-5-9", "S-1-5-8", "S-1-5-17", "S-1-5-16", "S-1-5-15", "S-1-5-14", "S-1-5-13", "S-1-5-12", "S-1-5-11", "S-1-5-10", "S-1-3", "S-1-2", "S-1-1", "S-1-0", "S-1-5-19", "S-1-5-18" ], "ipantsidblacklistoutgoing": [ "S-1-5-20", "S-1-5-3", "S-1-5-2", "S-1-5-1", "S-1-5-7", "S-1-5-6", "S-1-5-5", "S-1-5-4", "S-1-5-9", "S-1-5-8", "S-1-5-17", "S-1-5-16", "S-1-5-15", "S-1-5-14", "S-1-5-13", "S-1-5-12", "S-1-5-11", "S-1-5-10", "S-1-3", "S-1-2", "S-1-1", "S-1-0", "S-1-5-19", "S-1-5-18" ], "ipantsupportedencryptiontypes": [ "28" ], "ipanttrustattributes": [ "8" ], "ipanttrustdirection": [ "3" ], "ipanttrusteddomainsid": [ "S-1-5-21-1910160501-511572375-3625658879" ], "ipanttrustpartner": [ "adtest.qe" ], "ipanttrustposixoffset": [ "0" ], "ipanttrusttype": [ "2" ], "objectclass": [ "top", "ipaNTTrustedDomain", "ipaIDobject" ], "trustdirection": [ "Two-way trust" ], "truststatus": [ "Established and verified" ], "trusttype": [ "Active Directory domain" ], "uidnumber": [ "1707800022" ] }, "summary": "Added Active Directory trust for realm \"adtest.qe\"", "value": "adtest.qe" }, "version": "4.1.0" }
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
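
The two changes discussed in this report (dropping ipanttrustauthincoming/ipanttrustauthoutgoing before the reply is sent to the client, and keeping the verbose dump from failing on binary values), together with a check like the verification run above, shown as an added example that is not FreeIPA's code. The function names, the `__base64__` wrapper, `exampleBinaryAttr` and the sample entry are assumptions made for illustration.

```python
import base64
import json

# Attribute names from the bug report, lower-cased for comparison because
# LDAP attribute names are case-insensitive.
BLOCKED = frozenset({"ipanttrustauthincoming", "ipanttrustauthoutgoing"})


def strip_sensitive(entry):
    """Server side: copy an entry without the trust authentication attributes."""
    return {k: v for k, v in entry.items() if k.lower() not in BLOCKED}


def encode_binary(value):
    """json.dumps fallback so a verbose dump cannot fail on binary values.

    The {"__base64__": ...} wrapper is this example's own convention.
    """
    if isinstance(value, (bytes, bytearray)):
        return {"__base64__": base64.b64encode(bytes(value)).decode("ascii")}
    raise TypeError("not JSON serializable: " + type(value).__name__)


def verbose_dump(response):
    """Client side: render a response the way a -vvv style log line would."""
    return json.dumps(response, default=encode_binary, sort_keys=True, indent=2)


def leaked_attrs(response_text):
    """Verification: list blocked attribute names present anywhere in a response."""
    found = set()
    stack = [json.loads(response_text)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            found.update(k.lower() for k in node if k.lower() in BLOCKED)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return sorted(found)


# Constructed sample entry (not real data); the byte strings stand in for blobs.
SAMPLE_ENTRY = {
    "cn": ["adtest.qe"],
    "ipaNTTrustAuthIncoming": [b"\x00\xff\xfe"],
    "ipaNTTrustAuthOutgoing": [b"\x00\xff\xfd"],
    "exampleBinaryAttr": [b"\x01\x04\xff"],  # hypothetical non-secret binary value
}

if __name__ == "__main__":
    print(leaked_attrs(verbose_dump({"result": strip_sensitive(SAMPLE_ENTRY)})))
```

Running `leaked_attrs` over a captured response body gives the same answer the manual check above reads off by eye: an empty list means neither attribute reached the client.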