Bug 1250190
| Summary: | idrange is not added for sub domain | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | abokovoy, drieden, jcholast, ksiddiqu, mbasti, pvoborni, rcritten, spoore |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-6.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:05:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Alexander, do you know what might be causing this?

Check audit.log for AVCs, if any. With IPA 4.2 we run over D-Bus a request to an oddjobd-activated script that discovers the domains and it requires proper configuration of the SELinux policy. Also add debugging to smb.conf.empty when establishing trust, to see communication happening.

Thanks to Tomas, here is the real reason why it wasn't called. Adding the upstream ticket.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5182

should be fixed in bug 1250192

Not fixed, we found proper fix and reproducer yesterday with Scott. Moving to ASSIGNED.

The issue is in ipa-getkeytab adding key with the same principal and kvno to the TDO keytab instead of overwriting it. As a result, /var/lib/sss/keytabs/<trust-forest-root>.keytab contains multiple entries with the same <kvno> <principal> pair and when kinit is performed against the keytab, libkrb5 selects first matching entry, it fails (because it belonged to older trust config which is not valid anymore) and breaks the oddjobd helper.

Patch is sent upstream: https://www.redhat.com/archives/freeipa-devel/2015-August/msg00255.html

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3692a1c57f5d404a61a01623ef732234ccbbdffd
ipa-4-2: https://fedorahosted.org/freeipa/changeset/c30baa9bb9dfa5a5de7685e9203f3eae95dec22a

*** Bug 1250192 has been marked as a duplicate of this bug. ***
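A small check for the keytab condition described in the comment above (several entries for one kvno/principal, of which libkrb5 uses the first). This is an added example, not code from the bug report or from FreeIPA: it parses the output of `klist -Kek <keytab>` in MIT Kerberos' standard layout and lists every (kvno, principal, enctype) triple that occurs more than once, noting whether the duplicated entries carry different keys. The sample listing and the principal name `IPA$@ADTEST.QE` are constructed placeholders.

```python
import re
import sys
from collections import defaultdict

# Constructed sample (not from the bug report) in the layout of `klist -Kek`:
# a TDO keytab where ipa-getkeytab appended a fresh key for the same principal
# and kvno instead of replacing it. The principal name is a placeholder.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/sss/keytabs/adtest.qe.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 IPA$@ADTEST.QE (aes256-cts-hmac-sha1-96)  (0x1111111111111111)
   2 IPA$@ADTEST.QE (aes128-cts-hmac-sha1-96)  (0x2222222222222222)
   2 IPA$@ADTEST.QE (aes256-cts-hmac-sha1-96)  (0x3333333333333333)
   2 IPA$@ADTEST.QE (aes128-cts-hmac-sha1-96)  (0x4444444444444444)
"""

# One entry line: kvno, principal, "(enctype)" and, with -K, "(0xKEY)".
ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)"
                      r"(?:\s+\((?P<key>0x[0-9a-fA-F]+)\))?\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype, key_hex_or_None) per entry, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["princ"], m["etype"], m["key"]))
    return entries


def find_clashing_entries(entries):
    """Map each (kvno, principal, enctype) seen more than once to its keys in
    file order. libkrb5 takes the first match, so when the keys differ the
    first (older) entry is the one that makes kinit against the keytab fail."""
    groups = defaultdict(list)
    for kvno, princ, etype, key in entries:
        groups[(kvno, princ, etype)].append(key)
    return {k: keys for k, keys in groups.items() if len(keys) > 1}


if __name__ == "__main__":
    # Usage: klist -Kek /var/lib/sss/keytabs/<forest>.keytab > out; script out
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KLIST
    for (kvno, princ, etype), keys in find_clashing_entries(parse_klist(text)).items():
        verdict = "keys differ, first entry stale" if len(set(keys)) > 1 else "same key"
        print(f"kvno {kvno} {princ} {etype}: {len(keys)} entries ({verdict})")
```

Several entries with the same kvno and principal but different enctypes are normal; only a repeated (kvno, principal, enctype) triple indicates the append-instead-of-replace behaviour.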
I'm still seeing errors here even with two-way=True:

:: [ BEGIN ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
:: [ PASS ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1'
Range name: ADTEST.QE_id_range
First Posix ID of the range: 1148400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
Range type: Active Directory domain range
:: [ PASS ] :: Command 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range'
:: [ BEGIN ] :: Running 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1'
ipa: ERROR: PUNE.ADTEST.QE_id_range: range not found
:: [ PASS ] :: Command 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)

Created attachment 1064980
samba logs
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1255dbf2fde068787d711c1fb60946a254d1782c
ipa-4-2: https://fedorahosted.org/freeipa/changeset/e13a5ed26e96436d4a7ebb2329f7f9666581008d

Verified.
Version ::
ipa-server-4.2.0-7.el7.x86_64
Results ::
:: [ BEGIN ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
:: [ PASS ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1'
Range name: ADTEST.QE_id_range
First Posix ID of the range: 1148400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
Range type: Active Directory domain range
:: [ PASS ] :: Command 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range'
:: [ BEGIN ] :: Running 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1'
Range name: PUNE.ADTEST.QE_id_range
First Posix ID of the range: 839000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
Range type: Active Directory domain range
:: [ PASS ] :: Command 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range'
:: [ BEGIN ] :: Running 'systemctl stop sssd; rm -f /var/lib/sss/{db,mc}/*; systemctl start sssd'
:: [ PASS ] :: Command 'systemctl stop sssd; rm -f /var/lib/sss/{db,mc}/*; systemctl start sssd' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 5'
:: [ PASS ] :: Command 'sleep 5' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 20'
:: [ PASS ] :: Command 'sleep 20' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'getent passwd aduser07'
aduser07:*:1148405487:1148405487:ads07 user:/home/adtest.qe/aduser07:
:: [ PASS ] :: Command 'getent passwd aduser07' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'getent passwd subuser07.qe'
subuser07.qe:*:839001111:839001111:subuser07 user:/home/pune.adtest.qe/subuser07:
:: [ PASS ] :: Command 'getent passwd subuser07.qe' (Expected 0, got 0)
Previously, the idrange-show and getent commands for PUNE.ADTEST.QE failed due to this bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
Description of problem:
When trust is added ipa idrange for AD subdomain is not added

Version-Release number of selected component (if applicable):
[root@vm-idm-014 ~]# rpm -q ipa-server sssd
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Add trust from IPA server with root AD having a child domain

Actual results:
[root@vm-idm-014 ~]# echo Secret123| ipa trust-add adtest.qe --admin Administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified

* idrange for pune.adtest.qe is not added
[root@vm-idm-014 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: ADTEST.QE_id_range
First Posix ID of the range: 1148400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
Range type: Active Directory domain range

Range name: STVIDRANGE.TEST_id_range
First Posix ID of the range: 201000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
[root@vm-idm-014 ~]# ipa trustdomain-find adtest.qe
Domain name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
Domain enabled: True

Domain name: pune.adtest.qe
Domain NetBIOS name: PUNE
Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Expected results:
idrange for child domain is added with trust add

Additional info: