Bug 1250192
| Summary: | Error in ipa trust-fetch-domains | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Steeve Goveas <sgoveas> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED DUPLICATE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | abokovoy, jcholast, ksiddiqu, mkosek, pvoborni, rcritten, sgoveas, spoore, tbabej |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-4.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-08-18 17:01:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Steeve Goveas
2015-08-04 17:14:30 UTC
Steeve, there should be a traceback in /var/log/httpd/error_log, could you please paste it here?

Jan, here is the traceback from /var/log/httpd/error_log

[Wed Aug 05 20:03:14.893060 2015] [:error] [pid 2932] ipa: INFO: [jsonserver_kerb] admin: ping(): SUCCESS
[Wed Aug 05 20:03:19.139255 2015] [:error] [pid 2931] ipa: ERROR: non-public: TypeError: unsupported operand type(s) for &: 'list' and 'int'
[Wed Aug 05 20:03:19.139306 2015] [:error] [pid 2931] Traceback (most recent call last):
[Wed Aug 05 20:03:19.139315 2015] [:error] [pid 2931] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Wed Aug 05 20:03:19.139321 2015] [:error] [pid 2931] result = self.Command[name](*args, **options)
[Wed Aug 05 20:03:19.139328 2015] [:error] [pid 2931] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Wed Aug 05 20:03:19.139338 2015] [:error] [pid 2931] ret = self.run(*args, **options)
[Wed Aug 05 20:03:19.139347 2015] [:error] [pid 2931] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Wed Aug 05 20:03:19.139356 2015] [:error] [pid 2931] return self.execute(*args, **options)
[Wed Aug 05 20:03:19.139365 2015] [:error] [pid 2931] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 1490, in execute
[Wed Aug 05 20:03:19.139375 2015] [:error] [pid 2931] if trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL:
[Wed Aug 05 20:03:19.139383 2015] [:error] [pid 2931] TypeError: unsupported operand type(s) for &: 'list' and 'int'
[Wed Aug 05 20:03:19.139872 2015] [:error] [pid 2931] ipa: INFO: [jsonserver_kerb] admin: trust_fetch_domains(u'adtest.qe', rights=False, all=False, raw=False, version=u'2.147'): TypeError

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5182

Thanks. It looks like there already is a patch for this at freeipa-devel.

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/7688bbcc33eb24a86ede7dc12ea9c64a27006aa8
ipa-4-2: https://fedorahosted.org/freeipa/changeset/2812242df4fefcb6567dc3a117b5e55a3211de92

I can see this work for two-way trusts (--two-way=True) but I'm still seeing issues with one-way trusts:

[root@vm-idm-011 log]# echo Secret123 | ipa -d trust-add adtest.qe --admin Administrator --password
...cutting out the debugging output...
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1,
S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1,
S-1-0, S-1-5-19, S-1-5-18
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified
[root@vm-idm-011 log]# ipa idrange-show PUNE.ADTEST.QE_id_range
ipa: ERROR: PUNE.ADTEST.QE_id_range: range not found
[root@vm-idm-011 log]# ipa trust-fetch-domains adtest.qe
s adtest.qe
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@vm-idm-011 log]# ipa trustdomain-find adtest.qe
Domain name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

Created attachment 1062115
trust-fetch-domain that Alexander fixed
Attaching the fixed version of trust-fetch-domain that Alexander Bokovoy provided.

I suspect we should close this bug and continue work on a unidirectional trust in bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190, there is no need to keep two bugs to the same cause anymore.

Sure, that works for me. Just mark it as duplicate of 1250190? Steeve, any reason not to do that?

Marking as duplicate as suggested in comment 10 and comment 11.

*** This bug has been marked as a duplicate of bug 1250190 ***
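
Added example, not FreeIPA code and not the upstream patch: the traceback in this bug fails because the LDAP attribute value reaches the bitmask test as a list, so this sketch normalizes the value before testing the direction. The constant values follow the Active Directory trustDirection convention; they, the helper names and the sample entries are assumptions made for illustration.

```python
# Assumed values, following the AD trustDirection flag convention.
TRUST_INBOUND = 1
TRUST_OUTBOUND = 2
TRUST_BIDIRECTIONAL = 3  # TRUST_INBOUND | TRUST_OUTBOUND


def naive_is_bidirectional(entry):
    # Same expression shape as the line in the traceback: the raw attribute
    # value is a list, so '&' raises TypeError instead of answering.
    return entry["ipanttrustdirection"] & TRUST_BIDIRECTIONAL == TRUST_BIDIRECTIONAL


def trust_direction(entry, attr="ipanttrustdirection"):
    """Return the single-valued direction attribute of an entry as an int."""
    values = entry.get(attr)
    if values is None:
        raise ValueError("entry has no %s attribute" % attr)
    if not isinstance(values, (list, tuple)):
        values = [values]
    if len(values) != 1:
        raise ValueError("expected one %s value, got %d" % (attr, len(values)))
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    direction = int(raw)
    # Reject zero and any bit outside the two defined direction flags, so a
    # malformed entry fails closed instead of passing a later bitmask test.
    if direction == 0 or direction & ~TRUST_BIDIRECTIONAL:
        raise ValueError("unexpected trust direction %r" % (raw,))
    return direction


def is_bidirectional(entry):
    return trust_direction(entry) & TRUST_BIDIRECTIONAL == TRUST_BIDIRECTIONAL


# Constructed sample entries shaped like LDAP results (values arrive as lists).
TWO_WAY = {"ipanttrustdirection": ["3"]}
ONE_WAY = {"ipanttrustdirection": ["1"]}

if __name__ == "__main__":
    for name, entry in (("two-way", TWO_WAY), ("one-way", ONE_WAY)):
        print(name, "bidirectional:", is_bidirectional(entry))
    try:
        naive_is_bidirectional(TWO_WAY)
    except TypeError as exc:
        print("naive check:", exc)
```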