Bug 1317635

Summary: ipa trust-find shows sub-domain is broken after successful trust-add
Product: Red Hat Enterprise Linux 7
Reporter: Varun Mylaraiah <mvarun>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: abokovoy, mbasti, pvoborni, rcritten
Target Milestone: rc
Keywords: TestBlocker
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-15 15:06:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Logs none

Description Varun Mylaraiah 2016-03-14 17:46:03 UTC
Created attachment 1136230
Logs

Description of problem:
ipa trust-find shows sub-domain is broken after successful trust-add
And 'getent passwd <ADuser>' does not return the user, and neither does #id.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.10.x86_64

How reproducible:
100%

Steps to Reproduce:
[root@apollo ~]# ipa trust-add --type=ad ipaad2008r2.test --range-type=ipa-ad-trust-posix --admin Administrator --password --two-way=true
Active Directory domain administrator's password: 
---------------------------------------------------------
Added Active Directory trust for realm "ipaad2008r2.test"
---------------------------------------------------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16,
                          S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16,
                          S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@apollo ~]# ipa trust-find
ipa: WARNING: Your trust to ipasub2008r2-1.ipaad2008r2.test is broken. Please re-create it by running 'ipa trust-add' again.
----------------
2 trusts matched
----------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Trust type: Active Directory domain

  Realm name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
----------------------------
Number of entries returned 2
----------------------------

[root@apollo ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IPAAD2008R2.TEST_id_range
  First Posix ID of the range: 175000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1765444267-4284514389-3232425237
  Range type: Active Directory trust range with POSIX attributes

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1674800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@apollo ~]# id tuser31416@ipaad2008r2.test
id: tuser31416@ipaad2008r2.test: no such user

[root@apollo ~]# getent passwd tuser31416@ipaad2008r2.test
[root@apollo ~]#

#####################################################
[root@apollo ~]# kinit tuser31416@IPAAD2008R2.TEST
Password for tuser31416@IPAAD2008R2.TEST: 

[root@apollo ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_P0f4rrW
Default principal: tuser31416@IPAAD2008R2.TEST

Valid starting       Expires              Service principal
2016-03-14T13:33:12  2016-03-14T23:33:12  krbtgt/IPAAD2008R2.TEST@IPAAD2008R2.TEST
	renew until 2016-03-15T13:33:08


Additional info:
Logs attached.

Comment 1 Petr Vobornik 2016-03-14 17:59:52 UTC
A regression?

Comment 6 Petr Vobornik 2016-03-15 15:06:23 UTC
This is a regression caused by the patch for bug 1305533 and bug 1311470 (clone of 1305533).

Let it be fixed there.

*** This bug has been marked as a duplicate of bug 1305533 ***