Bug 1356899
| Summary: | com.redhat.idm.trust.fetch_domains need update after thin client changes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sudhir Menon <sumenon> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | mbasti, pvoborni, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.4.0-5.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 05:58:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1361636 | | |
| Bug Blocks: | | | |
Description of problem:
com.redhat.idm.trust.fetch_domains need update after thin client changes

Version-Release number of selected component (if applicable):
```
ipa-server-trust-ad-4.4.0-1.el7.x86_64
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-common-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64
```

How reproducible: Always

Steps to Reproduce:
1. Ensure selinux is disabled on the IPA_server
2. Install IPA server
3. Establish one-way trust with forest root domain e.g. pne.qe
4. Ensure trust is established without any errors.
5. Now run the below command

```
oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
```

Actual results:
```
Traceback (most recent call last):
  File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 127, in <module>
    api.Backend.ldap2.connect(ccache_name)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 330, in __getattr__
    raise AttributeError(key)
AttributeError: ldap2
```

Expected results:
Fix the traceback.

Additional info:
This issue was seen when testing UPN suffixes, which were not getting displayed using the ipa trust-show command, while the same were displayed for the two-way trust.

```
[root@server samba]# ipa trust-show pne.qe
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Trusting forest
  Trust type: Active Directory domain

[root@server samba]# ipa trust-show pne.qe
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  UPN suffixes: qa.in, qa.io, qa.pne, qa.test, qa.org, test.qa
```

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6082

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b144bf527db76573590255d4ac80e9dfd813ba3d

I'll provide a patch that fixes the traceback on the IPA side, but this is mainly an SELinux issue. It should raise: 'Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server' until the SELinux policy is fixed. Because I see in the steps to reproduce that SELinux should be disabled, do you know if there is an selinux bug opened for this or should I open one?

Traceback fixed upstream master: https://fedorahosted.org/freeipa/changeset/c2edfa0adbc1a603a146aa44d73a4024e06063f0

I will open a separate BZ for SELinux.

Martin,

Here are the observations with the below rpms.
ipa-server-4.4.0-5.el7.x86_64

1. With SELinux in enforcing mode the issue is still seen. Depends on BZ1361636 to be fixed.

```
[root@master network-scripts]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
com.redhat.oddjob.Error.Exec: Child signalled exec() error: Permission denied
```

2. With SELinux in permissive mode the traceback is still seen, although the message as mentioned in comment #5 does appear.

```
[root@ipaserver ~]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
Traceback (most recent call last):
  File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 174, in <module>
    trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1684, in add_new_domains_from_trust
    trust_name, name, **dom)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 435, in add_range
    ipanttrusteddomainsid=dom_sid)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1181, in execute
    *keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/idrange.py", line 468, in pre_callback
    entry_attrs['ipanttrusteddomainsid'])
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/idrange.py", line 341, in validate_trusted_domain_sid
    domain_validator = self.get_domain_validator()
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/idrange.py", line 326, in get_domain_validator
    raise errors.NotFound(reason=_('Cannot perform SID validation '
ipalib.errors.NotFound: Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server
```

As I wrote in comment #5, until the SELinux policy is fixed you will see tracebacks. Please retest when bz1361636 is fixed.

Observation: The traceback has been fixed, however there is an error displayed when the 'oddjob_request' command is run in permissive mode. So I have reopened bz1361636. Once that is fixed, I will close this bug.

```
[root@master ~]# getenforce
Enforcing
[root@master ~]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
[root@master ~]# setenforce 0
[root@master ~]# getenforce
Permissive
[root@master ~]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
com.redhat.oddjob.Error.Exec: Child signalled exec() error: error setting helper execution SELinux context.
```

===audit.log===
```
type=SYSCALL msg=audit(1470901858.780:305): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f6b7e0f7f90 a2=5a a3=7ffe7b6caa30 items=0 ppid=9517 pid=10197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1470901885.109:306): enforcing=0 old_enforcing=1 auid=0 ses=1
type=SYSCALL msg=audit(1470901885.109:306): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffef4c81680 a2=1 a3=7ffef4c81400 items=0 ppid=2037 pid=10200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1470901896.398:307): op=security_compute_sid invalid_context=unconfined_u:unconfined_r:ipa_helper_t:s0-s0:c0.c1023 scontext=unconfined_u:unconfined_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ipa_helper_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1470901896.398:307): arch=c000003e syscall=1 success=yes exit=90 a0=4 a1=7f6b7e0f7f90 a2=5a a3=7ffe7b6caa30 items=0 ppid=9517 pid=10203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
```

Observations:
1. Traceback message is fixed when the oddjob_request command is run.
2. There is no more error displayed when the 'oddjob_request' command is run in permissive mode.

Verified on RHEL7.3 using
```
ipa-server-4.4.0-7.el7.x86_64
libselinux-2.5-5.el7.x86_64
selinux-policy-3.13.1-94.el7.noarch
selinux-policy-targeted-3.13.1-94.el7.noarch
```

```
[root@ipaserver abrt]# getenforce
Enforcing
[root@ipaserver abrt]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
[root@ipaserver abrt]# setenforce 0
[root@ipaserver abrt]# getenforce
Permissive
[root@ipaserver abrt]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
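The SELINUX_ERR record in the audit.log quoted in this bug is the evidence that matters for the policy side of the problem: oddjobd (running as oddjob_t) execs the ipa_helper_exec_t helper, and the kernel computes a context for that transition (role unconfined_r with type ipa_helper_t) that the loaded policy does not consider valid. The parser below, added here as an example and not part of this bug report, of oddjob or of FreeIPA, pairs each security_compute_sid error with the SYSCALL record sharing its audit serial and pulls out who attempted which transition and what was rejected. The sample records are constructed from the ones quoted above, trimmed to the relevant fields.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the audit.log records quoted in this bug.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1470901858.780:305): arch=c000003e syscall=1 success=no exit=-13 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1470901885.109:306): enforcing=0 old_enforcing=1 auid=0 ses=1
type=SELINUX_ERR msg=audit(1470901896.398:307): op=security_compute_sid invalid_context=unconfined_u:unconfined_r:ipa_helper_t:s0-s0:c0.c1023 scontext=unconfined_u:unconfined_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ipa_helper_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1470901896.398:307): arch=c000003e syscall=1 success=yes exit=90 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """One dict per audit record; the key=value fields after the header are flattened."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (or truncated): skip
        rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
        for key, val in FIELD_RE.findall(m.group("rest")):
            rec[key] = val.strip('"')
        records.append(rec)
    return records

def find_failed_transitions(text):
    """Pair each SELINUX_ERR security_compute_sid record with the SYSCALL sharing its serial (same execve)."""
    by_serial = defaultdict(list)
    for rec in parse_audit(text):
        by_serial[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        err = next((r for r in recs if r["type"] == "SELINUX_ERR"
                    and r.get("op") == "security_compute_sid"), None)
        if err is None:
            continue
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        inv = err["invalid_context"].split(":")  # user:role:type:range
        findings.append({"serial": serial, "comm": syscall.get("comm"),
                         "source_type": err["scontext"].split(":")[2],
                         "target_type": err["tcontext"].split(":")[2],
                         "invalid_role": inv[1], "invalid_type": inv[2]})
    return findings

if __name__ == "__main__":
    for f in find_failed_transitions(SAMPLE_AUDIT):
        print("serial %(serial)d: %(comm)s (%(source_type)s) exec of %(target_type)s rejected: "
              "computed context with role %(invalid_role)s and type %(invalid_type)s is invalid" % f)
```

Run against a real /var/log/audit/audit.log the same function flags every exec whose domain transition the policy cannot validate, which is the condition that `setenforce 0` does not hide (permissive mode only skips access-vector denials, not invalid-context errors).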