Bug 1371915
Summary: | When establishing external two-way trust, forest root Administrator account is used to fetch domain info
---|---
Product: | Red Hat Enterprise Linux 7
Component: | ipa
Version: | 7.3
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Reporter: | Martin Bašti <mbasti>
Assignee: | IPA Maintainers <ipa-maint>
QA Contact: | Kaleem <ksiddiqu>
CC: | lmiksik, mbabinsk, pvoborni, rcritten, sumenon
Target Milestone: | rc
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | ipa-4.4.0-10.el7
Doc Type: | If docs needed, set a value
Last Closed: | 2016-11-04 06:02:37 UTC
Bug Depends On: | 1375269
Description
Martin Bašti
2016-08-31 12:25:25 UTC
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f32e0e4e522e09390f4295dd79f52d7a48877d3a

Tested on RHEL7.3 using
ipa-server-trust-ad-4.4.0-11.el7.x86_64
ipa-server-4.4.0-11.el7.x86_64

1. DomainAdmins (administrator) account has different password for test.qa and chd.pne.qe in the test env.

Actual Steps:-
1. External trust to tree-root domain
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: test.qa
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
Realm name: test.qa
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
Trust direction: Two-way trust
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

2. External trust to child domain
[root@master ~]# ipa trust-add --two-way=true --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
Realm name: chd.pne.qe
Domain NetBIOS name: CHD
Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
Trust direction: Two-way trust
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

[root@master ~]# ipa trustdomain-find
Realm name: chd.pne.qe
Domain name: chd.pne.qe
Domain NetBIOS name: CHD
Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# ipa trustdomain-find
Realm name: test.qa
Domain name: test.qa
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

Note: ipa trust-fetch-domains already has a bug #1375269 which will be verified once that is fixed.

Created attachment 1201793
http error log
1. [root@master httpd]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: test.qa
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
Trust type: Non-transitive external trust to a domain in another Active Directory forest
UPN suffixes: qa.org
----------------------------
Number of entries returned 1
----------------------------
1. [root@master httpd]# ipa trust-fetch-domains
Realm name: test.qa
--------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
--------------------------------------------------------------------------------
Number of entries returned 0
----------------------------
2. Attached, httpd error log does not contain unsuccessful kinit as root domain administrator

Verified on RHEL73 using
ipa-server-4.4.0-12.el7.x86_64
ipa-server-trust-ad-4.4.0-12.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html