Bug 1391328

Summary: Traceback seen in error_log when trustdomain-find command is run for trusted child domain
Product: Red Hat Enterprise Linux 8 Reporter: Sudhir Menon <sumenon>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0CC: mkosek, pasik, pcech, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-30 14:15:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Sudhir Menon 2016-11-03 06:39:30 UTC 
Description of problem: Traceback seen in error_log when trustdomain-find command is run


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Establish two-way trust with windows AD having a child domain.

#ipa trust-add --two-way=true

2. Run the below command 
[root@master ~]# ipa trustdomain-find ipasub2008r2-1.ipaad2008r2.test

Actual results:

1. [root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

2. [root@master ~]# ipa trustdomain-find ipaad2008r2.test
  Domain name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Domain enabled: True

  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

3. [root@master ~]# ipa trustdomain-find ipasub2008r2-1.ipaad2008r2.test
ipa: ERROR: ipasub2008r2-1.ipaad2008r2.test: trust not found

4. httpd error_log when debug=true in /etc/ipa/default.conf

    [Thu Nov 03 11:57:15.832147 2016] [:error] [pid 7362] ipa: INFO: *** PROCESS START ***
    [Thu Nov 03 11:57:15.837023 2016] [:error] [pid 7363] ipa: INFO: *** PROCESS START ***
    [Thu Nov 03 11:57:25.814594 2016] [:error] [pid 7362] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
    [Thu Nov 03 11:57:25.814704 2016] [:error] [pid 7362] ipa: DEBUG: WSGI jsonserver_session.__call__:
    [Thu Nov 03 11:57:25.814971 2016] [:error] [pid 7362] ipa: DEBUG: found session cookie_id = 3f8b976b2dd0d791dfe9850f4ba8eb8a
    [Thu Nov 03 11:57:25.816562 2016] [:error] [pid 7362] ipa: DEBUG: found session data in cache with id=3f8b976b2dd0d791dfe9850f4ba8eb8a
    [Thu Nov 03 11:57:25.816953 2016] [:error] [pid 7362] ipa: DEBUG: jsonserver_session.__call__: session_id=3f8b976b2dd0d791dfe9850f4ba8eb8a start_timestamp=2016-11-03T11:16:05 access_timestamp=2016-11-03T11:57:25 expiration_timestamp=2016-11-03T12:15:27
    [Thu Nov 03 11:57:25.817044 2016] [:error] [pid 7362] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_7362"
    [Thu Nov 03 11:57:25.828550 2016] [:error] [pid 7362] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1478195411.83 expiration=1478155645.83 (2016-11-03T12:17:25)
    [Thu Nov 03 11:57:25.890465 2016] [:error] [pid 7362] ipa: DEBUG: Created connection context.ldap2_140537981179024
    [Thu Nov 03 11:57:25.890574 2016] [:error] [pid 7362] ipa: DEBUG: WSGI jsonserver.__call__:
    [Thu Nov 03 11:57:25.890644 2016] [:error] [pid 7362] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
    [Thu Nov 03 11:57:25.903271 2016] [:error] [pid 7362] ipa: DEBUG: raw: trustdomain_find(u'ipasub2008r2-1.ipaad2008r2.test', None, version=u'2.213')
    [Thu Nov 03 11:57:25.903656 2016] [:error] [pid 7362] ipa: DEBUG: trustdomain_find(u'ipasub2008r2-1.ipaad2008r2.test', None, all=False, raw=False, version=u'2.213', pkey_only=False)
    [Thu Nov 03 11:57:25.920602 2016] [:error] [pid 7362] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fd189845a28>
    [Thu Nov 03 11:57:26.676093 2016] [:error] [pid 7362] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
    [Thu Nov 03 11:57:26.676132 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in wsgi_execute
    [Thu Nov 03 11:57:26.676136 2016] [:error] [pid 7362]     result = command(*args, **options)
    [Thu Nov 03 11:57:26.676138 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
    [Thu Nov 03 11:57:26.676141 2016] [:error] [pid 7362]     return self.__do_call(*args, **options)
    [Thu Nov 03 11:57:26.676143 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
    [Thu Nov 03 11:57:26.676146 2016] [:error] [pid 7362]     ret = self.run(*args, **options)
    [Thu Nov 03 11:57:26.676149 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Thu Nov 03 11:57:26.676151 2016] [:error] [pid 7362]     return self.execute(*args, **options)
[Thu Nov 03 11:57:26.676154 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1961, in execute
[Thu Nov 03 11:57:26.676156 2016] [:error] [pid 7362]     base_dn = self.api.Object[self.obj.parent_object].get_dn(*keys)
[Thu Nov 03 11:57:26.676159 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 604, in get_dn
[Thu Nov 03 11:57:26.676161 2016] [:error] [pid 7362]     self.handle_not_found(keys[-1])
[Thu Nov 03 11:57:26.676164 2016] [:error] [pid 7362]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 759, in handle_not_found
[Thu Nov 03 11:57:26.676166 2016] [:error] [pid 7362]     'pkey': pkey, 'oname': self.object_name,
[Thu Nov 03 11:57:26.676169 2016] [:error] [pid 7362] NotFound: ipasub2008r2-1.ipaad2008r2.test: trust not found
[Thu Nov 03 11:57:26.676171 2016] [:error] [pid 7362]
[Thu Nov 03 11:57:26.676357 2016] [:error] [pid 7362] ipa: INFO: [jsonserver_session] admin: trustdomain_find/1(u'ipasub2008r2-1.ipaad2008r2.test', None, version=u'2.213'): NotFound
[Thu Nov 03 11:57:26.676838 2016] [:error] [pid 7362] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_7362"
[Thu Nov 03 11:57:26.677244 2016] [:error] [pid 7362] ipa: DEBUG: store session: session_id=3f8b976b2dd0d791dfe9850f4ba8eb8a start_timestamp=2016-11-03T11:16:05 access_timestamp=2016-11-03T11:57:26 expiration_timestamp=2016-11-03T12:17:25
[Thu Nov 03 11:57:26.682376 2016] [:error] [pid 7362] ipa: DEBUG: Destroyed connection context.ldap2_140537981179024

Expected results: Fix the traceback in error_log and also should display correct output on the console.

Additional info: Seems to be related to bz138970, but logging this bug since the issue is seen for different command.
Comment 3 Martin Babinsky 2016-11-08 11:56:07 UTC 
I have observed a similar traceback on RHEL 7.2 (ipa-server-4.2.0-15.el7_2.19.x86_64) also so I am inclined to think that this is not a regression as it seems that the command never handled this case correctly.

However it would be nice to fix the traceback. A correct behavior in trustdomain-find should be to find 0 entries in this case.
Comment 4 Petr Vobornik 2016-11-11 15:17:34 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6477
Comment 10 Petr Čech 2020-11-30 14:15:14 UTC 
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding
Red Hat Enterprise Linux Identity Management Team