Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1391814

Summary: ipa trust-fetch-domains <domainname> returns correct output with exit status as 1
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: pasik, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-16 15:32:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Debug output for ipa trust-fetch-domains command
none
http error log none

Description Sudhir Menon 2016-11-04 06:12:04 UTC 
Description of problem: ipa trust-fetch-domains <domainname> returns correct output with exit status as 1


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7.x86_64

How reproducible: Always


Steps to Reproduce:

1. Install IPA server and establish two-way trust with windows AD having subdomain.

2. Now run ipa trust-fetch-domains <domainname> and check the output on the console.

Actual results:

[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# ipa trustdomain-find
Realm name: ipaad2008r2.test
  Domain name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Domain enabled: True

  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@master ~]# echo $?
1


3. Highlighting the failed testcase in beaker which expects return code 0.

========
:: [   LOG    ] :: Fetch trust domains with valid realm default enable all
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ipa trustdomain-find ipaad2008r2.test ipasub2008r2-1.ipaad2008r2.test' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ipa idrange-find IPASUB2008R2-1.IPAAD2008R2.TEST_id_range > /tmp/tmp.MDcNn6KvWX/tmpout.trustdomain_cli_0018.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.MDcNn6KvWX/tmpout.trustdomain_cli_0018.out' should contain 'Range name: IPASUB2008R2-1.IPAAD2008R2.TEST_id_range' 
:: [   PASS   ] :: File '/tmp/tmp.MDcNn6KvWX/tmpout.trustdomain_cli_0018.out' should contain 'Range type: Active Directory domain range' 
:: [   PASS   ] :: Command 'sleep 10' (Expected 0, got 0)
:: [   LOG    ] :: Checking kadmin is fully up
:: [   PASS   ] :: Command 'date' (Expected 0, got 0)
:: [   LOG    ] :: kadmin is up
:: [   PASS   ] :: Command 'date' (Expected 0, got 0)

**************
:: [   FAIL   ] :: Command 'ipa trust-fetch-domains ipaad2008r2.test > /tmp/tmp.MDcNn6KvWX/tmpout.trustdomain_cli_0018.out 2>&1' (Expected 0, got 1) 
**************
 
:: [   PASS   ] :: File '/tmp/tmp.MDcNn6KvWX/tmpout.trustdomain_cli_0018.out' should contain 'No new trust domains were found' 
:: [   PASS   ] :: File '/tmp/tmp.MDcNn6KvWX/tmpout.trustdomain_cli_0018.out' should contain 'Number of entries returned 0' 
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 1m 16s
:: [   LOG    ] :: Assertions: 12 good, 1 bad
:: [   FAIL   ] :: RESULT: Fetch trust domains with valid realm default enable all

Expected results: Exit status should be 0 if the output is displayed correctly.
without any error.

Additional info: Attaching the httpd error log and debug output for the command when it was run.
Comment 1 Sudhir Menon 2016-11-04 06:14:41 UTC 
Created attachment 1217292 [details]
Debug output for ipa trust-fetch-domains command
Comment 2 Sudhir Menon 2016-11-04 06:17:04 UTC 
Created attachment 1217293 [details]
http error log
Comment 5 Martin Babinsky 2016-11-08 13:27:30 UTC 
I do not think this is a regression since the same behavior can be traced back to RHEL 7.2 (ipa-server-4.2.0-15.el7_2.18.x86_64).

'ipa trust-fetch-domains' actually always returns 1 for one-way trusts regardless of whether the list of trust-domains was refreshed or not and we should fix that.
Comment 6 Petr Vobornik 2016-11-11 15:23:26 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6478
Comment 7 Petr Vobornik 2017-03-28 07:44:54 UTC 
Removing regression keyword based on comment 5.
Comment 9 Petr Vobornik 2018-02-16 15:32:00 UTC 
An upstream ticket was closed as. Returning Non-0 when the list is empty is an expected behavior.

See https://pagure.io/freeipa/issue/325