Bug 1438348

Summary: Console output message while adding trust should be mapped with texts changed in Samba.
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: ipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Varun Mylaraiah <mvarun>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4 CC: abokovoy, frenaud, ksiddiqu, mbasti, mvarun, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-6.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sudhir Menon 2017-04-03 07:19:30 UTC
Description of problem: Console output message while adding trust should be mapped with texts changed in Samba.


Version-Release number of selected component (if applicable):
ipa-server-dns-4.5.0-4.el7.noarch
ipa-server-trust-ad-4.5.0-4.el7.x86_64
ipa-server-common-4.5.0-4.el7.noarch
ipa-server-4.5.0-4.el7.x86_64
samba-4.6.2-0.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add trust with invalid server name in server option

e.g. zombie.ipaad2008r2.test is an invalid hostname.

echo Secret123 | ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password --two-way=True --server=zombie.ipaad2008r2.test


Actual results:
:: [   FAIL   ] :: Command 'echo Secret123 | ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password --two-way=True --server=zombie.ipaad2008r2.test > /tmp/tmp.qniioRNx3B/tmpout.trust_cli_0003.out 2>&1' (Expected 2, got 1)
:: [   FAIL   ] :: File '/tmp/tmp.qniioRNx3B/tmpout.trust_cli_0003.out' should contain 'ipa: ERROR: Cannot find specified domain or server name' 
:: [   FAIL   ] :: Command 'echo -e "Secret123\nAdministrator" | ipa trust-add --type=ad --admin Administrator --password --two-way=True --server=zombie.ipaad2008r2.test > /tmp/tmp.qniioRNx3B/tmpout.trust_cli_0003.out 2>&1' (Expected 2, got 1)
:: [   FAIL   ] :: File '/tmp/tmp.qniioRNx3B/tmpout.trust_cli_0003.out' should contain 'ipa: ERROR: Cannot find specified domain or server name' 
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 0 good, 4 bad
:: [   FAIL   ] :: RESULT: Add trust with invalid server name in server option

[root@autohv01 ~]# echo Secret123 | ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password --two-way=True --server=zombie.ipaad2008r2.test
ipa: ERROR: CIFS server communication error: code "None", message "(-1073741772, 'The object name is not found.')" (both may be "None")

[root@autohv01 ~]# echo $?
1

Expected results:
Earlier the output was displayed as below, which was more specific than the error code.

ipa: ERROR: Cannot find specified domain or server name
echo $?
2
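
The negative number in the error above is an NTSTATUS value printed as a signed 32-bit integer. The following added example (not FreeIPA or Samba code; the function name and the small name table are assumptions made for illustration) extracts it from the message text and decodes it.

```python
import ast
import re

# Constructed sample: the error line shown in the bug description.
SAMPLE = ('ipa: ERROR: CIFS server communication error: code "None", '
          'message "(-1073741772, \'The object name is not found.\')" '
          '(both may be "None")')

# Small subset of well-known NTSTATUS values (Samba spells them NT_STATUS_*).
NTSTATUS_NAMES = {
    0xC000000D: "NT_STATUS_INVALID_PARAMETER",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
}
SEVERITY = ("success", "informational", "warning", "error")

_MESSAGE_RE = re.compile(r'message "(\(.*\))" \(both may be')


def decode_cifs_error(line):
    """Return a dict describing the NTSTATUS embedded in the error line,
    or None when the line carries no (code, text) tuple."""
    match = _MESSAGE_RE.search(line)
    if match is None:
        return None
    try:
        signed, text = ast.literal_eval(match.group(1))
    except (ValueError, SyntaxError, TypeError):
        return None
    if not isinstance(signed, int):
        return None
    status = signed & 0xFFFFFFFF  # signed 32-bit -> unsigned NTSTATUS
    return {
        "ntstatus": "0x%08X" % status,
        "name": NTSTATUS_NAMES.get(status, "unknown"),
        "severity": SEVERITY[status >> 30],      # top two bits
        "facility": (status >> 16) & 0x0FFF,     # bits 27..16
        "text": text,
    }


if __name__ == "__main__":
    print(decode_cifs_error(SAMPLE))
```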

Comment 3 Sudhir Menon 2017-04-03 11:01:54 UTC
Similarly for the below testcase scenario, the output has changed.

===trust add failing when NetBIOS name misconfigured should display correct message, bz867442 ===

Earlier:-
echo **** | ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password --two-way=True
ipa: ERROR: invalid 'AD Trust Setup': the IPA server and the remote domain cannot share the same NetBIOS name: IPAAD2008R2

Now:-
[root@autohv01 httpd]# echo *** | ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password --two-way=True
ipa: ERROR: CIFS server communication error: code "None", message "(-1073741772, 'The object name is not found.')" (both may be "None")

Comment 4 Petr Vobornik 2017-04-03 11:23:27 UTC
Alexander, your PR https://github.com/freeipa/freeipa/pull/682 addresses this issue, right?

Comment 6 Alexander Bokovoy 2017-04-03 12:02:22 UTC
(In reply to Petr Vobornik from comment #4)
> Alexander, your PR https://github.com/freeipa/freeipa/pull/682 addresses
> this issue right?

Yes, this is exactly for the issues described in this bug (description + comment #3). I was waiting for Sudhir to file this bug.

Comment 7 Sudhir Menon 2017-04-04 12:30:59 UTC
Issue mentioned in comment #3 was tried manually again and I see that the correct message is displayed instead of the error code.

<snip> 
Server host name [autohv01.testreal.test]:
Warning: skipping DNS resolution of host autohv01.testreal.test
The domain name has been determined based on the host name.
Please confirm the domain name [testreal.test]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [TESTREAL.TEST]: 

[root@autohv01 samba]# /usr/sbin/ipa-adtrust-install --netbios-name=IPAAD2008R2

[root@autohv01 samba]# ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password 
ipa: ERROR: invalid 'AD Trust Setup': the IPA server and the remote domain cannot share the same NetBIOS name: IPAAD2008R2

Comment 8 Petr Vobornik 2017-04-10 10:25:19 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6859

Comment 11 Sudhir Menon 2017-05-29 18:12:58 UTC
Tested on RHEL7.4 using 

[root@autohv02 ~]# rpm -q ipa-server 389-ds-base sssd selinux-policy krb5-server pki-server
ipa-server-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-37.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch


1. With incorrect server name

[root@autohv02 ~]# ipa trust-add --type=ad ipaad2008r2.test --admin Administrator --password --two-way=True --server=zombie.ipaad2008r2.test
Active Directory domain administrator's password: 
ipa: ERROR: Cannot find specified domain or server name
[root@autohv02 ~]# echo $?
2

2. With the same NetBIOS name as that of AD

[root@autohv02 ~]# ipa-adtrust-install --netbios-name=IPAAD2008R2

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: 

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: 

Current NetBIOS domain name is TRUSTCLI, new name is IPAAD2008R2.

Please note that changing the NetBIOS name might break existing trust relationships.
Say 'yes' if the NetBIOS shall be changed and 'no' if the old one shall be kept.
Do you want to reset the NetBIOS domain name? [no]:

Comment 12 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304