Bug 1438366

Summary: ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Sudhir Menon <sumenon>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: abokovoy, ksiddiqu, pvoborni, rcritten, sumenon, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-6.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:47:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sudhir Menon 2017-04-03 08:45:11 UTC 
Description of problem: ipa trust-fetch-domains command displays 'ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication'

Version-Release number of selected component (if applicable):
ipa-server-dns-4.5.0-4.el7.noarch
ipa-server-trust-ad-4.5.0-4.el7.x86_64
ipa-server-common-4.5.0-4.el7.noarch
ipa-server-4.5.0-4.el7.x86_64
samba-4.6.2-0.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Add trust
[root@autohv01 ~]# ipa trust-add --two-way=true

2. ipa trustdomain-find
[root@autohv01 ~]# ipa trustdomain-find ipaad2008r2.test
  Domain name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Domain enabled: True
 
  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

3.ipa trustdomain-disable ipaad2008r2.test ipasub2008r2-1.ipaad2008r2.test
-------------------------------------------------------
Disabled trust domain "ipasub2008r2-1.ipaad2008r2.test"
-------------------------------------------------------
  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------

4. [root@autohv01 ~]# ipa trust-fetch-domains ipaad2008r2.test

Actual results:
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$0878133d...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$0878133d.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R;'
ipa: INFO: trying https://autohv01.testreal.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_52203344
ipa: DEBUG: raw: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
ipa: INFO: Forwarding 'trust_fetch_domains/1' to json server 'https://autohv01.testreal.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (autohv01.testreal.test)
ipa: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R&expiry=1491208631328301;Max-Age=1800;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_52203344
ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication

2. /var/log/httpd/error_log
[Mon Apr 03 04:21:11.665932 2017] [:warn] [pid 31808] [client 2620:52:0:1322:5054:ff:fef8:fbe4:48266] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin)!, referer: https://autohv01.testreal.test/ipa/xml
[Mon Apr 03 04:21:11.667158 2017] [:error] [pid 31804] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 03 04:21:11.667218 2017] [:error] [pid 31804] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 03 04:21:11.678497 2017] [:error] [pid 31804] ipa: DEBUG: Created connection context.ldap2_93915247484880
[Mon Apr 03 04:21:11.678547 2017] [:error] [pid 31804] ipa: DEBUG: WSGI jsonserver.__call__:
[Mon Apr 03 04:21:11.678578 2017] [:error] [pid 31804] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Apr 03 04:21:11.683516 2017] [:error] [pid 31804] ipa: DEBUG: raw: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
[Mon Apr 03 04:21:11.683657 2017] [:error] [pid 31804] ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', rights=False, all=False, raw=False, version=u'2.224')
[Mon Apr 03 04:21:11.683920 2017] [:error] [pid 31804] ipa: DEBUG: raw: adtrust_is_enabled(version=u'2.224')
[Mon Apr 03 04:21:11.683988 2017] [:error] [pid 31804] ipa: DEBUG: adtrust_is_enabled(version=u'2.224')
[Mon Apr 03 04:21:11.686732 2017] [:error] [pid 31804] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTREAL-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x556a5ad20248>
[Mon Apr 03 04:21:11.923133 2017] [:error] [pid 31804] ipa: DEBUG: raw: trust_show(u'ipaad2008r2.test', all=True, raw=True, version=u'2.224')
[Mon Apr 03 04:21:11.923295 2017] [:error] [pid 31804] ipa: DEBUG: trust_show(u'ipaad2008r2.test', rights=False, all=True, raw=True, version=u'2.224')
[Mon Apr 03 04:21:12.159803 2017] [:error] [pid 31804] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Apr 03 04:21:12.159830 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Mon Apr 03 04:21:12.159831 2017] [:error] [pid 31804]     result = command(*args, **options)
[Mon Apr 03 04:21:12.159832 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Mon Apr 03 04:21:12.159834 2017] [:error] [pid 31804]     return self.__do_call(*args, **options)
[Mon Apr 03 04:21:12.159836 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Mon Apr 03 04:21:12.159837 2017] [:error] [pid 31804]     ret = self.run(*args, **options)
[Mon Apr 03 04:21:12.159838 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Mon Apr 03 04:21:12.159839 2017] [:error] [pid 31804]     return self.execute(*args, **options)
[Mon Apr 03 04:21:12.159841 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1776, in execute
[Mon Apr 03 04:21:12.159842 2017] [:error] [pid 31804]     res = fetch_domains_from_trust(self.api, trustinstance, **options)
[Mon Apr 03 04:21:12.159844 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1661, in fetch_domains_from_trust
[Mon Apr 03 04:21:12.159845 2017] [:error] [pid 31804]     server=server)
[Mon Apr 03 04:21:12.159846 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1433, in fetch_domains
[Mon Apr 03 04:21:12.159847 2017] [:error] [pid 31804]     error=_('Missing credentials for '
[Mon Apr 03 04:21:12.159848 2017] [:error] [pid 31804] ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
[Mon Apr 03 04:21:12.159849 2017] [:error] [pid 31804] 
[Mon Apr 03 04:21:12.159995 2017] [:error] [pid 31804] ipa: INFO: [jsonserver_session] admin: trust_fetch_domains/1(u'ipaad2008r2.test', version=u'2.224'): ValidationError
[Mon Apr 03 04:21:12.160750 2017] [:error] [pid 31804] ipa: DEBUG: Destroyed connection context.ldap2_93915247484880

Expected results: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication should be fixed.
Comment 3 Petr Vobornik 2017-04-03 11:05:59 UTC 
Do I get it right that the issue is that you got:

ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication

But expected:
ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication should be fixed.

And I'll assume that "should be fixed" was not part of the message.

Is it correct?
Comment 4 Sudhir Menon 2017-04-03 11:16:13 UTC 
Petr,
Sorry for the confusion here.

Actual Result:-
When "ipa trust-fetch-domains domainname" command is run below message is displayed on the console and httpd error log file.

===Console Output===
i.e "ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication"

===/var/log/httpd/error_log===
ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication

Expected Result:-
When the command is run, rather than the error message it should display proper output like below depending on whether there is new domain to be fetched or not.

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
New trust domains were found
-------------------------------
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------
Comment 5 Alexander Bokovoy 2017-04-05 09:41:22 UTC 
Yes, we should stop special casing two-way trust and simply redirect all activities that require HTTP/.. principal's TGT to oddjobd helper.
Comment 6 Petr Vobornik 2017-04-11 12:17:51 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6866
Comment 7 Petr Vobornik 2017-04-11 12:25:37 UTC 
Should be fixed together with bug 1438348 use the commits bellow:

Fixed upstream
master:
https://pagure.io/freeipa/c/aef77b3529540ad12939a2cc54996c341c5d49d3
https://pagure.io/freeipa/c/e560899cce20ca7773a5ce46a1c29db1349e8ec7
ipa-4-5:
https://pagure.io/freeipa/c/bbb23fc87a51218960d54f9eccc23405c5c5ded6
https://pagure.io/freeipa/c/45e1998c51e281c8371ae31762016cb1ddec406f
Comment 9 Sudhir Menon 2017-05-15 12:50:02 UTC 
Verified on RHEL7.4 using

ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64

[root@master ~]# ipa trust-add --two-way=true
Realm name: pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master ~]# ipa trustdomain-find pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: True

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
[root@master ~]# ipa trustdomain-disable pne.qe chd.pne.qe
----------------------------------
Disabled trust domain "chd.pne.qe"
----------------------------------
[root@master ~]# ipa trust-fetch-domains pne.qe
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@master ~]# ipa trustdomain-find pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: False

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
Comment 10 errata-xmlrpc 2017-08-01 09:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304