Bug 1509288
| Field | Value |
|---|---|
| Summary | IPA trust-add internal error (expected security.dom_sid got None) |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | josip.domsic+bugzilla |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | medium |
| Priority | unspecified |
| Version | 7.4 |
| CC | abokovoy, enewland, josip.domsic+bugzilla, ksiddiqu, mvarun, pasik, pvoborni, rcritten, tscherf |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | ipa-4.5.4-7.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2018-04-10 16:48:21 UTC |
| Type | Bug |
| Regression | --- |
| Documentation | --- |
Description
josip.domsic+bugzilla, 2017-11-03 13:32:09 UTC

Can you please attach the full error_log? It would be good to add 'log level = 50' to /usr/share/ipa/smb.conf.empty and re-do 'ipa trust-add'.

Created attachment 1349398 [details]
Apache error log file. Generated after failing to generate the trust.

Comment on attachment 1349398 [details]
Apache error log file. Generated after failing to generate the trust.

Thank you. This confirms my suspicion. Did you attempt to create a trust before from the AD side using "trust to MIT Kerberos"?

We get back information that a trust to the IPA domain exists but no SID is assigned to the IPA domain. This only happens when AD is trying to set up a trust to MIT Kerberos. However, we do not support this type of trust in IPA, thus the failure. In addition, we cannot delete this trust record using LSA RPC calls because lsarDeleteTrustedDomain() requires a SID, which does not exist in this entry.

So I think the only way to handle this situation is to fail with an error message telling the user to delete the IPA domain from the list of trusts on the AD side manually, because the trust type is wrong.
```
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        info                     : *
            info                     : *
                info                     : union lsa_TrustedDomainInfo(case 8)
                full_info: struct lsa_TrustDomainInfoFullInfo
                    info_ex: struct lsa_TrustDomainInfoInfoEx
                        domain_name: struct lsa_StringLarge
                            length                   : 0x0022 (34)
                            size                     : 0x0024 (36)
                            string                   : *
                                string                   : 'ipa.rl.ldap.local'
                        netbios_name: struct lsa_StringLarge
                            length                   : 0x0022 (34)
                            size                     : 0x0024 (36)
                            string                   : *
                                string                   : 'ipa.rl.ldap.local'
                        sid                      : NULL
                        trust_direction          : 0x00000003 (3)
                               1: LSA_TRUST_DIRECTION_INBOUND
                               1: LSA_TRUST_DIRECTION_OUTBOUND
                        trust_type               : LSA_TRUST_TYPE_MIT (3)
                        trust_attributes         : 0x00000001 (1)
                               1: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                               0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                               0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                               0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                               0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                               0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                               0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                               0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                    posix_offset: struct lsa_TrustDomainInfoPosixOffset
                        posix_offset             : 0x00000000 (0)
                    auth_info: struct lsa_TrustDomainInfoAuthInfo
                        incoming_count           : 0x00000000 (0)
                        incoming_current_auth_info: NULL
                        incoming_previous_auth_info: NULL
                        outgoing_count           : 0x00000000 (0)
                        outgoing_current_auth_info: NULL
                        outgoing_previous_auth_info: NULL
        result                   : NT_STATUS_OK
```
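A triage helper in the spirit of the fix described in this thread, added here as an example and not FreeIPA's own code: it parses the Samba NDR dump format shown above (the sample below is constructed from that dump, with the trust type constants taken from Samba's lsa.idl) and refuses to continue when the record on the AD side is not an uplevel AD trust with a SID, instead of letting a None SID reach code that expects security.dom_sid.

```python
import re

# Constructed sample: the lines that matter from the Samba NDR dump quoted in
# this bug (indentation restored). A pointer line ("*") is deliberately kept.
SAMPLE_DUMP = """\
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        info_ex: struct lsa_TrustDomainInfoInfoEx
            domain_name: struct lsa_StringLarge
                string                   : *
                    string                   : 'ipa.rl.ldap.local'
            sid                      : NULL
            trust_direction          : 0x00000003 (3)
            trust_type               : LSA_TRUST_TYPE_MIT (3)
        result                   : NT_STATUS_OK
"""

# Trust type values from MS-LSAD / Samba's lsa.idl (MIT is the case on this page).
LSA_TRUST_TYPE_DOWNLEVEL, LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_TYPE_MIT = 1, 2, 3

class TrustRecordError(Exception):
    """Clear error raised instead of passing a NULL SID to code expecting dom_sid."""

def parse_trust_info(dump):
    """Return domain_name, sid, trust_type and trust_direction from an NDR dump."""
    info = {}
    for line in dump.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.+?)\s*$", line)
        if not m or m.group(2) == "*":   # skip struct headers' pointer lines
            continue
        key, value = m.groups()
        if key == "string" and "domain_name" not in info:
            info["domain_name"] = value.strip("'")   # first string is domain_name
        elif key == "sid":
            info["sid"] = None if value == "NULL" else value
        elif key in ("trust_type", "trust_direction"):
            info[key] = int(re.search(r"\((\d+)\)", value).group(1))
    return info

def check_existing_trust(info):
    """Return the SID of a reusable AD (uplevel) trust record, else raise."""
    # Anything else cannot be reused, and cannot be deleted over LSA RPC either
    # (lsarDeleteTrustedDomain needs the SID), so report it instead of crashing.
    if info.get("trust_type") != LSA_TRUST_TYPE_UPLEVEL or info.get("sid") is None:
        raise TrustRecordError(
            "existing trust for %s has type %s and SID %s; delete it on the AD "
            "side and re-run trust-add"
            % (info.get("domain_name"), info.get("trust_type"), info.get("sid")))
    return info["sid"]
```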
Thank you so much! Deleting trusts on AD side helped.

Upstream ticket: https://pagure.io/freeipa/issue/7264

master:
956e265 ipaserver/plugins/trust.py; fix some indenting issues
a57f613 trust: detect and error out when non-AD trust with IPA domain name exists
c19eb49 ipaserver/plugins/trust.py: pep8 compliance

ipa-4-5:
44524b1 ipaserver/plugins/trust.py; fix some indenting issues
365967f trust: detect and error out when non-AD trust with IPA domain name exists
e71f52f ipaserver/plugins/trust.py: pep8 compliance

ipa-4-6:
0ea2e7e ipaserver/plugins/trust.py; fix some indenting issues
c34c1da trust: detect and error out when non-AD trust with IPA domain name exists
31c2b1d ipaserver/plugins/trust.py: pep8 compliance

Verified ipa-server-4.5.4-8.el7.x86_64

Established trust between AD and IPA successfully.

1. yum install ipa-server ipa-server-trust-ad ipa-server-dns
2. ipa-server-install --setup-dns
3. ipa-adtrust-install
4. ipa -d trust-add --type=ad --all ipaad2016.test --admin Administrator --external=true --password

[root@vm-idm-028 ~]# ipa -d trust-add --type=ad --all ipaad2016.test --admin Administrator --external=true --password
```
-----------------------------------------------
Re-established trust to domain "ipaad2016.test"
-----------------------------------------------
  dn: cn=ipaad2016.test,cn=ad,cn=trusts,dc=realm1501181c,dc=test
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified
  gidnumber: 864000001
  ipantsecurityidentifier: S-1-5-21-3942277049-1447600740-1627187661-1020
  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
  ipanttrustpartner: ipaad2016.test
  ipanttrustposixoffset: 0
  ipanttrusttype: 2
  objectclass: ipaNTTrustedDomain, ipaIDobject, top
  uidnumber: 864000020
[root@vm-idm-028 ~]#
```

Additional info (from the server error_log):

```
rpc request data:
[0000] 00 00 00 00 20 00 00 00   00 00 00 00 5D 5A 7F D7   .... ... ....]Z..
[0010] A8 6D 00 00 0D 00 0D 00   1C 00 00 00               .m...... ....
lsa_SetInformationTrustedDomain: struct lsa_SetInformationTrustedDomain
    out: struct lsa_SetInformationTrustedDomain
        result                   : NT_STATUS_OK
rpc reply data:
[0000] 00 00 00 00   ....
[Tue Jan 16 16:14:25.109115 2018] [:error] [pid 27876] ipa: INFO: [jsonserver_session] admin: trust_add/1(u'ipaad2016.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', external=True, all=True, version=u'2.228'): SUCCESS
[Tue Jan 16 16:14:25.112179 2018] [:error] [pid 27876] ipa: DEBUG: Destroyed connection context.ldap2_140105564669648
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918