Bug 1509288

Summary: IPA trust-add internal error (expected security.dom_sid got None)
Product: Red Hat Enterprise Linux 7 Reporter: josip.domsic+bugzilla
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.4CC: abokovoy, enewland, josip.domsic+bugzilla, ksiddiqu, mvarun, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.5.4-7.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 16:48:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Apache error log file. Generated after failed to generate trust none

Description josip.domsic+bugzilla 2017-11-03 13:32:09 UTC
Description of problem: Adding trust for Windows AD fails with internal error.


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.centos.2.2.x86_64


How reproducible:


Steps to Reproduce:
1. yum install ipa-server ipa-server-trust-ad ipa-server-dns
2. ipa-server-install --setup-dns
3. ipa-adtrust-install
3. ipa -d trust-add --type=ad --all rl.ldap.local --admin Administrator --external=true --password

Actual results:
ipa: ERROR: an internal error has occurred


Expected results:
Established trust between AD and IPA


Additional info:

rpc reply data:
[0000] 00 00 02 00 08 00 00 00   22 00 24 00 04 00 02 00   ........ ".$.....
[0010] 22 00 24 00 08 00 02 00   00 00 00 00 03 00 00 00   ".$..... ........
[0020] 03 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0040] 00 00 00 00 12 00 00 00   00 00 00 00 11 00 00 00   ........ ........
[0050] 69 00 70 00 61 00 2E 00   72 00 6C 00 2E 00 6C 00   i.p.a... r.l...l.
[0060] 64 00 61 00 70 00 2E 00   6C 00 6F 00 63 00 61 00   d.a.p... l.o.c.a.
[0070] 6C 00 00 00 12 00 00 00   00 00 00 00 11 00 00 00   l....... ........
[0080] 69 00 70 00 61 00 2E 00   72 00 6C 00 2E 00 6C 00   i.p.a... r.l...l.
[0090] 64 00 61 00 70 00 2E 00   6C 00 6F 00 63 00 61 00   d.a.p... l.o.c.a.
[00A0] 6C 00 00 00 00 00 00 00                             l....... 
[Fri Nov 03 09:29:58.558188 2017] [:error] [pid 8126] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:34540: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Fri Nov 03 09:29:58.558272 2017] [:error] [pid 8126] Traceback (most recent call last):
[Fri Nov 03 09:29:58.558304 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Fri Nov 03 09:29:58.558312 2017] [:error] [pid 8126]     result = command(*args, **options)
[Fri Nov 03 09:29:58.558319 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Nov 03 09:29:58.558326 2017] [:error] [pid 8126]     return self.__do_call(*args, **options)
[Fri Nov 03 09:29:58.558333 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Nov 03 09:29:58.558339 2017] [:error] [pid 8126]     ret = self.run(*args, **options)
[Fri Nov 03 09:29:58.558346 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Nov 03 09:29:58.558352 2017] [:error] [pid 8126]     return self.execute(*args, **options)
[Fri Nov 03 09:29:58.558359 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 740, in execute
[Fri Nov 03 09:29:58.558372 2017] [:error] [pid 8126]     result = self.execute_ad(full_join, *keys, **options)
[Fri Nov 03 09:29:58.558379 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 990, in execute_ad
[Fri Nov 03 09:29:58.558386 2017] [:error] [pid 8126]     trust_type
[Fri Nov 03 09:29:58.558392 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1630, in join_ad_full_credentials
[Fri Nov 03 09:29:58.558399 2017] [:error] [pid 8126]     trust_type, trust_external)
[Fri Nov 03 09:29:58.558405 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1260, in establish_trust
[Fri Nov 03 09:29:58.558411 2017] [:error] [pid 8126]     res.info_ex.sid)
[Fri Nov 03 09:29:58.558419 2017] [:error] [pid 8126] TypeError: default/librpc/gen_ndr/py_lsa.c:34540: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Fri Nov 03 09:29:58.559626 2017] [:error] [pid 8126] ipa: INFO: [jsonserver_session] admin.LDAP.LOCAL: trust_add/1(u'rl.ldap.local', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, all=True, version=u'2.228'): InternalError

Comment 2 Alexander Bokovoy 2017-11-08 08:56:37 UTC
Can you please attach full error_log? It would be good to add 'log level = 50' to /usr/share/ipa/smb.conf.empty and re-do 'ipa trust-add'.

Comment 3 josip.domsic+bugzilla 2017-11-08 11:21:06 UTC
Created attachment 1349398 [details]
Apache error log file. Generated after failed to generate trust

Comment 4 Alexander Bokovoy 2017-11-08 11:39:27 UTC
Comment on attachment 1349398 [details]
Apache error log file. Generated after failed to generate trust

Thank you. This confirms my suspicion. Did you attempt to create a trust before from AD side using "trust to MIT Kerberos"?

We get back information that trust to IPA domain exists but no SID is assigned to the IPA domain. This only happens when AD is trying to set up trust to MIT Kerberos. However, we do not support this type of trust in IPA, thus a failure. In addition, we cannot delete this trust record using LSA RPC calls because lsarDeleteTrustedDomain() requires SID which does not exist in this entry.

So I think the only way to handle this situation is to fail with an error message telling a user to delete IPA domain from list of trusts on AD side manually because trust type is wrong.

     lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
        out: struct lsa_QueryTrustedDomainInfoByName
            info                     : *
                info                     : *
                    info                     : union lsa_TrustedDomainInfo(case 8)
                    full_info: struct lsa_TrustDomainInfoFullInfo
                        info_ex: struct lsa_TrustDomainInfoInfoEx
                            domain_name: struct lsa_StringLarge
                                length                   : 0x0022 (34)
                                size                     : 0x0024 (36)
                                string                   : *
                                    string                   : 'ipa.rl.ldap.local'
                            netbios_name: struct lsa_StringLarge
                                length                   : 0x0022 (34)
                                size                     : 0x0024 (36)
                                string                   : *
                                    string                   : 'ipa.rl.ldap.local'
                            sid                      : NULL
                            trust_direction          : 0x00000003 (3)
                                   1: LSA_TRUST_DIRECTION_INBOUND
                                   1: LSA_TRUST_DIRECTION_OUTBOUND
                            trust_type               : LSA_TRUST_TYPE_MIT (3)
                            trust_attributes         : 0x00000001 (1)
                                   1: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                                   0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                                   0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                                   0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                                   0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                                   0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                                   0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                                   0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                        posix_offset: struct lsa_TrustDomainInfoPosixOffset
                            posix_offset             : 0x00000000 (0)
                        auth_info: struct lsa_TrustDomainInfoAuthInfo
                            incoming_count           : 0x00000000 (0)
                            incoming_current_auth_info: NULL
                            incoming_previous_auth_info: NULL
                            outgoing_count           : 0x00000000 (0)
                            outgoing_current_auth_info: NULL
                            outgoing_previous_auth_info: NULL
            result                   : NT_STATUS_OK

Comment 5 josip.domsic+bugzilla 2017-11-08 11:54:15 UTC
Thank you so much!

Deleting trusts on AD side helped.

Comment 6 Florence Blanc-Renaud 2017-11-15 09:56:43 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7264

Comment 7 Petr Vobornik 2017-12-12 16:47:09 UTC
master:

    956e265 ipaserver/plugins/trust.py; fix some indenting issues
    a57f613 trust: detect and error out when non-AD trust with IPA domain name exists
    c19eb49 ipaserver/plugins/trust.py: pep8 compliance

ipa-4-5:
    44524b1 ipaserver/plugins/trust.py; fix some indenting issues
    365967f trust: detect and error out when non-AD trust with IPA domain name exists
    e71f52f ipaserver/plugins/trust.py: pep8 compliance

ipa-4-6:
    0ea2e7e ipaserver/plugins/trust.py; fix some indenting issues
    c34c1da trust: detect and error out when non-AD trust with IPA domain name exists
    31c2b1d ipaserver/plugins/trust.py: pep8 compliance

Comment 9 Varun Mylaraiah 2018-01-16 11:52:11 UTC
Verified

ipa-server-4.5.4-8.el7.x86_64

Established trust between AD and IPA successfully.


1. yum install ipa-server ipa-server-trust-ad ipa-server-dns
2. ipa-server-install --setup-dns
3. ipa-adtrust-install
4. ipa -d trust-add --type=ad --all ipaad2016.test --admin Administrator --external=true --password


[root@vm-idm-028 ~]# ipa -d trust-add --type=ad --all ipaad2016.test --admin Administrator --external=true --password
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$915c043b...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$915c043b.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=Mvrq3p%2fSXz6ZP0vQl8V7mGXqaU9w4KWp0%2bQR9CxaOBiUdpdZa%2br15iL1p3xXi7gkaUb%2bKHp%2fM1KMl2zhzdJ8j%2fatgyqEq8S6z86unV6sK3lg1a%2fDX1IKJYx3N0gMW30tXW6wL8P7reNPJpbRSdosjx7Q56Ba5%2fxrEkmilyVo%2feecYAfEjPS8MFqxj1%2fU5dF8l%2boPCcVgh25W9Zu2BDqMqA%3d%3d'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=Mvrq3p%2fSXz6ZP0vQl8V7mGXqaU9w4KWp0%2bQR9CxaOBiUdpdZa%2br15iL1p3xXi7gkaUb%2bKHp%2fM1KMl2zhzdJ8j%2fatgyqEq8S6z86unV6sK3lg1a%2fDX1IKJYx3N0gMW30tXW6wL8P7reNPJpbRSdosjx7Q56Ba5%2fxrEkmilyVo%2feecYAfEjPS8MFqxj1%2fU5dF8l%2boPCcVgh25W9Zu2BDqMqA%3d%3d;'
ipa: INFO: trying https://vm-idm-028.realm1501181c.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_140025570240592
Active Directory domain administrator's password: 
ipa: DEBUG: raw: trust_add(u'ipaad2016.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', external=u'true', all=True, version=u'2.228')
ipa: DEBUG: trust_add(u'ipaad2016.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', external=True, all=True, version=u'2.228')
ipa: INFO: [try 1]: Forwarding 'trust_add/1' to json server 'https://vm-idm-028.realm1501181c.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (vm-idm-028.realm1501181c.test)
ipa: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=Mvrq3p%2fSXz6ZP0vQl8V7mGXqaU9w4KWp0%2bQR9CxaOBiUdpdZa%2br15iL1p3xXi7gkaUb%2bKHp%2fM1KMl2zhzdJ8j%2fatgyqEq8S6z86unV6sK3lg1a%2fDX1IKJYx3N0gMW30tXW6wL8P7reNPJpbRSdosjx7Q56Ba5%2fxrEkmilyVo%2feecYAfEjPS8MFqxj1%2fU5dF8l%2boPCcVgh25W9Zu2BDqMqA%3d%3d;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=Mvrq3p%2fSXz6ZP0vQl8V7mGXqaU9w4KWp0%2bQR9CxaOBiUdpdZa%2br15iL1p3xXi7gkaUb%2bKHp%2fM1KMl2zhzdJ8j%2fatgyqEq8S6z86unV6sK3lg1a%2fDX1IKJYx3N0gMW30tXW6wL8P7reNPJpbRSdosjx7Q56Ba5%2fxrEkmilyVo%2feecYAfEjPS8MFqxj1%2fU5dF8l%2boPCcVgh25W9Zu2BDqMqA%3d%3d;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_140025570240592
-----------------------------------------------
Re-established trust to domain "ipaad2016.test"
-----------------------------------------------
  dn: cn=ipaad2016.test,cn=ad,cn=trusts,dc=realm1501181c,dc=test
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
                          S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19,
                          S-1-5-20
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified
  gidnumber: 864000001
  ipantsecurityidentifier: S-1-5-21-3942277049-1447600740-1627187661-1020
  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
  ipanttrustpartner: ipaad2016.test
  ipanttrustposixoffset: 0
  ipanttrusttype: 2
  objectclass: ipaNTTrustedDomain, ipaIDobject, top
  uidnumber: 864000020
[root@vm-idm-028 ~]#



Additional info:

rpc request data:
[0000] 00 00 00 00 20 00 00 00   00 00 00 00 5D 5A 7F D7   .... ... ....]Z..
[0010] A8 6D 00 00 0D 00 0D 00   1C 00 00 00               .m...... ....
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7f6cf8877690
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7f6cf88f1690
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7f6cf8877690
s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7f6cf8877690
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f6cf88e6dc0
s4_tevent: Cancel immediate event 0x7f6cf88e6dc0 "tevent_queue_immediate_trigger"
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f6cf88e6dc0
s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7f6cf8877690
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f6cf88e6dc0
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f6cf88e6dc0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f6cf88e6dc0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f6cf88b5640
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f6cf88c0800
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f6cf88c0800
s4_tevent: Destroying timer event 0x7f6cf88b5640 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f6cf88f9010
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f6cf88f9010
s4_tevent: Schedule immediate event "tstream_smbXcli_np_readv_trans_next": 0x7f6cf88e7010
s4_tevent: Run immediate event "tstream_smbXcli_np_readv_trans_next": 0x7f6cf88e7010
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f6cf88fa620
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f6cf88fa620
s4_tevent: Destroying timer event 0x7f6cf88f1690 "dcerpc_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f6cf88f6000
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f6cf88f6000
     lsa_SetInformationTrustedDomain: struct lsa_SetInformationTrustedDomain
        out: struct lsa_SetInformationTrustedDomain
            result                   : NT_STATUS_OK
rpc reply data:
[0000] 00 00 00 00                                        ....
[Tue Jan 16 16:14:25.109115 2018] [:error] [pid 27876] ipa: INFO: [jsonserver_session] admin: trust_add/1(u'ipaad2016.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', external=True, all=True, version=u'2.228'): SUCCESS
[Tue Jan 16 16:14:25.112179 2018] [:error] [pid 27876] ipa: DEBUG: Destroyed connection context.ldap2_140105564669648

Comment 12 errata-xmlrpc 2018-04-10 16:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918