Bug 1664023

| Field | Value |
|---|---|
| Summary | ipa trust-add fails with ipa: ERROR: an internal error has occurred |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Varun Mylaraiah <mvarun> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Kaleem <ksiddiqu> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 8.0 |
| CC | abokovoy, arajendr, cheimes, ksiddiqu, pvoborni, rcritten, tscherf, wchadwic |
| Target Milestone | rc |
| Keywords | Regression, TestBlocker |
| Target Release | 8.0 |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-06-14 01:25:55 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
There is a conflicting TLN (example.test), so we need to create an exclusion entry for example.test (us) at the remote forest (realmmv071.test). We request the forest's topology and try to process it. However, when processing the entries in the topology we assumed they are of a particular type, while this one shows more than one type of entry:

```
lsa_lsaRQueryForestTrustInformation: struct lsa_lsaRQueryForestTrustInformation
    out: struct lsa_lsaRQueryForestTrustInformation
        forest_trust_info        : *
            forest_trust_info        : *
                forest_trust_info: struct lsa_ForestTrustInformation
                    count                    : 0x00000003 (3)
                    entries                  : *
                        entries: ARRAY(3)
                            entries                  : *
                                entries: struct lsa_ForestTrustRecord
                                    flags                    : 0x00000000 (0)
                                           0: LSA_TLN_DISABLED_NEW
                                           0: LSA_TLN_DISABLED_ADMIN
                                           0: LSA_TLN_DISABLED_CONFLICT
                                           0: LSA_SID_DISABLED_ADMIN
                                           0: LSA_SID_DISABLED_CONFLICT
                                           0: LSA_NB_DISABLED_ADMIN
                                           0: LSA_NB_DISABLED_CONFLICT
                                    type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
                                    time                     : Mon Jan 7 02:14:30 2019 EST
                                    forest_trust_data        : union lsa_ForestTrustData(case 0)
                                    top_level_name: struct lsa_StringLarge
                                        length                   : 0x001e (30)
                                        size                     : 0x0020 (32)
                                        string                   : *
                                            string                   : 'realmmv071.test'
                            entries                  : *
                                entries: struct lsa_ForestTrustRecord
                                    flags                    : 0x00000000 (0)
                                           0: LSA_TLN_DISABLED_NEW
                                           0: LSA_TLN_DISABLED_ADMIN
                                           0: LSA_TLN_DISABLED_CONFLICT
                                           0: LSA_SID_DISABLED_ADMIN
                                           0: LSA_SID_DISABLED_CONFLICT
                                           0: LSA_NB_DISABLED_ADMIN
                                           0: LSA_NB_DISABLED_CONFLICT
                                    type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
                                    time                     : Mon Jan 7 02:14:30 2019 EST
                                    forest_trust_data        : union lsa_ForestTrustData(case 0)
                                    top_level_name: struct lsa_StringLarge
                                        length                   : 0x0018 (24)
                                        size                     : 0x001a (26)
                                        string                   : *
                                            string                   : 'example.test'
                            entries                  : *
                                entries: struct lsa_ForestTrustRecord
                                    flags                    : 0x00000000 (0)
                                           0: LSA_TLN_DISABLED_NEW
                                           0: LSA_TLN_DISABLED_ADMIN
                                           0: LSA_TLN_DISABLED_CONFLICT
                                           0: LSA_SID_DISABLED_ADMIN
                                           0: LSA_SID_DISABLED_CONFLICT
                                           0: LSA_NB_DISABLED_ADMIN
                                           0: LSA_NB_DISABLED_CONFLICT
                                    type                     : LSA_FOREST_TRUST_DOMAIN_INFO (2)
                                    time                     : Mon Jan 7 03:19:00 2019 EST
                                    forest_trust_data        : union lsa_ForestTrustData(case 2)
                                    domain_info: struct lsa_ForestTrustDomainInfo
                                        domain_sid               : *
                                            domain_sid               : S-1-5-21-3770167905-2907243591-2927179109
                                        dns_domain_name: struct lsa_StringLarge
                                            length                   : 0x001e (30)
                                            size                     : 0x0020 (32)
                                            string                   : *
                                                string                   : 'realmmv071.test'
                                        netbios_domain_name: struct lsa_StringLarge
                                            length                   : 0x0014 (20)
                                            size                     : 0x0016 (22)
                                            string                   : *
                                                string                   : 'REALMMV071'
        result                   : NT_STATUS_OK
```

As a result, we attempt to address realmmv071.test's entry as 'forest_trust_data.string', which should be 'forest_trust_data.dns_domain_name.string'.

Upstream ticket: https://pagure.io/freeipa/issue/7828

Fixed upstream master:
https://pagure.io/freeipa/c/3c38aea6fc71fe55b73869f9692d590b9d528935
https://pagure.io/freeipa/c/2aa24eedf2443367272fe2e41bb9dcf508533a18

Fixed upstream ipa-4-7:
https://pagure.io/freeipa/c/e5471e66c6a718ffa28433813b8a8d7896b16d9e
https://pagure.io/freeipa/c/736d2e00d2751e6851e5613dabe8b3f96fb74c92

Fixed upstream ipa-4-6:
https://pagure.io/freeipa/c/d946d0ddd4aab65b33656f7799db009cc7020bb9

Verified.

ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64
ipa-server-trust-ad-4.7.1-10.module+el8+2699+aa606a46.x86_64

```
[root@vm-idm-016 ~]# echo <XXXXXXX> | ipa trust-add ipaad2016.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
-----------------------------------------------
Re-established trust to domain "ipaad2016.test"
-----------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@vm-idm-016 ~]# ipa dnszone-add example.test --name-server=vm-idm-016.testuser2301.test. --admin-email=hostmaster
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute. NS record(s) can be edited in zone apex - '@'.
  Zone name: example.test.
  Active zone: TRUE
  Authoritative nameserver: vm-idm-016.testuser2301.test.
  Administrator e-mail address: hostmaster.example.test
  SOA serial: 1548247167
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTUSER2301.TEST krb5-self * A; grant TESTUSER2301.TEST krb5-self * AAAA; grant TESTUSER2301.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@vm-idm-016 ~]# echo <XXXXXXX> | ipa trust-add ipaad2016.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
ipa: ERROR: Forest 'ipaad2016.test' has existing trust to forest(s) ['testrelmf261.test'] which prevents a trust to 'testuser2301.test'
```

- Now seeing the proper error message instead of "ipa: ERROR: an internal error has occurred".
- From AD (ipaad2016.test) point of view, "example.test" is already owned by "testrelmf261.test".

Based on the above observation, marking the bug VERIFIED.

================
Additional info:
================
/var/log/httpd/error_log

```
[Wed Jan 23 18:09:37.941424 2019] [:warn] [pid 10559:tid 140267306800896] [client 10.65.206.150:45942] failed to set perms (3140) on file (/run/ipa/ccaches/admin)!, referer: https://vm-idm-016.testuser2301.test/ipa/xml
[Wed Jan 23 18:09:44.267755 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: ERROR: When setting forest trust information, got collision info back:
[Wed Jan 23 18:09:44.267936 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] lsa_ForestTrustCollisionInfo: struct lsa_ForestTrustCollisionInfo
[Wed Jan 23 18:09:44.267991 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]     count                    : 0x00000001 (1)
[Wed Jan 23 18:09:44.268016 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]     entries                  : *
[Wed Jan 23 18:09:44.268041 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]         entries: ARRAY(1)
[Wed Jan 23 18:09:44.268064 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]             entries                  : *
[Wed Jan 23 18:09:44.268086 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                 entries: struct lsa_ForestTrustCollisionRecord
[Wed Jan 23 18:09:44.268109 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                     index                    : 0x00000001 (1)
[Wed Jan 23 18:09:44.268130 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                     type                     : LSA_FOREST_TRUST_COLLISION_TDO (0)
[Wed Jan 23 18:09:44.268145 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                     flags                    : 0x00000004 (4)
[Wed Jan 23 18:09:44.268159 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            0: LSA_TLN_DISABLED_NEW
[Wed Jan 23 18:09:44.268173 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            0: LSA_TLN_DISABLED_ADMIN
[Wed Jan 23 18:09:44.268187 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            1: LSA_TLN_DISABLED_CONFLICT
[Wed Jan 23 18:09:44.268201 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            0: LSA_SID_DISABLED_ADMIN
[Wed Jan 23 18:09:44.268214 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            0: LSA_SID_DISABLED_CONFLICT
[Wed Jan 23 18:09:44.268228 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            1: LSA_NB_DISABLED_ADMIN
[Wed Jan 23 18:09:44.268242 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                            0: LSA_NB_DISABLED_CONFLICT
[Wed Jan 23 18:09:44.268256 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                     name: struct lsa_String
[Wed Jan 23 18:09:44.268270 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         length                   : 0x0022 (34)
[Wed Jan 23 18:09:44.268283 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         size                     : 0x0024 (36)
[Wed Jan 23 18:09:44.268297 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         string                   : *
[Wed Jan 23 18:09:44.268311 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                             string                   : 'testrelmf261.test'
[Wed Jan 23 18:09:44.268365 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]
[Wed Jan 23 18:09:44.268620 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: ERROR: Attempt to solve forest trust topology conflicts
[Wed Jan 23 18:09:44.744863 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: ERROR: Unable to resolve conflict for DNS domain testuser2301.test in the forest ipaad2016.test for in-forest domain testrelmf261.test. Trust cannot be established unless this conflict is fixed manually.
[Wed Jan 23 18:09:44.745958 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: INFO: [jsonserver_session] admin: trust_add/1('ipaad2016.test', realm_admin='Administrator', realm_passwd='********', range_type='ipa-ad-trust', bidirectional=True, version='2.230'): TrustTopologyConflictError
[Wed Jan 23 19:05:36.981095 2019] [:warn] [pid 10559:tid 140267399120640] [client 10.65.206.150:45986] failed to set perms (3140) on file (/run/ipa/ccaches/admin)!, referer: https://vm-idm-016.testuser2301.test/ipa/xml
INFO: Current debug levels: all: 50 tdb: 50 printdrivers: 50
```
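The record-type mismatch described in the comment above, as an added example that is neither FreeIPA's nor Samba's code: the three lsa_ForestTrustRecord variants are modelled with plain dataclasses constructed from the dump (only the fields the walk touches are modelled; `StringLarge`, `DomainInfo` and `ForestTrustRecord` are stand-ins, not the NDR bindings), the type-blind read that produced the internal error sits next to a read that dispatches on `type`, and `add_exclusion` shows the operation the comment says is needed, appending a TOP_LEVEL_NAME_EX entry for example.test to the remote forest's topology while carrying every existing entry, DOMAIN_INFO included, through unchanged. The numeric record-type values are taken from MS-LSAD and agree with the "(0)" and "(2)" in the dump; everything else here is illustrative.

```python
"""Type-aware walk over lsa_ForestTrustRecord entries (added example, not
FreeIPA or Samba code). The dataclasses are a constructed stand-in for the
Samba NDR objects in the dump; only the fields used below are modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# LSA_FOREST_TRUST_RECORD_TYPE values (MS-LSAD). The dump shows "(0)" and "(2)".
LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0
LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1
LSA_FOREST_TRUST_DOMAIN_INFO = 2


@dataclass
class StringLarge:
    """Stand-in for lsa_StringLarge (union arms for types 0 and 1)."""
    string: str


@dataclass
class DomainInfo:
    """Stand-in for lsa_ForestTrustDomainInfo (union arm for type 2)."""
    domain_sid: str
    dns_domain_name: StringLarge
    netbios_domain_name: StringLarge


@dataclass
class ForestTrustRecord:
    """Stand-in for lsa_ForestTrustRecord; forest_trust_data is the union."""
    type: int
    flags: int
    forest_trust_data: Union[StringLarge, DomainInfo]


def record_dns_name_buggy(rec: ForestTrustRecord) -> str:
    """The assumption the comment describes: every entry is treated as a TLN,
    so the union is read as if it always held lsa_StringLarge."""
    return rec.forest_trust_data.string


def record_dns_name(rec: ForestTrustRecord) -> str:
    """Read the DNS name through the union arm that rec.type selects."""
    if rec.type in (LSA_FOREST_TRUST_TOP_LEVEL_NAME,
                    LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX):
        return rec.forest_trust_data.string
    if rec.type == LSA_FOREST_TRUST_DOMAIN_INFO:
        return rec.forest_trust_data.dns_domain_name.string
    raise ValueError(f"unknown lsa_ForestTrustRecord type {rec.type}")


def walk_buggy(records: List[ForestTrustRecord]) -> Tuple[Optional[List[str]], Optional[str]]:
    """Reproduce the failure mode: returns (names, None) on success or
    (None, error text) when a DOMAIN_INFO entry is hit by the blind read."""
    try:
        return [record_dns_name_buggy(r) for r in records], None
    except AttributeError as exc:
        return None, str(exc)


def add_exclusion(records: List[ForestTrustRecord],
                  excluded: str) -> List[ForestTrustRecord]:
    """Return a copy of the remote forest's topology with a TOP_LEVEL_NAME_EX
    entry for `excluded`, unless one is already present. All existing entries,
    whatever their type, are carried over unchanged."""
    for rec in records:
        # Walks every record type without crashing on DOMAIN_INFO.
        if (rec.type == LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX
                and record_dns_name(rec).lower() == excluded.lower()):
            return list(records)
    return list(records) + [ForestTrustRecord(
        type=LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX, flags=0,
        forest_trust_data=StringLarge(excluded))]


# Constructed from the three entries in the dump above.
REMOTE_TOPOLOGY = [
    ForestTrustRecord(LSA_FOREST_TRUST_TOP_LEVEL_NAME, 0, StringLarge("realmmv071.test")),
    ForestTrustRecord(LSA_FOREST_TRUST_TOP_LEVEL_NAME, 0, StringLarge("example.test")),
    ForestTrustRecord(LSA_FOREST_TRUST_DOMAIN_INFO, 0, DomainInfo(
        "S-1-5-21-3770167905-2907243591-2927179109",
        StringLarge("realmmv071.test"), StringLarge("REALMMV071"))),
]

if __name__ == "__main__":
    print("type-blind walk:", walk_buggy(REMOTE_TOPOLOGY))
    print("type-aware walk:", [record_dns_name(r) for r in REMOTE_TOPOLOGY])
    for r in add_exclusion(REMOTE_TOPOLOGY, "example.test"):
        print(r.type, record_dns_name(r))
```

The blind walk fails on the third entry exactly as the comment says, because a `DomainInfo` arm has no `string` attribute; the type-aware walk reads `dns_domain_name.string` there instead, and `add_exclusion` is idempotent so a topology that already carries the exclusion is returned unchanged.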
Created attachment 1519026 [details]
/var/log/httpd/error_log

Description of problem:
ipa trust-add fails with ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
ipa-server-trust-ad-4.7.1-7.module+el8+2555+b334d87b.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install IPA server and establish trust with AD
2. ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
3. ipa dnszone-add example.test --name-server=<hostname> --admin-email=hostmaster
4. ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True

Actual results:
ipa: ERROR: an internal error has occurred

Expected results:
ipa trust-add should be successful

Additional info:
Attached error_log with 'log level = 50' to /usr/share/ipa/smb.conf.empty

Discussion with Dev:
Alexander Bokovoy: "So we got back entry with LSA_FOREST_TRUST_DOMAIN_INFO and need to adapt to that. Should be simple"

Console Output:

```
[root@kvm-04-guest10 ~]# echo <xxxxxx> | ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
-------------------------------------------------------
Added Active Directory trust for realm "ipaad2016.test"
-------------------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@kvm-04-guest10 ~]# ipa dnszone-add example.test --name-server=kvm-04-guest10.realmmv073.test. --admin-email=hostmaster
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute. NS record(s) can be edited in zone apex - '@'.
  Zone name: example.test.
  Active zone: TRUE
  Authoritative nameserver: kvm-04-guest10.realmmv073.test.
  Administrator e-mail address: hostmaster.example.test
  SOA serial: 1546866033
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant REALMMV073.TEST krb5-self * A; grant REALMMV073.TEST krb5-self * AAAA; grant REALMMV073.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@kvm-04-guest10 ~]# echo <xxxxxx> | ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
ipa: ERROR: an internal error has occurred
```