Bug 2392626

Summary: samba-4.23.0-0.5.rc3 breaks ipa trust-add
Product: [Fedora] Fedora Reporter: Florence Blanc-Renaud <frenaud>
Component: sambaAssignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 43CC: abokovoy, anoopcs, asn, awilliam, gdeschner, kparal, lruzicka, pfilipen, robatino, sbose, ssorce
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
URL: https://pagure.io/freeipa/issue/9847
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: samba-4.23.0-0.7.rc3.fc44 samba-4.23.0-0.8.rc4.fc43 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-09-12 04:29:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2324224    

Description Florence Blanc-Renaud 2025-09-02 15:47:12 UTC 
With the update to samba 4.23.0-0.5.rc3, the 'ipa trust-add' functionality is broken.

Please see details in https://pagure.io/freeipa/issue/9847

Scenario: install and configure a IPA server, configure as trust controller using ipa-adtrust-install, try to add a trust to an AD controller with 'ipa trust-add'.

The call to 'ipa trust-add' fails with:
ipa: ERROR: CIFS server communication error: code "3221225485", message "An invalid parameter was passed to a service or function." (both may be "None")

Reproducible: Always

Steps to Reproduce:
1. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders --no-dnssec-validation -a Secret123 -p Secret123 -U
2. ipa-adtrust-install
3. ipa dnsforwardzone-add ad.test --forwarder $IP_ADDR --forward-policy only
4. ipa trust-add ad.test --type ad --admin Administrator --password
Actual Results:
ipa: ERROR: CIFS server communication error: code "3221225485", message "An invalid parameter was passed to a service or function." (both may be "None")

Expected Results:
The trust should be added:

------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3247149954-2456180507-1505921947
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
Comment 1 Florence Blanc-Renaud 2025-09-02 15:48:16 UTC 
Please see also https://bugzilla.samba.org/show_bug.cgi?id=15902
Comment 2 Fedora Blocker Bugs Application 2025-09-03 07:34:05 UTC 
Proposed as a Blocker for 43-beta by Fedora user abbra using the blocker tracking app because:

 Samba 4.23.0 is not yet released, Fedora 43 has release candidate builds. These builds broke FreeIPA trust to Active Directory due to internal refactor in Samba 4.23. This includes also Samba AD, making FreeIPA in Fedora not being able to establish trust to Samba AD in Fedora.

Since this is a regression of a pretty important functionality for FreeIPA, we consider this a blocker bug. We have identified the fix (under review upstream) that is already tested to restore the FreeIPA feature.
Comment 3 Fedora Update System 2025-09-03 13:50:46 UTC 
FEDORA-2025-cb15b4a48c (samba-4.23.0-0.5.rc3.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c
Comment 4 Fedora Update System 2025-09-03 14:08:34 UTC 
FEDORA-2025-7accbc6c23 (samba-4.23.0-0.7.rc3.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-7accbc6c23
Comment 5 Fedora Update System 2025-09-03 15:02:01 UTC 
FEDORA-2025-7accbc6c23 (samba-4.23.0-0.7.rc3.fc44) has been pushed to the Fedora 44 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 Adam Williamson 2025-09-03 21:10:02 UTC 
Re-opening because this is for F43 and proposed as a blocker; we can't let it be closed just because the update went out for Rawhide.
Comment 7 Fedora Update System 2025-09-04 01:13:13 UTC 
FEDORA-2025-cb15b4a48c has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cb15b4a48c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2025-09-05 01:28:42 UTC 
FEDORA-2025-cb15b4a48c has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cb15b4a48c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Kamil Páral 2025-09-08 09:57:46 UTC 
Discussed at https://pagure.io/fedora-qa/blocker-review/issue/1903

Rejected as a Beta blocker, because this doesn't seem to hit any of the existing release criteria.
Rejected as a Beta freeze exception, because this doesn't seem to need to be pushed stable before Beta is released, having it in updates-testing should be good enough.
Comment 10 Kamil Páral 2025-09-08 12:54:23 UTC 
Resetting the Beta Freeze Exception vote based on discussion in the blocker ticket.
Comment 11 Lukas Ruzicka 2025-09-08 17:37:43 UTC 
Discussed at the 2025-09-08 (blocker / freeze exception) review meeting:

This is the first part of a fix that should prevent server folks with specific FreeIPA configuration from encountering a broken upgrade process.

https://meetbot-raw.fedoraproject.org//blocker-review_matrix_fedoraproject-org/2025-09-08/f43-blocker-review.2025-09-08-16.00.txt
Comment 12 Fedora Update System 2025-09-10 01:36:16 UTC 
FEDORA-2025-cb15b4a48c has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cb15b4a48c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 13 Fedora Update System 2025-09-11 02:21:36 UTC 
FEDORA-2025-cb15b4a48c has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cb15b4a48c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 14 Fedora Update System 2025-09-12 04:29:20 UTC 
FEDORA-2025-cb15b4a48c (freeipa-4.12.2-18.fc43 and samba-4.23.0-0.8.rc4.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.