Bug 869741
Summary: | Re-adding an existing trust entry does not throw an exception. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Namita Soman <nsoman> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 6.4 | CC: | mkosek, spoore, xdong |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-3.0.0-8.el6 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-02-21 09:29:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Namita Soman
2012-10-24 17:13:09 UTC

Pasting email responses.

From ab:

This is normal and intended behavior. No duplication occurs; a trust relationship requires special accounts to be set up in both domains. The procedure we use for adding trusts re-creates these accounts. Since everything else will be the same, this leads only to a change in what passwords are associated with these special accounts (DOMAIN$@TRUSTED.DOMAIN for each side). The passwords would be changed anyway periodically by the underlying infrastructure.

Since there is only one mvarun.com domain available through DNS, you cannot have multiple trust entries to the same domain.

From Dmitri:

While what you say is reasonable, the general expectation would be that trust-add for an existing trust would return the error "trust already exists" instead of modifying it. Is there a trust-mod command? If there is, then trust-add should fail for the attempt to add an existing trust and trust-mod should be used to modify it. If trust-mod does not exist, maybe the trust-add command should be changed to trust-establish? That would set the right expectations that it can be re-established. Thoughts?

From ab:

We follow what Windows admins would see in such a case. They simply add/re-add the same domain trust and it replaces the existing one. trust-mod is a no-op right now since there is nothing to change.

From Rob:

Could we use a different summary when re-adding a trust to recognize that an existing one was replaced?

This will be addressed by updating the help for trust-add to set the right expectations:

+ This command establishes trust relationship to another domain
+ which becomes 'trusted'. As result, users of the trusted domain
+ may access resources of this domain.
+
+ Only trusts to Active Directory domains are supported right now.
+
+ The command can be safely run multiple times against the same domain,
+ this will cause change to trust relationship credentials on both
+ sides.
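Review bot: the added help text says re-running is safe but not what the command does to a trust that already exists, which is the question this bug raises; state explicitly that a second trust-add against the same domain replaces (re-establishes) the existing trust instead of failing with "trust already exists", and that the trust account passwords on both sides are reset as a result. Two wording fixes while here: "As result" should read "As a result", and "this will cause change to trust relationship credentials on both sides" reads better as "this will change the trust relationship credentials on both sides".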
Fixed upstream
master: 53a94211100d8622ccd2442140ff8db2ae05add9
ipa-3-0: 881fc3ac604e76f6b516a3b7869c97a97884dc92

Verified.

Version :: ipa-server-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@qe-blade-05 ~]# ipa help trust-add|head -11
Purpose: Add new trust to use.

This command establishes trust relationship to another domain
which becomes 'trusted'. As result, users of the trusted domain
may access resources of this domain.

Only trusts to Active Directory domains are supported right now.

The command can be safely run multiple times against the same domain,
this will cause change to trust relationship credentials on both
sides.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

verified on freeipa-server-3.1.3-3.fc18.x86_64.
Noticed that besides the instruction added in ipa help trust-add, the prompt for the first and second time adding the same trust is different:

[root@f18 ipa-trust-cli]# ipa trust-add --type=ad adlab.qe --admin administrator --password
Active directory domain administrator's password:
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3452862912-1583780823-338435951
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@f18 ipa-trust-cli]# ipa trust-add --type=ad adlab.qe --admin administrator --password
Active directory domain administrator's password:
-----------------------------------------
Re-established trust to domain "adlab.qe"
-----------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3452862912-1583780823-338435951
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

(In reply to comment #8)
> verified on freeipa-server-3.1.3-3.fc18.x86_64.
>
> Noticed that besides the instruction added in ipa help trust-add, the first
> and second time for adding the same trust, the prompt is different:
>

Different how? If you mean

Added Active Directory trust for realm "adlab.qe"

and

Re-established trust to domain "adlab.qe"

then it is an intended difference and the actual help for admins to distinguish between a new trust and a re-established trust.
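The practical consequence of this thread for anyone scripting trust setup is that `ipa trust-add` against an existing domain succeeds, rotates the trust account passwords on both sides, and signals that only through the changed summary line ("Re-established trust to domain" instead of "Added Active Directory trust for realm"). The following parser, added here as an example and not part of FreeIPA, reads the command's text output as shown in the transcript above, tells the two cases apart, and flags what an operator would want to know: that credentials were rotated, that the Domain Security Identifier still matches the one recorded for that domain earlier (a changed SID under the same name is a hypothetical check of mine, not something the bug discusses), and that the SID blacklists still contain the well-known SIDs the transcript lists. The sample outputs are constructed from the transcript; the function and variable names are my own.

```python
"""Parse `ipa trust-add` output to distinguish a new trust from a re-established one.

Example code added to this bug page; not part of FreeIPA. The output format is
the one shown in the transcript above.
"""
import re
from dataclasses import dataclass, field

# Summary lines exactly as ipa trust-add prints them in the transcript.
ADDED_RE = re.compile(r'^Added Active Directory trust for realm "(?P<realm>[^"]+)"$')
REESTABLISHED_RE = re.compile(r'^Re-established trust to domain "(?P<realm>[^"]+)"$')

# Well-known SIDs present in the transcript's blacklists (S-1-0..S-1-3, S-1-5-1..S-1-5-20).
WELL_KNOWN_SIDS = ["S-1-0", "S-1-1", "S-1-2", "S-1-3"] + [f"S-1-5-{n}" for n in range(1, 21)]


@dataclass
class TrustResult:
    action: str                 # "added" or "re-established"
    realm: str
    fields: dict = field(default_factory=dict)   # "Key: value" attribute lines

    @property
    def domain_sid(self):
        return self.fields.get("Domain Security Identifier")

    def blacklist(self, direction):
        raw = self.fields.get(f"SID blacklist {direction}", "")
        return [s.strip() for s in raw.split(",") if s.strip()]


def parse_trust_add(output):
    """Parse ipa trust-add output; raise ValueError if no summary line is present."""
    action = realm = None
    fields = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:        # blank line or the dashed rule around the summary
            continue
        m = ADDED_RE.match(line) or REESTABLISHED_RE.match(line)
        if m:
            action = "added" if line.startswith("Added") else "re-established"
            realm = m.group("realm")
            continue
        if action is not None and ": " in line:   # attribute lines follow the summary
            key, value = line.split(": ", 1)
            fields[key] = value.strip()
    if action is None:
        raise ValueError("no trust-add summary line in output")
    return TrustResult(action, realm, fields)


def assess(result, expected_sid=None):
    """Return findings an operator should act on; an empty list means nothing to flag."""
    findings = []
    if result.action == "re-established":
        findings.append("trust re-established: trust account passwords on both sides were rotated")
    if expected_sid and result.domain_sid != expected_sid:   # hypothetical check, see lead-in
        findings.append(f"domain SID changed: expected {expected_sid}, got {result.domain_sid}")
    for direction in ("incoming", "outgoing"):
        missing = sorted(set(WELL_KNOWN_SIDS) - set(result.blacklist(direction)))
        if missing:
            findings.append(f"SID blacklist {direction} lacks well-known SIDs: {missing}")
    if result.fields.get("Trust status") != "Established and verified":
        findings.append(f"unexpected trust status: {result.fields.get('Trust status')!r}")
    return findings


# Constructed samples mirroring the two runs in the transcript above.
_BLACKLIST = ", ".join(WELL_KNOWN_SIDS)
_ATTRIBUTES = f"""  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3452862912-1583780823-338435951
  SID blacklist incoming: {_BLACKLIST}
  SID blacklist outgoing: {_BLACKLIST}
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
"""
FIRST_RUN = ("Active directory domain administrator's password:\n"
             "-------------------------------------------------\n"
             'Added Active Directory trust for realm "adlab.qe"\n'
             "-------------------------------------------------\n" + _ATTRIBUTES)
SECOND_RUN = ("Active directory domain administrator's password:\n"
              "-----------------------------------------\n"
              'Re-established trust to domain "adlab.qe"\n'
              "-----------------------------------------\n" + _ATTRIBUTES)

if __name__ == "__main__":
    first = parse_trust_add(FIRST_RUN)
    second = parse_trust_add(SECOND_RUN)
    print(first.action, first.realm, assess(first))
    print(second.action, second.realm, assess(second, expected_sid=first.domain_sid))
```

In a provisioning script the wrapper would feed the real command's stdout to `parse_trust_add`, persist `domain_sid` after the first successful run, and pass it back as `expected_sid` on every later run; a "re-established" result is then logged as a credential rotation rather than silently treated as a no-op.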