Bug 869741

Summary: Re-adding an existing entry in trust does not throw exception.
Product: Red Hat Enterprise Linux 6
Reporter: Namita Soman <nsoman>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.4
CC: mkosek, spoore, xdong
Target Milestone: rc
Fixed In Version: ipa-3.0.0-8.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 09:29:16 UTC

Description Namita Soman 2012-10-24 17:13:09 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3172

Steps to Reproduce in WebUI:
Add existing Trust as follows:
 1. Select Add in IPA Server Trusts
 2. Enter AD Domain
 3. Select Administrator Account
 4. Enter existing Account and password
 
Actual results in Web UI:
Trust Established and verified.

Steps to Reproduce in CLI:
Add the existing trust again and again:
#ipa trust-add --type=ad mvarun.com --admin administrator --password
Active directory domain administrator's password:

#ipa trust-add --type=ad mvarun.com --admin administrator --password
Active directory domain administrator's password:

Actual results in CLI:
---------------------------------------------------
Added Active Directory trust for realm "mvarun.com"
---------------------------------------------------
  Realm name: mvarun.com
  Domain NetBIOS name: MVARUN
  Domain Security Identifier: S-1-5-21-3517319380-3484331254-4086128528
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

---------------------------------------------------
Added Active Directory trust for realm "mvarun.com"
---------------------------------------------------
  Realm name: mvarun.com
  Domain NetBIOS name: MVARUN
  Domain Security Identifier: S-1-5-21-3517319380-3484331254-4086128528
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Expected results in WebUI and CLI:

trust-add for an existing trust should return the error "trust already exists" instead of modifying it.

Comment 1 Namita Soman 2012-10-24 17:19:08 UTC
Pasting email responses:

From ab:
This is normal and intended behavior. No duplication occurs; trust
relationship requires special accounts to be set up in both domains. The
procedure we use for adding trusts re-creates these accounts. Since
everything else will be the same, this leads only to change in what
passwords are associated with these special accounts
(DOMAIN$@TRUSTED.DOMAIN for each side). The passwords would be changed
anyway periodically by the underlying infrastructure.

Since there is only one mvarun.com domain available through DNS, you
cannot have multiple trust entries to the same domain.

From Dmitri:
While what you say is reasonable, the general expectation would be
that trust-add for an existing trust would return the error "trust already
exists" instead of modifying it. Is there a trust-mod command? If there
is, then trust-add should fail for the attempt to add an existing trust and
trust-mod should be used to modify it. If trust-mod does not exist, maybe
the trust-add command should be changed to trust-establish? That
would set the right expectation that it can be re-established.
Thoughts?

From ab:
We follow what Windows admins would see in such a case. They simply
add/re-add the same domain trust and it replaces the existing one.

trust-mod is no-op right now since there is nothing to change.

From Rob:
Could we use a different summary when re-adding a trust to recognize
that an existing one was replaced?

This will be addressed by updating the help for trust-add to set the right expectations:
+    This command establishes trust relationship to another domain
+    which becomes 'trusted'. As result, users of the trusted domain
+    may access resources of this domain.
+
+    Only trusts to Active Directory domains are supported right now.
+
+    The command can be safely run multiple times against the same domain,
+    this will cause change to trust relationship credentials on both
+    sides.
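Review bot: the new help text has grammar problems worth fixing before it ships: "establishes trust relationship to another domain" should read "establishes a trust relationship with another domain", "As result" should read "As a result", and the last paragraph joins two sentences with a comma ("against the same domain, this will cause change to ..."); "The command can be safely run multiple times against the same domain. Doing so changes the trust relationship credentials on both sides." is clearer. The hunk also does not answer Rob's question above about a different summary when an existing trust is replaced; if that is done separately, one sentence here telling admins to expect a different summary on a re-run would set the expectation this change is meant to set.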

Comment 2 Rob Crittenden 2012-11-02 17:43:49 UTC
Fixed upstream

master: 53a94211100d8622ccd2442140ff8db2ae05add9

ipa-3-0: 881fc3ac604e76f6b516a3b7869c97a97884dc92

Comment 4 Scott Poore 2012-11-20 16:16:56 UTC
Verified.

Version ::

ipa-server-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@qe-blade-05 ~]# ipa help trust-add|head -11
Purpose: Add new trust to use.

This command establishes trust relationship to another domain
which becomes 'trusted'. As result, users of the trusted domain
may access resources of this domain.

Only trusts to Active Directory domains are supported right now.

The command can be safely run multiple times against the same domain,
this will cause change to trust relationship credentials on both
sides.

Comment 7 errata-xmlrpc 2013-02-21 09:29:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Comment 8 Xiyang Dong 2013-04-02 17:01:33 UTC
Verified on freeipa-server-3.1.3-3.fc18.x86_64.

Noticed that, besides the instruction added in ipa help trust-add, the prompt differs between the first and second time the same trust is added:

[root@f18 ipa-trust-cli]# ipa trust-add --type=ad adlab.qe --admin administrator --password
Active directory domain administrator's password: 
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3452862912-1583780823-338435951
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4,
                          S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11,
                          S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                          S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4,
                          S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11,
                          S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                          S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@f18 ipa-trust-cli]# ipa trust-add --type=ad adlab.qe --admin administrator --password
Active directory domain administrator's password: 
-----------------------------------------
Re-established trust to domain "adlab.qe"
-----------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3452862912-1583780823-338435951
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4,
                          S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11,
                          S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                          S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4,
                          S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11,
                          S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
                          S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Comment 9 Martin Kosek 2013-04-03 06:41:13 UTC
(In reply to comment #8)
> verified on freeipa-server-3.1.3-3.fc18.x86_64.
> 
> Noticed that besides the instruction added in ipa help trust-add, the first
> and second time for adding the same trust ,the prompt is different:
> 

Different how? If you mean

Added Active Directory trust for realm "adlab.qe"

and

Re-established trust to domain "adlab.qe"

then it is an intended difference, and it actually helps admins distinguish between a new trust and a re-established trust.
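The two summaries above are the only signal an admin gets that a trust-add run replaced existing trust credentials rather than creating a new trust. The following parser, an added example and not FreeIPA code, turns trust-add output (the format shown in comment 8, including the wrapped SID blacklist lines) into an audit record that flags a re-establishment; the sample output is constructed and the blacklist is shortened.

```python
# Added example (not FreeIPA code): parse `ipa trust-add` output and flag re-runs,
# since re-adding an existing trust rotates the trust credentials on both sides.
import re

# Constructed sample modelled on the second run in comment 8 (blacklist shortened)
SAMPLE_OUTPUT = """\
Active directory domain administrator's password:
-----------------------------------------
Re-established trust to domain "adlab.qe"
-----------------------------------------
  Realm name: adlab.qe
  Domain Security Identifier: S-1-5-21-3452862912-1583780823-338435951
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1,
                          S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust status: Established and verified
"""

SUMMARY = re.compile(r"^-{3,}\n(.+)\n-{3,}$", re.M)  # summary line between two rules
FIELD = re.compile(r"^\s+([A-Za-z][^:]*):\s*(.*)$")  # "  Key: value" attribute line

def parse_trust_add_output(text):
    """Return (summary, attrs); wrapped values such as SID blacklists are joined."""
    m = SUMMARY.search(text)
    summary, attrs, last_key = (m.group(1) if m else None), {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last_key = m.group(1).strip()
            attrs[last_key] = m.group(2).strip()
        elif last_key and line.startswith("  ") and line.strip():
            attrs[last_key] += " " + line.strip()  # continuation of a wrapped value
    return summary, attrs

def classify_summary(summary):
    """Map the summary banner to the event kind an audit log should record."""
    if summary.startswith("Added Active Directory trust for realm"):
        return "trust-added"
    if summary.startswith("Re-established trust to domain"):
        return "trust-reestablished"
    return "unknown"

def audit_record(text):
    """Audit record for one run; re-establishment means the credentials changed."""
    summary, attrs = parse_trust_add_output(text)
    kind = classify_summary(summary or "")
    return {"event": kind, "realm": attrs.get("Realm name"),
            "sid": attrs.get("Domain Security Identifier"),
            "credentials_rotated": kind == "trust-reestablished"}
```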