Bug 907917

Summary: Internal error when user triggers trusted domain communication
Product: Red Hat Enterprise Linux 7
Reporter: Ann Marie Rubin <arubin>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: medium
Version: 7.0
CC: mkosek, mvarun, nsoman
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 09:18:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ann Marie Rubin 2013-02-05 14:21:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3390

When a user who is privileged to add group members, but is not a member of Trusted Admins, tries to add an external member, he receives an internal error:

{{{
# ipa user-show fbar
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Email address: fbar.test
  UID: 1230000003
  GID: 1230000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk                    <<<<<<
  Kerberos keys available: True
# kinit fbar
Password for fbar.TEST: 
# ipa group-add-member ext_all_admins --external "AD\Domain Admins"
[member user]: 
[member group]: 
ipa: ERROR: an internal error has occurred

/var/log/httpd/error_log:
[Mon Feb 04 10:09:55.085035 2013] [:error] [pid 22453] Traceback (most recent call last):
[Mon Feb 04 10:09:55.085041 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Mon Feb 04 10:09:55.085046 2013] [:error] [pid 22453]     result = self.Command[name](*args, **options)
[Mon Feb 04 10:09:55.085051 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
[Mon Feb 04 10:09:55.085056 2013] [:error] [pid 22453]     ret = self.run(*args, **options)
[Mon Feb 04 10:09:55.085060 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
[Mon Feb 04 10:09:55.085065 2013] [:error] [pid 22453]     return self.execute(*args, **options)
[Mon Feb 04 10:09:55.085070 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1546, in execute
[Mon Feb 04 10:09:55.085075 2013] [:error] [pid 22453]     **options)
[Mon Feb 04 10:09:55.085079 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 388, in post_callback
[Mon Feb 04 10:09:55.085084 2013] [:error] [pid 22453]     actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
[Mon Feb 04 10:09:55.085089 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 264, in get_trusted_domain_object_sid
[Mon Feb 04 10:09:55.085094 2013] [:error] [pid 22453]     components.get('flatname'), filter, attrs, scope)
[Mon Feb 04 10:09:55.085099 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 221, in get_trusted_domain_objects
[Mon Feb 04 10:09:55.085104 2013] [:error] [pid 22453]     self._domains = self.get_trusted_domains()
[Mon Feb 04 10:09:55.085109 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 162, in get_trusted_domains
[Mon Feb 04 10:09:55.085124 2013] [:error] [pid 22453]     entry[1][self.ATTR_TRUST_AUTHOUT][0])
[Mon Feb 04 10:09:55.085129 2013] [:error] [pid 22453] KeyError: 'ipanttrustauthoutgoing'
[Mon Feb 04 10:09:55.085498 2013] [:error] [pid 22453] ipa: INFO: fbar.TEST: group_add_member(u'ext_all_admins', ipaexternalmember=(u'AD\\\\Domain Admins',), all=False, raw=False, version=u'2.47'): KeyError
}}}
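The failure mode in the traceback, as a constructed Python sketch added here (not FreeIPA's code and not the upstream fix): the trust entry comes back to the helpdesk user without the 'ipanttrustauthoutgoing' attribute, and indexing it directly turns a permission problem into an internal error, whereas checking for the attribute first lets the server report an access error. The entry DNs, attribute values, the 'ipantflatname' key and the TrustAccessError class are assumptions.

```python
# Constructed illustration of the KeyError in the traceback above; this is
# not FreeIPA's code or its fix. Entries are modelled as the (dn, {attr: [values]})
# tuples a python-ldap search returns.
ATTR_TRUST_AUTHOUT = 'ipanttrustauthoutgoing'
ATTR_FLATNAME = 'ipantflatname'  # assumed attribute name for the flat (NetBIOS) name


class TrustAccessError(Exception):
    """Raised when the caller cannot read the trust attributes it needs (assumed)."""


# Constructed search result as seen by an admin: every attribute is readable.
ENTRIES_ADMIN = [
    ('cn=ad.test,cn=ad,cn=trusts,dc=example,dc=test',
     {ATTR_FLATNAME: ['AD'], ATTR_TRUST_AUTHOUT: ['<opaque blob>']}),
]
# Same search as seen by a helpdesk user: the ACI hides the sensitive
# attribute, so the key is simply absent from the returned dict.
ENTRIES_HELPDESK = [
    ('cn=ad.test,cn=ad,cn=trusts,dc=example,dc=test',
     {ATTR_FLATNAME: ['AD']}),
]


def get_trusted_domains_unguarded(entries):
    """Indexes the attribute directly: raises KeyError when it is not visible."""
    return {e[1][ATTR_FLATNAME][0]: e[1][ATTR_TRUST_AUTHOUT][0] for e in entries}


def get_trusted_domains_guarded(entries):
    """Checks for the attribute first and reports an access problem instead."""
    domains = {}
    for dn, attrs in entries:
        if ATTR_TRUST_AUTHOUT not in attrs:
            raise TrustAccessError(
                'cannot read %s on %s; caller lacks permission on trust objects'
                % (ATTR_TRUST_AUTHOUT, dn))
        domains[attrs[ATTR_FLATNAME][0]] = attrs[ATTR_TRUST_AUTHOUT][0]
    return domains


def outcome(func, entries):
    """Returns the exception class name, or 'ok', for a given caller's view."""
    try:
        func(entries)
    except Exception as exc:
        return type(exc).__name__
    return 'ok'
```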

Comment 1 Rob Crittenden 2013-02-20 18:26:28 UTC
Fixed upstream.

master: a41e10f0ebdd0be543d36b3bbe795d92974b0a2e

ipa-3-1: b238fc13ef98afb0bae4c479be1fc2c7fa94468d

Comment 6 Varun Mylaraiah 2014-01-31 14:04:59 UTC
These are the steps I followed. Let me know if I am missing anything.

-----------------------------------------
[root@rhel7ad ~]# ipa user-show fbar
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Email address: fbar
  UID: 1875600045
  GID: 1875600045
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk
  Kerberos keys available: True


[root@rhel7ad ~]# kinit fbar
Password for fbar:

[root@rhel7ad ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_Y7YH42Q
Default principal: fbar

Valid starting       Expires              Service principal
01/31/2014 00:22:29  02/01/2014 00:22:29  krbtgt/TESTRELM.COM


[root@rhel7ad ~]# ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
[member user]: 
[member group]: 
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.



/var/log/httpd/error_log

[Fri Jan 31 00:23:13.974923 2014] [:error] [pid 13506] ipa: INFO: fbar: group_add_member(u'ext_all_admins', ipaexternalmember=(u'IPAQE1\\\\Administrator',), all=False, raw=False, version=u'2.65', no_members=False): ACIError
[Fri Jan 31 00:23:13.974994 2014] [:error] [pid 13506] ipa: DEBUG: response: ACIError: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.
[Fri Jan 31 00:23:13.975645 2014] [:error] [pid 13506] ipa: DEBUG: no session id in request, generating empty session data with id=b3ef224f9bc21c11e2d694d217c86e89
[Fri Jan 31 00:23:13.975818 2014] [:error] [pid 13506] ipa: DEBUG: store session: session_id=b3ef224f9bc21c11e2d694d217c86e89 start_timestamp=2014-01-31T00:23:13 access_timestamp=2014-01-31T00:23:13 expiration_timestamp=1970-01-01T05:30:00

Comment 7 Martin Kosek 2014-02-24 16:20:02 UTC
Yes, it should be enough. But it would also be interesting to assign the role "User Administrator" to the user "fbar" so that it has the actual write permission to the membership attribute:

$ kinit admin
$ ipa role-add-member "User Administrator" --users "fbar"
$ kinit fbar
$ ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"

Comment 8 Varun Mylaraiah 2014-02-26 14:46:00 UTC
Verified in ipa-server-3.3.3-17.el7.x86_64

[root@rhel7ad ~]# kinit admin
Password for admin: 


[root@rhel7ad ~]# ipa role-add-member "User Administrator" --users "fbar"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Member users: fbar
  Privileges: User Administrators, Group Administrators
-------------------------
Number of members added 1
-------------------------

[root@rhel7ad ~]# kinit fbar
Password for fbar: 

[root@rhel7ad ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_zDiWSuc
Default principal: fbar

Valid starting       Expires              Service principal
02/26/2014 17:47:22  02/27/2014 17:47:22  krbtgt/TESTRELM.COM


[root@rhel7ad ~]# ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
[member user]: 
[member group]: 
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.

Comment 9 Ludek Smid 2014-06-13 09:18:58 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.