1033216 – Re-adding existing trust fails

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1033216 - Re-adding existing trust fails

Summary: Re-adding existing trust fails

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-21 17:47 UTC by Steeve Goveas
Modified:	2015-09-23 14:31 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-3.3.3-6.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 11:10:32 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Http error logs with samba log level 100 (258.93 KB, text/plain) 2013-11-21 17:47 UTC, Steeve Goveas	no flags	Details
View All

Description Steeve Goveas 2013-11-21 17:47:38 UTC

Created attachment 827403 [details]
Http error logs with samba log level 100

Description of problem:
Re-adding a trust that already exists fails with error
"ipa: ERROR: CIFS server communication error: code "-1073741811",
                  message "Unexpected information received" (both may be "None")"


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.3.3-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add trust with an AD server
2. Repeat trust-add with same AD server

Actual results:
[root@rhel7-b ~]# cat /usr/share/ipa/smb.conf.empty
[global]
log level = 100

[root@rhel7-b ~]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password:
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-b ~]# /usr/bin/ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741811",
                  message "Unexpected information received" (both may be "None")

Expected results:
Trust is re-established without any errors

Additional info:
Pasting ab's investigation from email

Ok, according to the logs this is one of cases where we should wait a
bit to allow KDC to refresh list of trusted domains before we go to the
AD DC to fetch its forest topology information:

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for @TESTRELM will expire in 86399 secs
Server cifs/ad12srv1.adtest.qe@ is not registered with our KDC:
Unspecified GSS failure.  Minor code may provide more information:
Server krbtgt/ADTEST.QE not found in Kerberos database
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
Failed initial gensec_update with mechanism spnego:
NT_STATUS_INVALID_PARAMETER

We already force KDC to refresh but some race could still be there, I
guess.

Comment 2 Jenny Severance 2013-11-21 18:48:36 UTC

Although this is a regression, it should not block beta release

Comment 4 Dmitri Pal 2013-11-21 20:29:30 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4046

Comment 5 Martin Kosek 2013-11-29 12:15:41 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/32df84f04ba300020bbc232ed7119838ae31fea6
ipa-3-3: https://fedorahosted.org/freeipa/changeset/84236d514a3fc7c49935faa089783734f7149061

Comment 8 Steeve Goveas 2013-12-18 15:11:51 UTC

[root@hp-dl380pgen8-02-vm-8 ~]# ipa trust-find
----------------
0 trusts matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@hp-dl380pgen8-02-vm-8 ~]# ipa trust-add adtest.qe --admin administrator --password
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@hp-dl380pgen8-02-vm-8 ~]# ipa trust-add adtest.qe --admin administrator --password
Active directory domain administrator's password: 
------------------------------------------
Re-established trust to domain "adtest.qe"
------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Verified in version
[root@hp-dl380pgen8-02-vm-8 ~]# rpm -q ipa-server
ipa-server-3.3.3-6.el7.x86_64

Comment 9 Ludek Smid 2014-06-13 11:10:32 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.