Bug 1070924 - Access is not rejected for disabled domain
Summary: Access is not rejected for disabled domain
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-27 18:30 UTC by Martin Kosek
Modified: 2015-09-23 15:27 UTC (History)

Fixed In Version: ipa-3.3.3-21.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:59:54 UTC
Target Upstream Version:
Embargoed:



Description Martin Kosek 2014-02-27 18:30:02 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4207

{{{
[root@dhcp207-218 ipa-idrange-cli]# echo Secret123 | ipa trust-add --type=ad adtest.qe --admin administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-218 ipa-idrange-cli]# getent passwd testu1.qe
testu1.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1:

[root@dhcp207-218 ipa-idrange-cli]# ssh -o StrictHostKeyChecking=no -l testu1.qe `hostname` echo 'login successful'
testu1.qe.test's password: 
Permission denied, please try again.
testu1.qe.test's password: 

[root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-disable adtest.qe pune.adtest.qe ; sleep 120; ssh -o StrictHostKeyChecking=no -l testu1.qe `hostname` echo 'login successful'
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
testu1.qe.test's password: 
login successful

[root@dhcp207-218 ipa-idrange-cli]# ipa trustdomain-enable adtest.qe pune.adtest.qe ; sleep 120 ;ssh -o StrictHostKeyChecking=no -l testu1.qe `hostname` echo 'login successful'
-------------------------------------
Enabled trust domain "pune.adtest.qe"
-------------------------------------
testu1.qe.test's password: 
login successful

[root@dhcp207-218 ~]# tail -f /var/log/krb5kdc.log

--------------------------------------------
Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test for ldap/dhcp207-218.testrelm.test
Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): ... CONSTRAINED-DELEGATION s4u-client=admin
Feb 27 19:28:10 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): bad realm transit path from 'testu1.QE' to 'host/dhcp207-218.testrelm.test' via 'ADTEST.QE'
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: BAD_TRANSIT: authtime 1393509513,  testu1.QE for host/dhcp207-218.testrelm.test, KDC policy rejects request
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): bad realm transit path from 'testu1.QE' to 'host/dhcp207-218.testrelm.test' via 'ADTEST.QE'
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: BAD_TRANSIT: authtime 1393509513,  testu1.QE for host/dhcp207-218.testrelm.test, KDC policy rejects request
Feb 27 19:28:32 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12

--------------------------------------------
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test for ldap/dhcp207-218.testrelm.test
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): ... CONSTRAINED-DELEGATION s4u-client=admin
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: HTTP/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:29:10 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509550, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: host/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509671, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ: issuing TGT krbtgt/ADTEST.QE
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509671, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test for krbtgt/ADTEST.QE
Feb 27 19:31:11 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:31:15 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509676, etypes {rep=18 tkt=18 ses=18}, testu1.QE for host/dhcp207-218.testrelm.test
Feb 27 19:31:15 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: host/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509677, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509677, etypes {rep=18 tkt=18 ses=18}, host/dhcp207-218.testrelm.test for krbtgt/ADTEST.QE
Feb 27 19:31:17 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12

--------------------------------------
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393508786, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test for ldap/dhcp207-218.testrelm.test
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): ... CONSTRAINED-DELEGATION s4u-client=admin
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: NEEDED_PREAUTH: HTTP/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST, Additional pre-authentication required
Feb 27 19:31:45 dhcp207-218.testrelm.test krb5kdc[3508](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509705, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp207-218.testrelm.test for krbtgt/TESTRELM.TEST
Feb 27 19:33:58 dhcp207-218.testrelm.test krb5kdc[3508](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ISSUE: authtime 1393509838, etypes {rep=18 tkt=18 ses=18}, testu1.QE for host/dhcp207-218.testrelm.test
Feb 27 19:33:58 dhcp207-218.testrelm.test krb5kdc[3508](info): closing down fd 12
}}}
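
Added example, not part of the original report or of FreeIPA: in the krb5kdc.log excerpt above, the symptom is a `TGS_REQ ... ISSUE` line for the subdomain user after `ipa trustdomain-disable`, and the audit below flags exactly that condition. The sample lines are constructed in the shape of the excerpt with full `user@REALM` principals; the realm name `PUNE.ADTEST.QE`, the disable time, the 120-second grace period (taken from the `sleep 120` in the session) and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Shape of the krb5kdc TGS_REQ lines in the excerpt:
#   <ts> <host> krb5kdc[pid](info): TGS_REQ (...) <ip>: <STATUS>: authtime N,
#   [etypes {...},] <client> for <server>[, <message>]
TGS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(.*?\) \S+: (?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<server>[^,\s]+)"
)

def tickets_issued_after_disable(lines, disabled, year, grace=timedelta(seconds=120)):
    """Return (time, client, server) for every service ticket the KDC issued
    to a client whose realm was disabled more than `grace` earlier.

    disabled: {REALM: datetime of the trustdomain-disable call}
    year:     syslog timestamps carry no year, so the caller supplies it
    """
    findings = []
    for line in lines:
        m = TGS_RE.match(line)
        if not m or m["status"] != "ISSUE":
            continue  # not a TGS_REQ line, or the KDC refused the request
        _, sep, realm = m["client"].rpartition("@")
        cutoff = disabled.get(realm.upper()) if sep else None
        if cutoff is None:
            continue  # client realm is not a disabled trust domain
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if when >= cutoff + grace:
            findings.append((when, m["client"], m["server"]))
    return findings

# Constructed sample input (assumed principals and times, modelled on the excerpt).
PFX = ("dhcp207-218.testrelm.test krb5kdc[3508](info): "
       "TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.65.207.218: ")
HOST = "host/dhcp207-218.testrelm.test@TESTRELM.TEST"
USER = "testu1@PUNE.ADTEST.QE"
ETYPES = "etypes {rep=18 tkt=18 ses=18}"
SAMPLE_LOG = [
    f"Feb 27 19:28:32 {PFX}BAD_TRANSIT: authtime 1393509513,  {USER} for {HOST}, KDC policy rejects request",
    f"Feb 27 19:31:15 {PFX}ISSUE: authtime 1393509676, {ETYPES}, {USER} for {HOST}",
    f"Feb 27 19:31:17 {PFX}ISSUE: authtime 1393509677, {ETYPES}, {HOST} for krbtgt/ADTEST.QE@TESTRELM.TEST",
    f"Feb 27 19:32:30 {PFX}ISSUE: authtime 1393509750, {ETYPES}, {USER} for {HOST}",
    f"Feb 27 19:33:58 {PFX}ISSUE: authtime 1393509838, {ETYPES}, {USER} for {HOST}",
]
# Assumed time at which the subdomain was disabled.
DISABLED = {"PUNE.ADTEST.QE": datetime(2014, 2, 27, 19, 31, 45)}

if __name__ == "__main__":
    for when, client, server in tickets_issued_after_disable(SAMPLE_LOG, DISABLED, 2014):
        print(f"{when} ticket issued to {client} for {server} after realm was disabled")
```

Any finding on a patched KDC means the disabled-domain check is not being applied; tickets issued inside the grace window are skipped so that propagation delay does not raise false alarms.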

Comment 1 Scott Poore 2014-03-03 21:20:29 UTC
Testing a dev patch...

looks good:

[root@rhel7-1 kdb]# cp ipadb.so ipadb.so.orig

[root@rhel7-1 kdb]# cp /root/ipadb.so .
cp: overwrite ‘./ipadb.so’? y

[root@rhel7-1 kdb]# ipactl restart
Restarting Directory Service
    debugging enabled, suppressing output.
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful

[root@rhel7-1 kdb]# ipa trustdomain-find ad2.example.test
  Domain name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  Domain enabled: True

  Domain name: cdom2.ad2.example.test
  Domain NetBIOS name: CDOM2
  Domain Security Identifier: S-1-5-21-2684615734-2948224993-1064351119
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@rhel7-1 kdb]# kdestroy -A

[root@rhel7-1 kdb]# kinit Administrator.EXAMPLE.TEST
Password for Administrator.EXAMPLE.TEST: 

[root@rhel7-1 kdb]# kvno host/$(hostname)
host/rhel7-1.ipa1.example.test.TEST: kvno = 2

[root@rhel7-1 kdb]# ssh -o StrictHostKeyChecking=no -l Administrator.example.test $(hostname)
Could not chdir to home directory /home/cdom2.ad2.example.test/Administrator: No such file or directory
-sh-4.2$ exit
logout
Connection to rhel7-1.ipa1.example.test closed.

[root@rhel7-1 kdb]# ssh -o StrictHostKeyChecking=no -l Administrator.example.test $(hostname) echo 'login succeeded'
login succeeded

[root@rhel7-1 kdb]# ipa trustdomain-disable ad2.example.test cdom2.ad2.example.test
ipa: ERROR: cannot connect to 'any of the configured servers': https://rhel7-1.ipa1.example.test/ipa/xml, https://rhel7-2.ipa1.example.test/ipa/xml

[root@rhel7-1 kdb]# kdestroy -A

[root@rhel7-1 kdb]# kinit admin
Password for admin.TEST: 

[root@rhel7-1 kdb]# ipa trustdomain-disable ad2.example.test cdom2.ad2.example.test
----------------------------------------------
Disabled trust domain "cdom2.ad2.example.test"
----------------------------------------------

[root@rhel7-1 kdb]# kdestroy -A

[root@rhel7-1 kdb]# kinit Administrator.EXAMPLE.TEST
Password for Administrator.EXAMPLE.TEST: 

[root@rhel7-1 kdb]# kvno host/$(hostname)
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/rhel7-1.ipa1.example.test.TEST

[root@rhel7-1 kdb]# ssh -o StrictHostKeyChecking=no -l Administrator.example.test $(hostname) echo 'login succeeded'
Administrator.exampl.example.test's password: 
Permission denied, please try again.
Administrator.exampl.example.test's password: 
Permission denied, please try again.
Administrator.exampl.example.test's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

So, it's blocking user access when the domain is disabled.

Comment 4 Martin Kosek 2014-03-06 11:26:52 UTC
Coverity found an issue in this patch. Upstream patch was filed:

https://fedorahosted.org/freeipa/ticket/4223

Comment 6 Steeve Goveas 2014-03-06 12:37:02 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trustdomain_cli_bz1070924: Access is not rejected for disabled domain bz1070924
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 19:38:34 ] ::  https://bugzilla.redhat.com/show_bug.cgi?id=1070924
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.MEfh4TzOiL/tmpout.trustdomain_cli_bz1070924.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.MEfh4TzOiL/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain name: pune.adtest.qe' 
:: [   PASS   ] :: File '/tmp/tmp.MEfh4TzOiL/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain enabled: False' 
:: [   PASS   ] :: Running 'sleep 70' (Expected 0, got 0)
:: [ 19:39:46 ] ::  Running: ssh -l "testu1.qe" dell-pe830-01.testrelm.test "echo 'login successful'
:: [ 19:40:03 ] ::  ssh login failed
spawn ssh -o StrictHostKeyChecking=no -l testu1.qe dell-pe830-01.testrelm.test echo 'login successful'
testu1.qe.test's password: 
Permission denied, please try again.

testu1.qe.test's password: :: [   PASS   ] :: Running 'cat /tmp/tmpout.ssh_with_password' (Expected 0, got 0)
:: [   PASS   ] :: Running 'ssh_with_password testu1.qe dell-pe830-01.testrelm.test Secret123' (Expected 1, got 1)
:: [ 19:40:04 ] ::  execute expect file: /tmp/kinit.3270.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
SecrUsing default cache: persistent:0:0
Using principal: admin
et123
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 19:40:05 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
'e4e250df-8325-4dfe-ad22-740b20119e75'
trustdomain-cli-bz1070924 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-19613115/journal.txt
    Info: Searching AVC errors produced since 1394066314.15 (Wed Mar  5 19:38:34 2014)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.O5Lf1T
:
   AvcLog: /mnt/testarea/tmp.O5Lf1T

Verified in version
ipa-server-3.3.3-20.el7.x86_64

Comment 7 Martin Kosek 2014-03-06 13:09:49 UTC
Steeve, could you please retest with ipa-3.3.3-21.el7? As I wrote in Comment 4 there was an issue reported by clang which we fixed along with a potential memory leak.

Comment 8 Steeve Goveas 2014-03-07 08:51:31 UTC
Verified it with version ipa-server-3.3.3-21.el7.x86_64

* Here is the test where ssh works before disabling subdomain pune.adtest.qe

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain name: pune.adtest.qe' 
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain enabled: True' 
:: [   PASS   ] :: bz1052973 fixed 
testu1.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1:
:: [   PASS   ] :: Running 'getent passwd testu1.qe' (Expected 0, got 0)
:: [ 13:01:44 ] ::  Running: ssh -l "testu1.qe" tyan-gt24-11.testrelm.test "echo 'login successful'
:: [ 13:01:54 ] ::  ssh login successful
:: [   PASS   ] :: Running 'ssh_with_password testu1.qe tyan-gt24-11.testrelm.test Secret123' (Expected 0, got 0)
:: [ 13:01:55 ] ::  execute expect file: /tmp/kinit.23224.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
SecreUsing default cache: persistent:0:0
Using principal: admin
t123
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 13:01:55 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Running 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out 2>&1' (Expected 0, got 0)
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Disabled trust domain "pune.adtest.qe"' 
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain name: pune.adtest.qe' 
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain enabled: False' 


* After disabling subdomain, the subdomain user is rejected access

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trustdomain_cli_bz1070924: Access is not rejected for disabled domain bz1070924
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 13:02:02 ] ::  https://bugzilla.redhat.com/show_bug.cgi?id=1070924
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1070924.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain name: pune.adtest.qe' 
:: [   PASS   ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain enabled: False' 
:: [   PASS   ] :: Running 'sleep 70' (Expected 0, got 0)
:: [ 13:03:14 ] ::  Running: ssh -l "testu1.qe" tyan-gt24-11.testrelm.test "echo 'login successful'
:: [ 13:03:31 ] ::  ssh login failed
spawn ssh -o StrictHostKeyChecking=no -l testu1.qe tyan-gt24-11.testrelm.test echo 'login successful'
testu1.qe.test's password: 
Permission denied, please try again.

testu1.qe.test's password: :: [   PASS   ] :: Running 'cat /tmp/tmpout.ssh_with_password' (Expected 0, got 0)
:: [   PASS   ] :: Running 'ssh_with_password testu1.qe tyan-gt24-11.testrelm.test Secret123' (Expected 1, got 1)
:: [ 13:03:31 ] ::  execute expect file: /tmp/kinit.15432.exp

set timeout 30
set force_conservative 0 
set send_slow {1 .001} 
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof 
spawn /usr/bin/kinit -V admin
SecrUsing default cache: persistent:0:0
Using principal: admin
et123
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 13:03:32 ] ::  Success: kinit as [admin] with password [Secret123] was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
'3527f4ae-0d5a-4069-be31-64f4b5b7186f'
trustdomain-cli-bz1070924 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-19633121/journal.txt
    Info: Searching AVC errors produced since 1394128922.63 (Thu Mar  6 13:02:02 2014)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.BzxdNy
:
   AvcLog: /mnt/testarea/tmp.BzxdNy

Comment 9 Ludek Smid 2014-06-13 09:59:54 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

