
Bug 1070926

Summary: wrong error message is returned when there are no permissions to re-create trust
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: medium
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Martin Kosek <mkosek>
Assignee: Martin Kosek <mkosek>
QA Contact: Namita Soman <nsoman>
CC: rcritten, sgoveas
Fixed In Version: ipa-3.3.3-20.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 13:25:32 UTC

Description Martin Kosek 2014-02-27 18:31:18 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4202

If a trust was created and we then attempt to re-establish it with AD admin credentials that don't have enough privileges, we'll fail -- either at the attempt to delete the previously created trust or at the attempt to create the new trust.

When we delete the existing trust, we silence any exception and don't see NT_STATUS_ACCESS_DENIED, so there will be a name collision when we next create the trust with the same name:
{{{
# echo Test1234 | ipa trust-add ad.test --admin abbra --password
ipa: ERROR: CIFS server communication error: code "-1073741771",
                  message "NT_STATUS_OBJECT_NAME_COLLISION" (both may be "None")
}}}

The actual cause of this collision is access denial at the trust delete stage, so we need to report a proper error message by catching the proper exception.
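
The failure mode described above, as an added Python sketch that is not part of the original report and is not FreeIPA or Samba code. `FakeADServer`, `RemoteError`, `InsufficientAccess` and the `establish_*` functions are hypothetical names, and the toy server assumes the name check runs before the access check; it shows how swallowing the delete error turns an access denial into a name collision, and how checking for the denial reports the real cause.

```python
# Constructed model of the failure mode; not FreeIPA or Samba code.
ACCESS_DENIED = -1073741790      # NT_STATUS_ACCESS_DENIED (0xC0000022, signed)
NAME_COLLISION = -1073741771     # NT_STATUS_OBJECT_NAME_COLLISION, code from the report

class RemoteError(Exception):
    """Stand-in for a remote call failure; args are (code, message)."""
class InsufficientAccess(Exception):
    """Hypothetical error type shown to the admin."""

class FakeADServer:
    """Toy server; assumes the name check runs before the access check."""
    def __init__(self, trusts=()):
        self.trusts = set(trusts)
    def delete_trust(self, name, privileged):
        if not privileged:
            raise RemoteError(ACCESS_DENIED, "NT_STATUS_ACCESS_DENIED")
        self.trusts.discard(name)
    def create_trust(self, name, privileged):
        if name in self.trusts:
            raise RemoteError(NAME_COLLISION, "NT_STATUS_OBJECT_NAME_COLLISION")
        if not privileged:
            raise RemoteError(ACCESS_DENIED, "NT_STATUS_ACCESS_DENIED")
        self.trusts.add(name)

def establish_silent(server, name, privileged):
    """Before: any delete failure is swallowed, so the denial is lost."""
    try:
        server.delete_trust(name, privileged)
    except RemoteError:
        pass
    server.create_trust(name, privileged)

def establish_checked(server, name, privileged):
    """After: access denial is reported from whichever step hit it."""
    try:
        server.delete_trust(name, privileged)
        server.create_trust(name, privileged)
    except RemoteError as e:
        if e.args[0] == ACCESS_DENIED:
            raise InsufficientAccess("CIFS server denied your credentials") from e
        raise

def reported(establish, privileged=False):
    """Re-create an existing trust and return the error the caller sees."""
    try:
        establish(FakeADServer({"ad.test"}), "ad.test", privileged)
        return "ok"
    except (RemoteError, InsufficientAccess) as e:
        return f"{type(e).__name__}: {e.args[-1]}"
```

With an unprivileged caller, `reported(establish_silent)` surfaces the collision while `reported(establish_checked)` surfaces the access denial.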

Comment 1 Martin Kosek 2014-02-28 08:25:23 UTC
Fixed upstream:

master:
3a7ba6013ffe43176bcff2c716b33552853847ff ipaserver/dcerpc: catch the case of insuffient permissions when establishing trust

ipa-3-3:
42108d1c0dc552e5dbc249507bfe59a1ef1d4c8e ipaserver/dcerpc: catch the case of insuffient permissions when establishing trust

Comment 3 Steeve Goveas 2014-03-06 12:56:15 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trust_cli_bz1070926: Give user with no administrator rights for --admin option bz1070926
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:06:03 ] ::  https://bugzilla.redhat.com/show_bug.cgi?id=1070926
:: [ 07:06:03 ] ::  bz1070926: wrong error message is returned when there are no permissions to re-create trust

MARK-LWD-LOOP -- 2014-03-06 07:06:04 --
sAMAccountName: aduser1
:: [   PASS   ] :: aduser1 exists on AD (Expected 0, got 0)
:: [   PASS   ] :: aduser1 not a member of administrators group (Expected 1, got 1)
:: [   PASS   ] :: Running 'echo Secret123 | ipa trust-add --type=ad adtest.qe --admin aduser1 --password > /tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926.out 2>&1' (Expected 1, got 1)
ipa: ERROR: Insufficient access: CIFS server denied your credentials
:: [   PASS   ] :: File '/tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926.out' should contain 'ipa: ERROR: Insufficient access: CIFS server denied your credentials' 
:: [   PASS   ] :: Running 'echo -e "adtest.qe\nSecret123" | ipa trust-add --type=ad --admin aduser1 --password > /tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926.out 2>&1' (Expected 1, got 1)
ipa: ERROR: Insufficient access: CIFS server denied your credentials
Realm name: :: [   PASS   ] :: File '/tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926.out' should contain 'ipa: ERROR: Insufficient access: CIFS server denied your credentials' 
'91b961da-f3e9-4180-9dfa-3454f910bf7a'
trust-cli-bz1070926 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-19626433/journal.txt
    Info: Searching AVC errors produced since 1394107563.37 (Thu Mar  6 07:06:03 2014)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.bEyQaN
:
   AvcLog: /mnt/testarea/tmp.bEyQaN



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trust_cli_bz1070926_2: User with no administrator rights for --admin to re-create trust bz1070926
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:08:21 ] ::  https://bugzilla.redhat.com/show_bug.cgi?id=1070926
:: [ 07:08:21 ] ::  bz1070926: wrong error message is returned when there are no permissions to re-create trust
sAMAccountName: aduser1
:: [   PASS   ] :: aduser1 exists on AD (Expected 0, got 0)
:: [   PASS   ] :: aduser1 not a member of administrators group (Expected 1, got 1)
:: [   PASS   ] :: Running 'echo Secret123 | ipa trust-add --type=ad adtest.qe --admin aduser1 --password > /tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926_2.out 2>&1' (Expected 1, got 1)
ipa: ERROR: Insufficient access: CIFS server denied your credentials
:: [   PASS   ] :: File '/tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926_2.out' should contain 'ipa: ERROR: Insufficient access: CIFS server denied your credentials' 
:: [   PASS   ] :: Running 'echo -e "adtest.qe\nSecret123" | ipa trust-add --type=ad --admin aduser1 --password > /tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926_2.out 2>&1' (Expected 1, got 1)
ipa: ERROR: Insufficient access: CIFS server denied your credentials
Realm name: :: [   PASS   ] :: File '/tmp/tmp.nMaArKpzeo/tmpout.trust_cli_bz1070926_2.out' should contain 'ipa: ERROR: Insufficient access: CIFS server denied your credentials' 
'e6308632-82c5-43fc-a161-9933711483e5'
trust-cli-bz1070926-2 result: PASS
   metric: 0
   Log: /var/tmp/beakerlib-19626433/journal.txt
    Info: Searching AVC errors produced since 1394107701.32 (Thu Mar  6 07:08:21 2014)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.bEyQaN
:
   AvcLog: /mnt/testarea/tmp.bEyQaN

Verified in Version
ipa-server-3.3.3-20.el7.x86_64

Comment 4 Ludek Smid 2014-06-13 13:25:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.