Bug 1250190 - idrange is not added for sub domain
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: Regression, TestBlocker
Duplicates: 1250192
Depends On:
Blocks:
Reported: 2015-08-04 13:11 EDT by Steeve Goveas
Modified: 2015-11-19 07:05 EST
CC: 8 users

See Also:
Fixed In Version: ipa-4.2.0-6.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 07:05:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
FedoraHosted FreeIPA 5182 None None None Never

Description Steeve Goveas 2015-08-04 13:11:57 EDT
Description of problem:
When trust is added ipa idrange for AD subdomain is not added

Version-Release number of selected component (if applicable):
[root@vm-idm-014 ~]# rpm -q ipa-server sssd
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Add trust from IPA server with root AD having a child domain

Actual results:
[root@vm-idm-014 ~]# echo Secret123| ipa trust-add  adtest.qe --admin Administrator --password 
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
                          S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
                          S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
(reverse-i-search)`s': echo Secret123| ipa trust-add  adtest.qe --admin Administrator --pas^Cord 

* idrange for pune.adtest.qe is not added

[root@vm-idm-014 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: STVIDRANGE.TEST_id_range
  First Posix ID of the range: 201000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-014 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Expected results:
idrange for child domain is added with trust add

Additional info:
Comment 2 Jan Cholasta 2015-08-05 01:52:32 EDT
Alexander, do you know what might be causing this?
Comment 3 Alexander Bokovoy 2015-08-05 14:01:36 EDT
Check audit.log for AVCs, if any. With IPA 4.2 we run over D-Bus a request to oddjobd-activated script that discovers the domains and it requires proper configuration of the SELinux policy.

Also add debugging to smb.conf.empty when establishing trust, to see communication happening.
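Alexander's first suggestion, checking audit.log for AVC denials around the oddjobd-driven domain discovery, can be turned into a small filter. The following is an added example, not IPA or audit code: it parses AVC records in the single-line format auditd writes to /var/log/audit/audit.log, keeps only denials whose source SELinux type or process name belongs to the oddjobd path, and summarises them by target class and permission. The type name oddjob_t and the comm oddjobd are assumed defaults (pass your own), and the sample records below are constructed, not captured from the reporter's system.

```python
import re
from collections import Counter

# One AVC record as auditd writes it to audit.log (a single line).
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # scontext is user:role:type:level; the type is what the policy decides on
    if "scontext" in rec:
        rec["stype"] = rec["scontext"].split(":")[2]
    return rec


def oddjob_denials(lines, stypes=("oddjob_t",), comms=("oddjobd",)):
    """Denied AVCs whose source domain or process name is on the oddjobd path.
    The default type and comm names are assumptions, not taken from the bug."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if rec.get("stype") in stypes or rec.get("comm") in comms:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count denials by (source type, target class, permissions, permissive flag)."""
    return Counter((h.get("stype"), h.get("tclass"), " ".join(h["perms"]),
                    h.get("permissive")) for h in hits)


# Constructed sample records; names, inodes and contexts are placeholders.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1438800000.101:301): avc:  denied  { write } for  pid=2201 '
    'comm="oddjobd" name="keytabs" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:oddjob_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 '
    'tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1438800000.101:301): arch=c000003e syscall=83 success=no '
    'exit=-13 comm="oddjobd" exe="/usr/sbin/oddjobd"',
    'type=AVC msg=audit(1438800000.250:302): avc:  denied  { name_connect } for  pid=2207 '
    'comm="python" scontext=system_u:system_r:oddjob_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1438800000.300:303): avc:  denied  { read } for  pid=990 '
    'comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1438800000.310:304): avc:  granted  { execute } for  pid=2208 '
    'comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
]

if __name__ == "__main__":
    for key, count in summarize(oddjob_denials(SAMPLE_AUDIT_LOG)).items():
        print(count, key)
```

On a live system the same records come from reading audit.log directly or from `ausearch -m avc -ts recent`; a denial whose source type is the oddjobd domain is the SELinux policy gap the comment describes, and its absence rules that explanation out.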
Comment 4 Alexander Bokovoy 2015-08-05 14:24:37 EDT
Thanks to Tomas, here is the real reason why it wasn't called. Adding the upstream ticket.
Comment 7 Jan Cholasta 2015-08-06 01:37:06 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5182
Comment 9 Petr Vobornik 2015-08-12 07:07:43 EDT
should be fixed in bug 1250192
Comment 11 Alexander Bokovoy 2015-08-13 02:23:49 EDT
Not fixed, we found proper fix and reproducer yesterday with Scott. Moving to ASSIGNED.
Comment 12 Alexander Bokovoy 2015-08-13 02:48:58 EDT
The issue is in ipa-getkeytab adding a key with the same principal and kvno to the TDO keytab instead of overwriting it. As a result, /var/lib/sss/keytabs/<trust-forest-root>.keytab contains multiple entries with the same <kvno> <principal> pair, and when kinit is performed against the keytab, libkrb5 selects the first matching entry; it fails (because it belonged to an older trust config which is not valid anymore) and breaks the oddjobd helper.
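The failure mode Alexander describes in comment 12 can be checked for directly by reading the keytab. What follows is an added example, not IPA or krb5 code: it builds a small version-2 keytab in memory from constructed data, parses it with a minimal reader of the MIT keytab layout (version 0x0502, 16-bit counted strings, an 8-bit vno plus an optional 32-bit vno trailer), reports any (principal, kvno, enctype) slot that holds two different keys, models the lookup that makes the stale key win, and shows the keep-last deduplication that overwrite semantics would produce. The principal EXAMPLE$@ADTEST.QE, the kvno and the key bytes are placeholders; the real keytab is the one named in the comment.

```python
import struct
from collections import OrderedDict

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2


def _counted(octets):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(octets)) + octets


def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialise one v2 keytab_entry for a 'name[/inst]@REALM' principal."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)              # keyblock
    body += struct.pack(">I", kvno)                                 # 32-bit vno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data):
    """Read a v2 keytab into a list of dicts, preserving file order."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos

        def take():
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]

        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key = take()
        kvno = vno8
        if end - p >= 4:               # 32-bit vno present; a nonzero value wins
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
        pos = end
    return entries


def find_conflicts(entries):
    """Slots holding several entries for one (principal, kvno, enctype) with
    different key material: the stale-plus-current situation from comment 12."""
    groups = OrderedDict()
    for e in entries:
        groups.setdefault((e["principal"], e["kvno"], e["enctype"]), []).append(e["key"])
    return {k: keys for k, keys in groups.items() if len(set(keys)) > 1}


def lookup(entries, principal, enctype):
    """Model the lookup in comment 12: highest kvno wins, and among entries with
    equal kvno the first one in the file wins, even if it is the stale key."""
    best = None
    for e in entries:
        if e["principal"] == principal and e["enctype"] == enctype:
            if best is None or e["kvno"] > best["kvno"]:
                best = e
    return best


def dedupe_keep_last(entries):
    """Keep the last entry per (principal, kvno, enctype): the overwrite
    semantics the comment says ipa-getkeytab should have used instead of appending."""
    latest = OrderedDict()
    for e in entries:
        latest[(e["principal"], e["kvno"], e["enctype"])] = e
    return list(latest.values())


# Constructed sample: a TDO keytab written twice for the same kvno without the
# first key being replaced.  Principal and key bytes are placeholders.
PRINCIPAL = "EXAMPLE$@ADTEST.QE"
STALE_KEY = bytes.fromhex("11" * 32)
CURRENT_KEY = bytes.fromhex("22" * 32)
SAMPLE_KEYTAB = build_keytab([
    build_entry(PRINCIPAL, 3, 18, STALE_KEY, timestamp=1438700000),                 # old trust config
    build_entry(PRINCIPAL, 3, 17, bytes.fromhex("33" * 16), timestamp=1438800000),  # other enctype: normal
    build_entry(PRINCIPAL, 3, 18, CURRENT_KEY, timestamp=1438800000),               # re-added, same kvno
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for (princ, kvno, etype), keys in find_conflicts(parsed).items():
        print(f"conflict: {princ} kvno={kvno} enctype={etype}: {len(keys)} entries")
    print("before fix:", lookup(parsed, PRINCIPAL, 18)["key"].hex()[:4])
    print("after fix: ", lookup(dedupe_keep_last(parsed), PRINCIPAL, 18)["key"].hex()[:4])
```

Against a live system, read the keytab named in the comment as bytes into parse_keytab, or compare with `klist -k -t -K <keytab>`, which lists kvno, principal and key material per entry: several entries for the same principal, kvno and enctype with different key bytes is the condition the comment describes, and the entry that wins a lookup is whichever comes first in the file. Entries that differ only in enctype are normal and are not reported.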
Comment 13 Alexander Bokovoy 2015-08-16 05:54:10 EDT
Patch is sent upstream: https://www.redhat.com/archives/freeipa-devel/2015-August/msg00255.html
Comment 16 Petr Vobornik 2015-08-18 13:01:33 EDT
*** Bug 1250192 has been marked as a duplicate of this bug. ***
Comment 18 Scott Poore 2015-08-19 15:24:21 EDT
I'm still seeing errors here even with two-way=True:



:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1'
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range
:: [   PASS   ] :: Command 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range' 
:: [  BEGIN   ] :: Running 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1'
ipa: ERROR: PUNE.ADTEST.QE_id_range: range not found
:: [   PASS   ] :: Command 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
Comment 19 Scott Poore 2015-08-19 15:26:43 EDT
Created attachment 1064980 [details]
samba logs
Comment 22 Scott Poore 2015-08-26 14:17:59 EDT
Verified.

Version ::

ipa-server-4.2.0-7.el7.x86_64


Results ::


:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1'
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range
:: [   PASS   ] :: Command 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range' 
:: [  BEGIN   ] :: Running 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1'
  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range
:: [   PASS   ] :: Command 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range' 
:: [  BEGIN   ] :: Running 'systemctl stop sssd; rm -f /var/lib/sss/{db,mc}/*; systemctl start sssd'
:: [   PASS   ] :: Command 'systemctl stop sssd; rm -f /var/lib/sss/{db,mc}/*; systemctl start sssd' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 5'
:: [   PASS   ] :: Command 'sleep 5' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 20'
:: [   PASS   ] :: Command 'sleep 20' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'getent passwd aduser07@adtest.qe'
aduser07@adtest.qe:*:1148405487:1148405487:ads07 user:/home/adtest.qe/aduser07:
:: [   PASS   ] :: Command 'getent passwd aduser07@adtest.qe' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'getent passwd subuser07@pune.adtest.qe'
subuser07@pune.adtest.qe:*:839001111:839001111:subuser07 user:/home/pune.adtest.qe/subuser07:
:: [   PASS   ] :: Command 'getent passwd subuser07@pune.adtest.qe' (Expected 0, got 0)

Previously, the idrange-show and getent commands for PUNE.ADTEST.QE failed due to this bug.
Comment 23 errata-xmlrpc 2015-11-19 07:05:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
