Bug 1250190 - idrange is not added for sub domain
Summary: idrange is not added for sub domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 1250192
Depends On:
Blocks:
Reported: 2015-08-04 17:11 UTC by Steeve Goveas
Modified: 2015-11-19 12:05 UTC (History)
CC List: 8 users

Fixed In Version: ipa-4.2.0-6.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:05:03 UTC
Target Upstream Version:
Embargoed:


Attachments


Links
System ID                              Private  Priority  Status        Summary                             Last Updated
FedoraHosted FreeIPA 5182              0        None      None          None                                Never
Red Hat Product Errata RHBA-2015:2362  0        normal    SHIPPED_LIVE  ipa bug fix and enhancement update  2015-11-19 10:40:46 UTC

Description Steeve Goveas 2015-08-04 17:11:57 UTC
Description of problem:
When trust is added ipa idrange for AD subdomain is not added

Version-Release number of selected component (if applicable):
[root@vm-idm-014 ~]# rpm -q ipa-server sssd
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Add trust from IPA server with root AD having a child domain

Actual results:
[root@vm-idm-014 ~]# echo Secret123| ipa trust-add  adtest.qe --admin Administrator --password 
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
                          S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
                          S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

* idrange for pune.adtest.qe is not added

[root@vm-idm-014 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: STVIDRANGE.TEST_id_range
  First Posix ID of the range: 201000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-014 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

Expected results:
idrange for child domain is added with trust add

Additional info:
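A check for the symptom reported above, as an added example rather than anything from the bug report or from FreeIPA itself: it parses the text output of `ipa trustdomain-find` and `ipa idrange-find` and reports every trusted domain that has no `<DOMAIN>_id_range`, plus any domain whose range is bound to a different SID than the trust domain entry shows. The sample output embedded in the block is constructed from the listings in this report; the `<DOMAIN>_id_range` naming follows the range names shown on this page.

```python
"""Added example (not FreeIPA code): cross-check `ipa trustdomain-find` against
`ipa idrange-find` so a trusted domain without an ID range, or with a range bound
to the wrong SID, is caught right after trust-add."""
import re

# "  Key: value" lines of ipa CLI output; the key is everything before the first colon.
_FIELD = re.compile(r"^\s+([^:]+?):\s*(.*?)\s*$")


def parse_blocks(text):
    """Turn ipa CLI output into one dict per blank-line-separated record.

    Header/footer lines ("2 ranges matched", dashes, "Number of entries returned")
    are not indented and carry no colon, so they are ignored."""
    records, cur = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        elif not line.strip() and cur:     # a blank line closes the current record
            records.append(cur)
            cur = {}
    if cur:
        records.append(cur)
    return records


def check_idranges(trustdomain_out, idrange_out):
    """Return (missing, mismatched): trusted domains with no <DOMAIN>_id_range, and
    domains whose range carries a different SID than trustdomain-find reports."""
    ranges = {r["Range name"]: r for r in parse_blocks(idrange_out) if "Range name" in r}
    missing, mismatched = [], []
    for dom in parse_blocks(trustdomain_out):
        if "Domain name" not in dom:
            continue
        rng = ranges.get(dom["Domain name"].upper() + "_id_range")
        if rng is None:
            missing.append(dom["Domain name"])
        elif rng.get("Domain SID of the trusted domain") != dom.get("Domain Security Identifier"):
            mismatched.append(dom["Domain name"])
    return missing, mismatched


# Constructed sample, modelled on the listings in this bug report.
TRUSTDOMAINS = """\
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""
IDRANGES = """\
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: STVIDRANGE.TEST_id_range
  First Posix ID of the range: 201000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

if __name__ == "__main__":
    # Live use: pass the stdout of `ipa trustdomain-find <forest>` and `ipa idrange-find`.
    missing, mismatched = check_idranges(TRUSTDOMAINS, IDRANGES)
    print("trusted domains without an ID range:", missing)
    print("trusted domains whose range has the wrong SID:", mismatched)
```

Run against the sample it reports `pune.adtest.qe` as missing, which is exactly the state in the listing above; the SID comparison is the extra check worth keeping after the fix, since a range that exists but points at a stale SID would still break ID mapping for that domain.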

Comment 2 Jan Cholasta 2015-08-05 05:52:32 UTC
Alexander, do you know what might be causing this?

Comment 3 Alexander Bokovoy 2015-08-05 18:01:36 UTC
Check audit.log for AVCs, if any. With IPA 4.2 we run over D-Bus a request to oddjobd-activated script that discovers the domains and it requires proper configuration of the SELinux policy.

Also add debugging to smb.conf.empty when establishing trust, to see communication happening.

Comment 4 Alexander Bokovoy 2015-08-05 18:24:37 UTC
Thanks to Tomas, here is the real reason why it wasn't called. Adding the upstream ticket.

Comment 7 Jan Cholasta 2015-08-06 05:37:06 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5182

Comment 9 Petr Vobornik 2015-08-12 11:07:43 UTC
should be fixed in bug 1250192

Comment 11 Alexander Bokovoy 2015-08-13 06:23:49 UTC
Not fixed; we found the proper fix and a reproducer yesterday with Scott. Moving to ASSIGNED.

Comment 12 Alexander Bokovoy 2015-08-13 06:48:58 UTC
The issue is in ipa-getkeytab adding a key with the same principal and kvno to the TDO keytab instead of overwriting it. As a result, /var/lib/sss/keytabs/<trust-forest-root>.keytab contains multiple entries with the same <kvno> <principal> pair, and when kinit is performed against the keytab, libkrb5 selects the first matching entry, which fails (because it belonged to an older trust config that is not valid anymore) and breaks the oddjobd helper.
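An added illustration of the failure mode described in the comment above (example code, not FreeIPA, SSSD or MIT krb5 code): it parses an MIT-format keytab, reports every (principal, kvno, enctype) triple present more than once, and shows that a lookup that does not pin a kvno lands on the first, stale entry. The keytab is constructed inline; the principal, realm and key bytes are invented, and the first-match tie-break mirrors the behaviour the comment describes rather than anything taken from libkrb5 sources.

```python
"""Added example (not FreeIPA, SSSD or MIT krb5 code): parse an MIT v2 keytab, flag
(principal, kvno, enctype) triples stored more than once, and show which entry a
first-match lookup picks. The principal, realm and key bytes below are invented."""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2


def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(blob):
    """Return live entries as dicts: principal, kvno, enctype, key, timestamp."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        body, p = blob[off:off + size], 0
        off += size
        (ncomp,) = struct.unpack_from(">H", body, p)
        realm, p = _counted(body, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        enctype, klen = struct.unpack_from(">HH", body, p + 9)
        p += 13
        key, p = body[p:p + klen], p + klen
        kvno = vno8
        if p + 4 <= len(body):            # optional 32-bit kvno extension
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def build_keytab(entries):
    """Serialise entries (same dict shape) into v2 keytab bytes; inverse of parse_keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for part in [realm] + comps:      # realm first, then each name component
            body += struct.pack(">H", len(part)) + part.encode()
        body += struct.pack(">IIB", 1, e["timestamp"], e["kvno"] & 0xFF)   # 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def find_duplicates(entries):
    """Map (principal, kvno, enctype) -> entry indexes, for triples stored more than once."""
    seen = {}
    for i, e in enumerate(entries):
        seen.setdefault((e["principal"], e["kvno"], e["enctype"]), []).append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}


def select_entry(entries, principal, enctype):
    """Lookup with no kvno given: highest kvno wins; a tie keeps the FIRST entry seen."""
    best = None
    for e in entries:
        if e["principal"] == principal and e["enctype"] == enctype:
            if best is None or e["kvno"] > best["kvno"]:
                best = e
    return best


def dedupe_keep_last(entries):
    """Keep the last-written entry per triple, i.e. what an overwrite would have left."""
    last = {(e["principal"], e["kvno"], e["enctype"]): i for i, e in enumerate(entries)}
    keep = set(last.values())
    return [e for i, e in enumerate(entries) if i in keep]


# Constructed sample: one principal written twice with the same kvno, as happens when
# a key is appended instead of replaced. Names and key bytes are invented.
PRINCIPAL = "svc/trust@EXAMPLE.TEST"
AES256 = 18                                  # aes256-cts-hmac-sha1-96
STALE_KEY = bytes([0x11] * 32)               # from the earlier, now invalid trust config
FRESH_KEY = bytes([0x22] * 32)               # from the latest trust-add
SAMPLE_KEYTAB = build_keytab([
    {"principal": PRINCIPAL, "kvno": 3, "enctype": AES256, "key": STALE_KEY, "timestamp": 1438800000},
    {"principal": PRINCIPAL, "kvno": 3, "enctype": AES256, "key": FRESH_KEY, "timestamp": 1439700000},
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("duplicates:", find_duplicates(ents))
    print("lookup picks the stale key:", select_entry(ents, PRINCIPAL, AES256)["key"] == STALE_KEY)
```

On a live server the same condition shows up in `klist -k -t -e /var/lib/sss/keytabs/<trust-forest-root>.keytab` as the same principal listed twice with the same KVNO; the fix belongs in the writer (replace rather than append), which is what the upstream patch addresses, and `dedupe_keep_last` only shows what a correct overwrite would have left behind.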

Comment 13 Alexander Bokovoy 2015-08-16 09:54:10 UTC
Patch is sent upstream: https://www.redhat.com/archives/freeipa-devel/2015-August/msg00255.html

Comment 16 Petr Vobornik 2015-08-18 17:01:33 UTC
*** Bug 1250192 has been marked as a duplicate of this bug. ***

Comment 18 Scott Poore 2015-08-19 19:24:21 UTC
I'm still seeing errors here even with two-way=True:



:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1'
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range
:: [   PASS   ] :: Command 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range' 
:: [  BEGIN   ] :: Running 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1'
ipa: ERROR: PUNE.ADTEST.QE_id_range: range not found
:: [   PASS   ] :: Command 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.csLTq93zKc/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)

Comment 19 Scott Poore 2015-08-19 19:26:43 UTC
Created attachment 1064980 [details]
samba logs

Comment 22 Scott Poore 2015-08-26 18:17:59 UTC
Verified.

Version ::

ipa-server-4.2.0-7.el7.x86_64


Results ::


:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password --two-way=True' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1'
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range
:: [   PASS   ] :: Command 'ipa idrange-show ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range' 
:: [  BEGIN   ] :: Running 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1'
  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range
:: [   PASS   ] :: Command 'ipa idrange-show PUNE.ADTEST.QE_id_range | tee /tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.0syEuYP6oh/tmpout.idrange_cli_0013.out' should contain 'Range type: Active Directory domain range' 
:: [  BEGIN   ] :: Running 'systemctl stop sssd; rm -f /var/lib/sss/{db,mc}/*; systemctl start sssd'
:: [   PASS   ] :: Command 'systemctl stop sssd; rm -f /var/lib/sss/{db,mc}/*; systemctl start sssd' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 5'
:: [   PASS   ] :: Command 'sleep 5' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 20'
:: [   PASS   ] :: Command 'sleep 20' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'getent passwd aduser07'
aduser07:*:1148405487:1148405487:ads07 user:/home/adtest.qe/aduser07:
:: [   PASS   ] :: Command 'getent passwd aduser07' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'getent passwd subuser07.qe'
subuser07.qe:*:839001111:839001111:subuser07 user:/home/pune.adtest.qe/subuser07:
:: [   PASS   ] :: Command 'getent passwd subuser07.qe' (Expected 0, got 0)

Previously, the idrange-show and getent commands for PUNE.ADTEST.QE failed due to this bug.

Comment 23 errata-xmlrpc 2015-11-19 12:05:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

