Bug 1250192 - Error in ipa trust-fetch-domains
Status: CLOSED DUPLICATE of bug 1250190
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
 
Reported: 2015-08-04 13:14 EDT by Steeve Goveas
Modified: 2015-09-01 03:42 EDT
Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Last Closed: 2015-08-18 13:01:33 EDT
Type: Bug


Attachments:
trust-fetch-domain that Alexander fixed (8.40 KB, text/x-python), 2015-08-12 12:51 EDT, Scott Poore

Description Steeve Goveas 2015-08-04 13:14:30 EDT
Description of problem:
[root@vm-idm-014 ~]# ipa trust-fetch-domains
Realm name: adtest.qe
ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):
[root@vm-idm-014 ~]# rpm -q ipa-server sssd
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64
Comment 2 Jan Cholasta 2015-08-05 01:27:15 EDT
Steeve, there should be a traceback in /var/log/httpd/error_log, could you please paste it here?
Comment 3 Steeve Goveas 2015-08-05 10:35:00 EDT
Jan, here is the traceback from /var/log/httpd/error_log

[Wed Aug 05 20:03:14.893060 2015] [:error] [pid 2932] ipa: INFO: [jsonserver_kerb] admin@STVIDRANGE.TEST: ping(): SUCCESS
[Wed Aug 05 20:03:19.139255 2015] [:error] [pid 2931] ipa: ERROR: non-public: TypeError: unsupported operand type(s) for &: 'list' and 'int'
[Wed Aug 05 20:03:19.139306 2015] [:error] [pid 2931] Traceback (most recent call last):
[Wed Aug 05 20:03:19.139315 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Wed Aug 05 20:03:19.139321 2015] [:error] [pid 2931]     result = self.Command[name](*args, **options)
[Wed Aug 05 20:03:19.139328 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Wed Aug 05 20:03:19.139338 2015] [:error] [pid 2931]     ret = self.run(*args, **options)
[Wed Aug 05 20:03:19.139347 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Wed Aug 05 20:03:19.139356 2015] [:error] [pid 2931]     return self.execute(*args, **options)
[Wed Aug 05 20:03:19.139365 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 1490, in execute
[Wed Aug 05 20:03:19.139375 2015] [:error] [pid 2931]     if trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL:
[Wed Aug 05 20:03:19.139383 2015] [:error] [pid 2931] TypeError: unsupported operand type(s) for &: 'list' and 'int'
[Wed Aug 05 20:03:19.139872 2015] [:error] [pid 2931] ipa: INFO: [jsonserver_kerb] admin@STVIDRANGE.TEST: trust_fetch_domains(u'adtest.qe', rights=False, all=False, raw=False, version=u'2.147'): TypeError
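
Added example, not part of the bug report and not FreeIPA's code: the traceback in comment 3 fails because trust['ipanttrustdirection'] reaches the bitwise test as a list rather than an int. The sketch below reproduces that expression and shows one way to normalize the value before testing the direction bits; the helper names, the sample entries and the value 3 for TRUST_BIDIRECTIONAL are assumptions.

```python
# Added illustration; helper names and sample entries are hypothetical.
TRUST_BIDIRECTIONAL = 3  # assumed value: inbound bit (1) | outbound bit (2)


def trust_direction(entry, attr="ipanttrustdirection"):
    """Return the trust direction stored in a directory entry as an int.

    Accepts a bare int/str or a single-valued list of them; the list form
    is the shape that raised the TypeError in the traceback.
    """
    if attr not in entry:
        raise ValueError("entry has no %s attribute" % attr)
    value = entry[attr]
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError("%s must be single-valued, got %d values"
                             % (attr, len(value)))
        value = value[0]
    if isinstance(value, bytes):
        value = value.decode("ascii")
    try:
        direction = int(value)
    except (TypeError, ValueError):
        raise ValueError("%s is not an integer: %r" % (attr, value))
    if not 0 <= direction <= TRUST_BIDIRECTIONAL:
        raise ValueError("%s out of range: %d" % (attr, direction))
    return direction


def is_bidirectional(entry):
    """True only when both direction bits are set."""
    return trust_direction(entry) & TRUST_BIDIRECTIONAL == TRUST_BIDIRECTIONAL


def reproduce_original_failure(entry):
    """Evaluate the expression from the traceback as-is; return the error text."""
    try:
        _ = entry["ipanttrustdirection"] & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    two_way = {"ipanttrustdirection": ["3"]}  # constructed sample entry
    one_way = {"ipanttrustdirection": ["1"]}  # constructed sample entry
    print(reproduce_original_failure(two_way))
    print(is_bidirectional(two_way), is_bidirectional(one_way))
```
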
Comment 4 Jan Cholasta 2015-08-06 01:35:11 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5182
Comment 5 Jan Cholasta 2015-08-06 01:36:30 EDT
Thanks. It looks like there already is a patch for this at freeipa-devel.
Comment 8 Scott Poore 2015-08-12 12:48:00 EDT
I can see this work for two-way trusts (--two-way=True), but I'm still seeing issues with one-way trusts:

[root@vm-idm-011 log]# echo Secret123 | ipa -d trust-add adtest.qe --admin Administrator --password  
...cutting out the debugging output...
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1,
                          S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1,
                          S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@vm-idm-011 log]# ipa idrange-show PUNE.ADTEST.QE_id_range
ipa: ERROR: PUNE.ADTEST.QE_id_range: range not found

[root@vm-idm-011 log]# ipa trust-fetch-domains adtest.qe
s adtest.qe
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@vm-idm-011 log]#  ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
Comment 9 Scott Poore 2015-08-12 12:51:52 EDT
Created attachment 1062115 [details]
trust-fetch-domain that Alexander fixed

Attaching the fixed version of trust-fetch-domain that Alexander Bokovoy provided.
Comment 10 Alexander Bokovoy 2015-08-16 05:58:34 EDT
I suspect we should close this bug and continue work on a unidirectional trust in bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190; there is no need to keep two bugs for the same cause anymore.
Comment 11 Scott Poore 2015-08-17 18:19:54 EDT
Sure, that works for me.  Just mark it as duplicate of 1250190?

Steeve, any reason not to do that?
Comment 12 Petr Vobornik 2015-08-18 13:01:33 EDT
Marking as duplicate as suggested in comment 10 and comment 11.

*** This bug has been marked as a duplicate of bug 1250190 ***
