Bug 1250192 - Error in ipa trust-fetch-domains
Summary: Error in ipa trust-fetch-domains
Keywords:
Status: CLOSED DUPLICATE of bug 1250190
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-04 17:14 UTC by Steeve Goveas
Modified: 2015-09-01 07:42 UTC

Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-18 17:01:33 UTC
Target Upstream Version:
Embargoed:


Attachments
trust-fetch-domain that Alexander fixed (8.40 KB, text/x-python), 2015-08-12 16:51 UTC, Scott Poore


Links
System: Red Hat Product Errata
ID: RHBA-2015:2362
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2015-11-19 10:40:46 UTC

Description Steeve Goveas 2015-08-04 17:14:30 UTC
Description of problem:
[root@vm-idm-014 ~]# ipa trust-fetch-domains
Realm name: adtest.qe
ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):
[root@vm-idm-014 ~]# rpm -q ipa-server sssd
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64

Comment 2 Jan Cholasta 2015-08-05 05:27:15 UTC
Steeve, there should be a traceback in /var/log/httpd/error_log, could you please paste it here?

Comment 3 Steeve Goveas 2015-08-05 14:35:00 UTC
Jan, here is the traceback from /var/log/httpd/error_log

[Wed Aug 05 20:03:14.893060 2015] [:error] [pid 2932] ipa: INFO: [jsonserver_kerb] admin: ping(): SUCCESS
[Wed Aug 05 20:03:19.139255 2015] [:error] [pid 2931] ipa: ERROR: non-public: TypeError: unsupported operand type(s) for &: 'list' and 'int'
[Wed Aug 05 20:03:19.139306 2015] [:error] [pid 2931] Traceback (most recent call last):
[Wed Aug 05 20:03:19.139315 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Wed Aug 05 20:03:19.139321 2015] [:error] [pid 2931]     result = self.Command[name](*args, **options)
[Wed Aug 05 20:03:19.139328 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
[Wed Aug 05 20:03:19.139338 2015] [:error] [pid 2931]     ret = self.run(*args, **options)
[Wed Aug 05 20:03:19.139347 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 760, in run
[Wed Aug 05 20:03:19.139356 2015] [:error] [pid 2931]     return self.execute(*args, **options)
[Wed Aug 05 20:03:19.139365 2015] [:error] [pid 2931]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 1490, in execute
[Wed Aug 05 20:03:19.139375 2015] [:error] [pid 2931]     if trust['ipanttrustdirection'] & TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL:
[Wed Aug 05 20:03:19.139383 2015] [:error] [pid 2931] TypeError: unsupported operand type(s) for &: 'list' and 'int'
[Wed Aug 05 20:03:19.139872 2015] [:error] [pid 2931] ipa: INFO: [jsonserver_kerb] admin: trust_fetch_domains(u'adtest.qe', rights=False, all=False, raw=False, version=u'2.147'): TypeError
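
The TypeError in the traceback above comes from applying `&` to an attribute value that arrives as a list rather than an int. The block below is an added Python example, not FreeIPA code and not the upstream patch; the constant values, the helper names and the sample entries are assumptions made for illustration. It normalises the value and fails closed on anything ambiguous before the trust-direction bitmask test.

```python
# Added illustration; not FreeIPA source code or the upstream patch.
TRUST_ONEWAY = 1         # assumed value (AD trustDirection convention)
TRUST_BIDIRECTIONAL = 3  # assumed value (inbound | outbound)

# Constructed sample entries: attribute values arrive wrapped in lists.
TWO_WAY = {"ipanttrustdirection": [str(TRUST_BIDIRECTIONAL)]}
ONE_WAY = {"ipanttrustdirection": [str(TRUST_ONEWAY)]}


def naive_is_bidirectional(entry):
    """Same shape as the expression in the traceback: list & int -> TypeError."""
    return entry["ipanttrustdirection"] & TRUST_BIDIRECTIONAL == TRUST_BIDIRECTIONAL


def ldap_single_int(entry, attr):
    """Return a single-valued attribute as int; reject missing or multi-valued data."""
    raw = entry[attr]  # KeyError if the attribute is absent
    if isinstance(raw, (list, tuple)):
        if len(raw) != 1:
            raise ValueError("%s: expected exactly one value, got %d" % (attr, len(raw)))
        raw = raw[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    return int(raw)  # ValueError on non-numeric input


def is_bidirectional(entry):
    """Bitmask test on the normalised value (hypothetical helper)."""
    direction = ldap_single_int(entry, "ipanttrustdirection")
    return direction & TRUST_BIDIRECTIONAL == TRUST_BIDIRECTIONAL


if __name__ == "__main__":
    for name, entry in (("two-way", TWO_WAY), ("one-way", ONE_WAY)):
        print(name, "bidirectional:", is_bidirectional(entry))
    try:
        naive_is_bidirectional(TWO_WAY)
    except TypeError as exc:
        print("naive check fails:", exc)
```
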

Comment 4 Jan Cholasta 2015-08-06 05:35:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5182

Comment 5 Jan Cholasta 2015-08-06 05:36:30 UTC
Thanks. It looks like there already is a patch for this at freeipa-devel.

Comment 8 Scott Poore 2015-08-12 16:48:00 UTC
I can see this work for two-way trusts (--two-way=True), but I'm still seeing issues with one-way trusts:

[root@vm-idm-011 log]# echo Secret123 | ipa -d trust-add adtest.qe --admin Administrator --password  
...cutting out the debugging output...
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1,
                          S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
                          S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
                          S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13,
                          S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1,
                          S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@vm-idm-011 log]# ipa idrange-show PUNE.ADTEST.QE_id_range
ipa: ERROR: PUNE.ADTEST.QE_id_range: range not found

[root@vm-idm-011 log]# ipa trust-fetch-domains adtest.qe
s adtest.qe
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@vm-idm-011 log]#  ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

Comment 9 Scott Poore 2015-08-12 16:51:52 UTC
Created attachment 1062115 [details]
trust-fetch-domain that Alexander fixed

Attaching the fixed version of trust-fetch-domain that Alexander Bokovoy provided.

Comment 10 Alexander Bokovoy 2015-08-16 09:58:34 UTC
I suspect we should close this bug and continue work on a unidirectional trust in bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190; there is no need to keep two bugs for the same cause anymore.

Comment 11 Scott Poore 2015-08-17 22:19:54 UTC
Sure, that works for me.  Just mark it as duplicate of 1250190?

Steeve, any reason not to do that?

Comment 12 Petr Vobornik 2015-08-18 17:01:33 UTC
marking as duplicate as suggested in comment 10 and comment 11

*** This bug has been marked as a duplicate of bug 1250190 ***

