Created attachment 1136230
Logs

Description of problem:
ipa trust-find shows the sub-domain is broken after a successful trust-add.
And 'getent passwd <ADuser>' does not return the user, and #id as well.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.10.x86_64

How reproducible:
100%

Steps to Reproduce:

[root@apollo ~]# ipa trust-add --type=ad ipaad2008r2.test --range-type=ipa-ad-trust-posix --admin Administrator --password --two-way=true
Active Directory domain administrator's password:
---------------------------------------------------------
Added Active Directory trust for realm "ipaad2008r2.test"
---------------------------------------------------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@apollo ~]# ipa trust-find
ipa: WARNING: Your trust to ipasub2008r2-1.ipaad2008r2.test is broken. Please re-create it by running 'ipa trust-add' again.
----------------
2 trusts matched
----------------
  Realm name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Trust type: Active Directory domain

  Realm name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
----------------------------
Number of entries returned 2
----------------------------

[root@apollo ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IPAAD2008R2.TEST_id_range
  First Posix ID of the range: 175000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1765444267-4284514389-3232425237
  Range type: Active Directory trust range with POSIX attributes

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1674800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@apollo ~]# id tuser31416
id: tuser31416: no such user
[root@apollo ~]# getent passwd tuser31416
[root@apollo ~]# #####################################################
[root@apollo ~]# kinit tuser31416
Password for tuser31416:
[root@apollo ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_P0f4rrW
Default principal: tuser31416

Valid starting       Expires              Service principal
2016-03-14T13:33:12  2016-03-14T23:33:12  krbtgt/IPAAD2008R2.TEST
        renew until 2016-03-15T13:33:08

Additional info:
Logs attached.

A regression?

This is a regression caused by patch for bug 1305533, and bug 1311470 (clone of 1305533). Let it be fixed there.

*** This bug has been marked as a duplicate of bug 1305533 ***