Bug 1355753 - adding two way non transitive(external) trust displays internal error on the console
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Keywords: TestBlocker
Reported: 2016-07-12 12:38 UTC by Sudhir Menon
Modified: 2016-11-04 05:57 UTC (History)
Last Closed: 2016-11-04 05:57:36 UTC


Attachments
error log (156.65 KB, text/plain), 2016-07-12 12:38 UTC, Sudhir Menon
ipa-server install log (11.90 KB, text/plain), 2016-07-12 12:59 UTC, Sudhir Menon
ipa-adtrust-install (3.15 KB, text/plain), 2016-07-12 13:00 UTC, Sudhir Menon


External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2016:2404
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-12 12:38:13 UTC
Created attachment 1178890
error log

Description of problem: adding two way transitive trust gives internal error on the console


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-4.4.0-1.el7.x86_64
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-common-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64


How reproducible: Always.

Steps to Reproduce:
1. Install ipa-server
2. ipa-adtrust-install 
3. add forward-zone for the domain to be trusted.
4. now add two-way trust

[root@server]# ipa trust-add test.qa --external='true' --two-way=true 

Actual results:

[root@server]# ipa trust-add test.qa --external='true' --two-way=true 
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
ipa: ERROR: an internal error has occurred

[root@server ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
----------------------------
Number of entries returned 1
----------------------------

[root@server ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: TEST.QA_id_range
  First Posix ID of the range: 330800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-4204873575-1158510886-1449965812
  Range type: Active Directory domain range

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 160600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

Expected results:
Although the trust gets added successfully, the message
displayed on the console should be fixed.

Additional info: Attaching httpd error_log file

Comment 1 Sudhir Menon 2016-07-12 12:49:04 UTC
The issue occurs while adding a two-way non-transitive (external) trust, which gives an internal error on the console.

Comment 3 Sudhir Menon 2016-07-12 12:59 UTC
Created attachment 1178901
ipa-server install log

Comment 4 Sudhir Menon 2016-07-12 13:00 UTC
Created attachment 1178902
ipa-adtrust-install

Comment 5 Petr Vobornik 2016-07-12 15:32:59 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6057

Comment 6 Sudhir Menon 2016-07-13 08:39:46 UTC
Message displayed on the UI.
IPA Error 903: InternalError : an internal error has occurred

Comment 8 Martin Babinsky 2016-09-05 07:22:28 UTC
master:
* 33f8685513e06f6a398036a78407d61c3ac2db86 Always fetch forest info from root DCs when establishing two-way trust
* c789b17b2e28ed9008fee076a0db72fe90f7e93f factor out `populate_remote_domain` method into module-level function
* 4ca671788cc54a00de6a55a2529df6126da14d88 Always fetch forest info from root DCs when establishing one-way trust
ipa-4-4:
* 58513d3b2a72b6c15bdf5676ed63d6eb74f36ed7 Always fetch forest info from root DCs when establishing two-way trust
* 034b78e320e4868e4dee520690bb49fefc242cde factor out `populate_remote_domain` method into module-level function
* a532edf97337a80b0777fb00cc1b9e57ef8cf487 Always fetch forest info from root DCs when establishing one-way trust

Comment 10 Sudhir Menon 2016-09-14 12:31:23 UTC
Fix is seen. Verified on RHEL7.3 using

ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64


[root@master ~]# ipa trust-add test.qa --external='true' --two-way=true 
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
----------------------------------------
Re-established trust to domain "test.qa"
----------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@master ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: TEST.QA_id_range
  First Posix ID of the range: 330800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-4204873575-1158510886-1449965812
  Range type: Active Directory domain range

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1306000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

Comment 12 errata-xmlrpc 2016-11-04 05:57:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

