Bug 1356899 - com.redhat.idm.trust.fetch_domains need update after thin client changes
Summary: com.redhat.idm.trust.fetch_domains need update after thin client changes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On: 1361636
Blocks:
Reported: 2016-07-15 08:59 UTC by Sudhir Menon
Modified: 2016-11-04 05:58 UTC (History)

Fixed In Version: ipa-4.4.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:58:27 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-15 08:59:39 UTC
Description of problem: com.redhat.idm.trust.fetch_domains need update after thin client changes


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-4.4.0-1.el7.x86_64
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-common-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Ensure selinux is disabled on the IPA_server
2. Install IPA server
3. Establish one-way trust with forest root domain, e.g. pne.qe
4. Ensure trust is established without any errors.
5. Now run the below command

oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe

Actual results:
Traceback (most recent call last):
  File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 127, in <module>
    api.Backend.ldap2.connect(ccache_name)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 330, in __getattr__
    raise AttributeError(key)
AttributeError: ldap2

Expected results: Fix the traceback.

Additional info: This issue was seen when testing UPN Suffixes which were not getting displayed using ipa trust-show command and the same was displayed for two-way trust.

[root@server samba]# ipa trust-show pne.qe
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Trusting forest
  Trust type: Active Directory domain

[root@server samba]# ipa trust-show pne.qe
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  UPN suffixes: qa.in, qa.io, qa.pne, qa.test, qa.org, test.qa

Comment 1 Petr Vobornik 2016-07-15 09:06:44 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6082

Comment 2 Martin Bašti 2016-07-19 12:12:42 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b144bf527db76573590255d4ac80e9dfd813ba3d

Comment 5 Martin Bašti 2016-07-29 14:43:51 UTC
I'll provide a patch that fixes the traceback on the IPA side, but this is mainly an SELinux issue.

It should raise: 'Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server' until the SELinux policy is fixed.

Comment 6 Martin Bašti 2016-07-29 15:07:59 UTC
Because I see in the steps to reproduce that SELinux should be disabled, do you know if there is an SELinux bug opened for this, or should I open one?

Comment 7 Martin Bašti 2016-07-29 15:11:39 UTC
Traceback fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c2edfa0adbc1a603a146aa44d73a4024e06063f0


I will open a separate BZ for SELinux.

Comment 9 Sudhir Menon 2016-08-09 17:51:16 UTC
Martin,

Here are the observations with the below rpms.

ipa-server-4.4.0-5.el7.x86_64

1. With SELinux in enforcing mode the issue is still seen.
Depends on BZ1361636 to be fixed.

[root@master network-scripts]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
com.redhat.oddjob.Error.Exec: Child signalled exec() error: Permission denied

2. With SELinux in permissive mode the traceback is still seen, although the message mentioned in comment #5 does appear.

[root@ipaserver ~]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
Traceback (most recent call last):
  File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 174, in <module>
    trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1684, in add_new_domains_from_trust
    trust_name, name, **dom)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 435, in add_range
    ipanttrusteddomainsid=dom_sid)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1181, in execute
    *keys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/idrange.py", line 468, in pre_callback
    entry_attrs['ipanttrusteddomainsid'])
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/idrange.py", line 341, in validate_trusted_domain_sid
    domain_validator = self.get_domain_validator()
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/idrange.py", line 326, in get_domain_validator
    raise errors.NotFound(reason=_('Cannot perform SID validation '
ipalib.errors.NotFound: Cannot perform SID validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server

Comment 10 Martin Bašti 2016-08-10 10:10:34 UTC
As I wrote in comment #5, until the SELinux policy is fixed you will see tracebacks. Please retest when bz1361636 is fixed.

Comment 11 Sudhir Menon 2016-08-11 07:53:54 UTC
Observation:

The traceback has been fixed; however, an error is displayed when the 'oddjob_request' command is run in permissive mode, so I have reopened bz1361636.
Once that is fixed, I will close this bug.

[root@master ~]# getenforce 
Enforcing
[root@master ~]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe

[root@master ~]# setenforce 0
[root@master ~]# getenforce 
Permissive
[root@master ~]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe
com.redhat.oddjob.Error.Exec: Child signalled exec() error: error setting helper execution SELinux context.

===audit.log===
type=SYSCALL msg=audit(1470901858.780:305): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f6b7e0f7f90 a2=5a a3=7ffe7b6caa30 items=0 ppid=9517 pid=10197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1470901885.109:306): enforcing=0 old_enforcing=1 auid=0 ses=1
type=SYSCALL msg=audit(1470901885.109:306): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffef4c81680 a2=1 a3=7ffef4c81400 items=0 ppid=2037 pid=10200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1470901896.398:307): op=security_compute_sid invalid_context=unconfined_u:unconfined_r:ipa_helper_t:s0-s0:c0.c1023 scontext=unconfined_u:unconfined_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ipa_helper_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1470901896.398:307): arch=c000003e syscall=1 success=yes exit=90 a0=4 a1=7f6b7e0f7f90 a2=5a a3=7ffe7b6caa30 items=0 ppid=9517 pid=10203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)

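The audit records in the comment above carry the whole diagnosis: a write() by oddjobd that fails with EACCES while enforcing, a mode switch to permissive, and then a SELINUX_ERR showing that the kernel cannot compute a valid context for the helper (unconfined_r does not contain ipa_helper_t), which is why the helper still fails after setenforce 0. The following triage script is an added example, not part of the bug report or of FreeIPA; it parses audit.log lines into records grouped by audit serial, flags EACCES syscall failures, enforcing-mode changes and invalid-context transitions, and uses the four records from comment 11 as its sample input. The function names, the finding keys and the sample constant are this example's own.

```python
"""Triage SELinux failures of an oddjob helper from audit.log records.

Added example (not from the bug report or FreeIPA). Function names and
finding keys are this example's own; the sample below copies the four
records quoted in comment 11 of the bug.
"""
import re
from collections import defaultdict

# Sample input: the audit records from comment 11, one per line.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1470901858.780:305): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=7f6b7e0f7f90 a2=5a a3=7ffe7b6caa30 items=0 ppid=9517 pid=10197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=MAC_STATUS msg=audit(1470901885.109:306): enforcing=0 old_enforcing=1 auid=0 ses=1
type=SELINUX_ERR msg=audit(1470901896.398:307): op=security_compute_sid invalid_context=unconfined_u:unconfined_r:ipa_helper_t:s0-s0:c0.c1023 scontext=unconfined_u:unconfined_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ipa_helper_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1470901896.398:307): arch=c000003e syscall=1 success=yes exit=90 a0=4 a1=7f6b7e0f7f90 a2=5a a3=7ffe7b6caa30 items=0 ppid=9517 pid=10203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
"""

# "type=X msg=audit(<epoch>:<serial>): <key=value ...>"
_HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value tokens; values may be double-quoted (comm="oddjobd") or bare.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EACCES = 13  # errno: the kernel reports a denied write() as exit=-13


def parse_record(line):
    """Turn one audit.log line into a dict of its fields, or None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("time")),
           "serial": int(m.group("serial"))}
    for key, val in _FIELD.findall(m.group("body")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def group_events(log_text):
    """Group records by audit serial; one event may span several records."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def triage(log_text):
    """Return a list of findings (dicts) in serial order."""
    findings = []
    for serial, recs in sorted(group_events(log_text).items()):
        for rec in recs:
            if rec["type"] == "SELINUX_ERR" and rec.get("op") == "security_compute_sid":
                # The policy could not build a valid context for the exec
                # transition; this happens regardless of enforcing mode.
                findings.append({
                    "serial": serial, "kind": "invalid_transition",
                    "source_domain": context_type(rec["scontext"]),
                    "exec_type": context_type(rec["tcontext"]),
                    "attempted_domain": context_type(rec["invalid_context"]),
                    "attempted_role": rec["invalid_context"].split(":")[1],
                })
            elif (rec["type"] == "SYSCALL" and rec.get("success") == "no"
                  and int(rec.get("exit", "0")) == -EACCES):
                findings.append({
                    "serial": serial, "kind": "eacces",
                    "comm": rec.get("comm"),
                    "source_domain": context_type(rec.get("subj", "")),
                    "syscall": int(rec["syscall"]),
                })
            elif rec["type"] == "MAC_STATUS":
                findings.append({
                    "serial": serial, "kind": "mode_change",
                    "enforcing": rec.get("enforcing") == "1",
                    "was_enforcing": rec.get("old_enforcing") == "1",
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f)
```

Run against the sample it reports three findings: serial 305 is an EACCES failure by oddjobd in oddjob_t (syscall 1 with arch=c000003e is write(2) on x86_64, the write of the helper's exec context); 306 is the switch from enforcing to permissive; 307 is the invalid transition from oddjob_t through ipa_helper_exec_t to ipa_helper_t under role unconfined_r. The second SYSCALL record of event 307 succeeds, so the remaining failure in permissive mode is the invalid context, not a denial, which matches the "error setting helper execution SELinux context" message and explains why the fix had to land in selinux-policy rather than in IPA.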
Comment 12 Sudhir Menon 2016-08-17 17:46:27 UTC
Observations:

1. Traceback message is fixed when oddjob_request command is run
2. There is no longer an error displayed when the 'oddjob_request' command is run in permissive mode.

Verified on RHEL7.3 using 
ipa-server-4.4.0-7.el7.x86_64
libselinux-2.5-5.el7.x86_64
selinux-policy-3.13.1-94.el7.noarch
selinux-policy-targeted-3.13.1-94.el7.noarch

[root@ipaserver abrt]# getenforce 
Enforcing
[root@ipaserver abrt]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe

[root@ipaserver abrt]# setenforce 0
[root@ipaserver abrt]# getenforce 
Permissive

[root@ipaserver abrt]# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains pne.qe

Comment 14 errata-xmlrpc 2016-11-04 05:58:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

