Created attachment 1225881
pass.txt

Description of problem:
two-way trust-add fails intermittently, not sure what is the potential reason behind that.

Version-Release number of selected component (if applicable):

How reproducible:
Every now and then. Not able to backtrack with proper reproduction steps.

Important note:
===============
Tried running automation scripts multiple times on the same AD environment with different beaker/local VMs and the results are not consistent. Please find the attached logs for both pass and fail results below.

**Please note that it is the same AD environment**

Result logs:
============
1. Passed ==> pass.txt
2. Failed ==> fail.txt

Pass Result Snippet:
====================
:: [ BEGIN ] :: Running 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True'
---------------------------------------------------
Added Active Directory trust for realm "adtest2.qe"
---------------------------------------------------
  Realm name: adtest2.qe
  Domain NetBIOS name: ADTEST2
  Domain Security Identifier: S-1-5-21-1869981227-3608374679-2281468898
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [ PASS ] :: Command 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 0)
....

Fail Result Snippet:
=====================
:: [ BEGIN ] :: Running 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True'
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
:: [ FAIL ] :: Command 'echo Secret123 | ipa trust-add adtest2.qe --admin Administrator --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 1)
Created attachment 1225882
fail.txt
The error message gives a hint why it is failing:

"""
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue
"""

There is probably a DNS misconfiguration at AD side and it cannot resolve IPA master SRV records.

You can get more info about the issue by adding `log level = 100` in /usr/share/ipa/sm.conf.empty after ipa-adtrust-install, re-starting smbd.service and looking into apache error log after trust-add.

You can also run nslookup on AD DC to resolve _ldap._tcp SRV records in IPA domain:

> nslookup.exe
> set type=srv
> _ldap._tcp.<IPA-REALM>
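The SRV check suggested above can be scripted so the same query the AD DC must answer is run against a chosen nameserver and the result is checked before trust-add. The following is an added example written for this thread, not code from IPA or from the reporter: it builds a raw DNS SRV query for `_ldap._tcp.<realm>` with the standard library only (no dnspython dependency) and parses the reply, including RFC 1035 name-compression pointers. The realm `ipa.example.test`, the hostnames `master1`/`master2` and the sample reply bytes are constructed for illustration.

```python
import random
import socket
import struct

SRV_TYPE = 33   # QTYPE for SRV records (RFC 2782)
IN_CLASS = 1


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_srv_query(name, txid=None):
    """Return (transaction id, wire-format query) for an SRV lookup of `name`."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100: standard query with recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + _encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(packet, offset):
    """Decode a name at `offset`, following compression pointers; return (name, next_offset)."""
    labels, next_offset, jumped = [], None, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:              # 2-byte pointer into an earlier part of the packet
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_offset = offset + 2       # parsing resumes after the first pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if next_offset is None else next_offset)


def parse_srv_response(packet, expected_txid=None):
    """Return SRV records from the answer section, sorted by priority then descending weight."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"DNS error, rcode {rcode} (3 = NXDOMAIN: no such SRV name)")
    offset = 12
    for _ in range(qdcount):                   # skip echoed question(s)
        _, offset = read_name(packet, offset)
        offset += 4                            # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata_end = offset + rdlength
        if rtype == SRV_TYPE:
            priority, weight, port = struct.unpack("!HHH", packet[offset:offset + 6])
            target, _ = read_name(packet, offset + 6)
            records.append({"priority": priority, "weight": weight, "port": port,
                            "target": target, "ttl": ttl})
        offset = rdata_end
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def lookup_ipa_ldap_srv(realm, nameserver, timeout=3.0):
    """Query `nameserver` over UDP for _ldap._tcp.<realm> and return the parsed SRV records."""
    txid, query = build_srv_query(f"_ldap._tcp.{realm.lower()}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data, txid)


# Constructed sample reply (not captured from a real server): two SRV answers whose owner
# name points back to the question (0xC00C = offset 12) and whose targets reuse the
# "ipa.example.test" labels at offset 23 (0xC017) of the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + _encode_name("_ldap._tcp.ipa.example.test") + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    + b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 86400, 16)
    + struct.pack("!HHH", 0, 100, 389) + b"\x07master1" + b"\xC0\x17"
    + b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 86400, 16)
    + struct.pack("!HHH", 10, 50, 389) + b"\x07master2" + b"\xC0\x17"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                     # usage: script.py <ipa-realm> <nameserver-ip>
        records = lookup_ipa_ldap_srv(sys.argv[1], sys.argv[2])
    else:
        records = parse_srv_response(SAMPLE_RESPONSE, 0x1234)
    for r in records:
        print(f"{r['target']}:{r['port']} priority={r['priority']} weight={r['weight']}")
```

Run it against the DNS server the AD DC actually uses (its configured resolver, not the IPA server directly); an NXDOMAIN or timeout there, while the same query succeeds against the IPA nameserver, points at the missing forwarder or conditional forwarding zone on the AD side rather than at IPA itself.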
Bump
Not able to reproduce this bug now. Will reopen if it is reproduced again.