Red Hat Bugzilla – Bug 1438366
ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
Last modified: 2017-08-01 05:47:49 EDT
Description of problem:
ipa trust-fetch-domains command displays 'ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication'

Version-Release number of selected component (if applicable):
ipa-server-dns-4.5.0-4.el7.noarch
ipa-server-trust-ad-4.5.0-4.el7.x86_64
ipa-server-common-4.5.0-4.el7.noarch
ipa-server-4.5.0-4.el7.x86_64
samba-4.6.2-0.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add trust
[root@autohv01 ~]# ipa trust-add --two-way=true

2. ipa trustdomain-find
[root@autohv01 ~]# ipa trustdomain-find ipaad2008r2.test
  Domain name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Domain enabled: True

  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

3. ipa trustdomain-disable ipaad2008r2.test ipasub2008r2-1.ipaad2008r2.test
-------------------------------------------------------
Disabled trust domain "ipasub2008r2-1.ipaad2008r2.test"
-------------------------------------------------------
  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------

4. [root@autohv01 ~]# ipa trust-fetch-domains ipaad2008r2.test

Actual results:
1. Console output
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$0878133d...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$0878133d.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TESTREAL.TEST', cookie: 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R;'
ipa: INFO: trying https://autohv01.testreal.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_52203344
ipa: DEBUG: raw: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
ipa: INFO: Forwarding 'trust_fetch_domains/1' to json server 'https://autohv01.testreal.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (autohv01.testreal.test)
ipa: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R&expiry=1491208631328301;Max-Age=1800;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R;' for principal admin@TESTREAL.TEST
ipa: DEBUG: Destroyed connection context.rpcclient_52203344
ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication

2. /var/log/httpd/error_log
[Mon Apr 03 04:21:11.665932 2017] [:warn] [pid 31808] [client 2620:52:0:1322:5054:ff:fef8:fbe4:48266] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin@TESTREAL.TEST)!, referer: https://autohv01.testreal.test/ipa/xml
[Mon Apr 03 04:21:11.667158 2017] [:error] [pid 31804] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 03 04:21:11.667218 2017] [:error] [pid 31804] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 03 04:21:11.678497 2017] [:error] [pid 31804] ipa: DEBUG: Created connection context.ldap2_93915247484880
[Mon Apr 03 04:21:11.678547 2017] [:error] [pid 31804] ipa: DEBUG: WSGI jsonserver.__call__:
[Mon Apr 03 04:21:11.678578 2017] [:error] [pid 31804] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Apr 03 04:21:11.683516 2017] [:error] [pid 31804] ipa: DEBUG: raw: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
[Mon Apr 03 04:21:11.683657 2017] [:error] [pid 31804] ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', rights=False, all=False, raw=False, version=u'2.224')
[Mon Apr 03 04:21:11.683920 2017] [:error] [pid 31804] ipa: DEBUG: raw: adtrust_is_enabled(version=u'2.224')
[Mon Apr 03 04:21:11.683988 2017] [:error] [pid 31804] ipa: DEBUG: adtrust_is_enabled(version=u'2.224')
[Mon Apr 03 04:21:11.686732 2017] [:error] [pid 31804] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTREAL-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x556a5ad20248>
[Mon Apr 03 04:21:11.923133 2017] [:error] [pid 31804] ipa: DEBUG: raw: trust_show(u'ipaad2008r2.test', all=True, raw=True, version=u'2.224')
[Mon Apr 03 04:21:11.923295 2017] [:error] [pid 31804] ipa: DEBUG: trust_show(u'ipaad2008r2.test', rights=False, all=True, raw=True, version=u'2.224')
[Mon Apr 03 04:21:12.159803 2017] [:error] [pid 31804] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Apr 03 04:21:12.159830 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Mon Apr 03 04:21:12.159831 2017] [:error] [pid 31804]     result = command(*args, **options)
[Mon Apr 03 04:21:12.159832 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Mon Apr 03 04:21:12.159834 2017] [:error] [pid 31804]     return self.__do_call(*args, **options)
[Mon Apr 03 04:21:12.159836 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Mon Apr 03 04:21:12.159837 2017] [:error] [pid 31804]     ret = self.run(*args, **options)
[Mon Apr 03 04:21:12.159838 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Mon Apr 03 04:21:12.159839 2017] [:error] [pid 31804]     return self.execute(*args, **options)
[Mon Apr 03 04:21:12.159841 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1776, in execute
[Mon Apr 03 04:21:12.159842 2017] [:error] [pid 31804]     res = fetch_domains_from_trust(self.api, trustinstance, **options)
[Mon Apr 03 04:21:12.159844 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1661, in fetch_domains_from_trust
[Mon Apr 03 04:21:12.159845 2017] [:error] [pid 31804]     server=server)
[Mon Apr 03 04:21:12.159846 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1433, in fetch_domains
[Mon Apr 03 04:21:12.159847 2017] [:error] [pid 31804]     error=_('Missing credentials for '
[Mon Apr 03 04:21:12.159848 2017] [:error] [pid 31804] ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
[Mon Apr 03 04:21:12.159849 2017] [:error] [pid 31804]
[Mon Apr 03 04:21:12.159995 2017] [:error] [pid 31804] ipa: INFO: [jsonserver_session] admin@TESTREAL.TEST: trust_fetch_domains/1(u'ipaad2008r2.test', version=u'2.224'): ValidationError
[Mon Apr 03 04:21:12.160750 2017] [:error] [pid 31804] ipa: DEBUG: Destroyed connection context.ldap2_93915247484880

Expected results:
ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication should be fixed.
Do I get it right that the issue is that you got:

ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication

But expected:

ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication should be fixed.

And I'll assume that "should be fixed" was not part of the message. Is it correct?
Petr,

Sorry for the confusion here.

Actual Result:-
When "ipa trust-fetch-domains domainname" command is run, the message below is displayed on the console and in the httpd error log file.

===Console Output===
i.e. "ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication"

===/var/log/httpd/error_log===
ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication

Expected Result:-
When the command is run, rather than the error message it should display proper output like below, depending on whether there is a new domain to be fetched or not.

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
New trust domains were found
-------------------------------
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------
Yes, we should stop special casing two-way trust and simply redirect all activities that require HTTP/.. principal's TGT to oddjobd helper.
Upstream ticket: https://pagure.io/freeipa/issue/6866
Should be fixed together with bug 1438348; use the commits below:

Fixed upstream master:
https://pagure.io/freeipa/c/aef77b3529540ad12939a2cc54996c341c5d49d3
https://pagure.io/freeipa/c/e560899cce20ca7773a5ce46a1c29db1349e8ec7

ipa-4-5:
https://pagure.io/freeipa/c/bbb23fc87a51218960d54f9eccc23405c5c5ded6
https://pagure.io/freeipa/c/45e1998c51e281c8371ae31762016cb1ddec406f
Verified on RHEL7.4 using
ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64

[root@master ~]# ipa trust-add --two-way=true
Realm name: pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master ~]# ipa trustdomain-find pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: True

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@master ~]# ipa trustdomain-disable pne.qe chd.pne.qe
----------------------------------
Disabled trust domain "chd.pne.qe"
----------------------------------

[root@master ~]# ipa trust-fetch-domains pne.qe
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------

[root@master ~]# ipa trustdomain-find pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: False

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
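The reproduction steps in the description and the verification transcript above both rely on reading `ipa trustdomain-find` and `ipa trust-fetch-domains` output by eye. Below is an added example (not FreeIPA code and not part of this bug report) that parses that output so the two properties this bug turns on can be checked by a script: the command must not end in the "Missing credentials for cross-forest communication" error, and a child domain an administrator disabled must still show `Domain enabled: False` after the refresh. The sample blocks are constructed to match the verified output's layout; the function names are this example's own.

```python
"""Check `ipa trust-fetch-domains` / `ipa trustdomain-find` output.

Added example, not FreeIPA code.  Parses the key/value blocks the ipa CLI
prints and verifies the behaviour shown in the verification comment.
"""
import re
from typing import Dict, List, Optional, Tuple

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
CRED_ERROR = "Missing credentials for cross-forest communication"

# Constructed samples modelled on the verified transcript (not captured output).
BEFORE = """\
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: True

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""
# Same forest after `trustdomain-disable pne.qe chd.pne.qe` and a refresh.
AFTER = BEFORE.replace("CHD\n  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152\n  Domain enabled: True",
                       "CHD\n  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152\n  Domain enabled: False")
FETCH_OK = "List of trust domains successfully refreshed. Use trustdomain-find command to list them.\nNumber of entries returned 0\n"
FETCH_ERROR = "ipa: ERROR: invalid 'Credentials': " + CRED_ERROR + "\n"


def parse_trustdomain_find(text: str) -> List[Dict[str, str]]:
    """Split trustdomain-find output into one dict per domain block."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, dashed rules and the summary line end a block.
        if not line or line.startswith("---") or line.startswith("Number of entries"):
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def entries_returned(text: str) -> Optional[int]:
    """The count the CLI reports in its summary line, or None if absent."""
    match = re.search(r"Number of entries returned (\d+)", text)
    return int(match.group(1)) if match else None


def classify_fetch_output(text: str) -> str:
    """Map trust-fetch-domains output onto the outcomes seen in this bug."""
    if CRED_ERROR in text:
        return "credentials-error"       # the failure this bug is about
    if "No new trust domains were found" in text:
        return "no-new-domains"
    if "New trust domains were found" in text:
        return "new-domains"
    if "List of trust domains successfully refreshed" in text:
        return "refreshed"
    return "unknown"


def enabled_flag_changes(before: str, after: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Domains whose 'Domain enabled' flag differs between two listings.

    Used to confirm an admin-disabled child domain stays disabled across a
    trust-fetch-domains refresh rather than being silently re-enabled.
    """
    old = {r["Domain name"]: r.get("Domain enabled") for r in parse_trustdomain_find(before)}
    new = {r["Domain name"]: r.get("Domain enabled") for r in parse_trustdomain_find(after)}
    return {name: (old.get(name), new.get(name))
            for name in sorted(set(old) | set(new)) if old.get(name) != new.get(name)}


def invalid_sids(text: str) -> List[str]:
    """Domain names whose SID does not look like a domain SID (S-1-5-21-...)."""
    return [r["Domain name"] for r in parse_trustdomain_find(text)
            if not SID_RE.match(r.get("Domain Security Identifier", ""))]


if __name__ == "__main__":
    print("fetch (ok):   ", classify_fetch_output(FETCH_OK))
    print("fetch (error):", classify_fetch_output(FETCH_ERROR))
    print("flag changes: ", enabled_flag_changes(BEFORE, AFTER))
    print("bad SIDs:     ", invalid_sids(AFTER))
```

Run against real output, `enabled_flag_changes(before, after)` is expected to report exactly the domains you disabled yourself; any other entry flipping between listings is worth a closer look, and a `credentials-error` classification on a two-way trust is the symptom this bug fixed.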
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304