
Bug 1438366

Summary: ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.4
Reporter: Sudhir Menon <sumenon>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Sudhir Menon <sumenon>
CC: abokovoy, ksiddiqu, pvoborni, rcritten, sumenon, tscherf
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug
Fixed In Version: ipa-4.5.0-6.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 09:47:49 UTC

Description Sudhir Menon 2017-04-03 08:45:11 UTC
Description of problem: ipa trust-fetch-domains command displays 'ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication'

Version-Release number of selected component (if applicable):
ipa-server-dns-4.5.0-4.el7.noarch
ipa-server-trust-ad-4.5.0-4.el7.x86_64
ipa-server-common-4.5.0-4.el7.noarch
ipa-server-4.5.0-4.el7.x86_64
samba-4.6.2-0.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Add trust
[root@autohv01 ~]# ipa trust-add --two-way=true

2. ipa trustdomain-find
[root@autohv01 ~]# ipa trustdomain-find ipaad2008r2.test
  Domain name: ipaad2008r2.test
  Domain NetBIOS name: IPAAD2008R2
  Domain Security Identifier: S-1-5-21-1765444267-4284514389-3232425237
  Domain enabled: True
 
  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

3. ipa trustdomain-disable ipaad2008r2.test ipasub2008r2-1.ipaad2008r2.test
-------------------------------------------------------
Disabled trust domain "ipasub2008r2-1.ipaad2008r2.test"
-------------------------------------------------------
  Domain name: ipasub2008r2-1.ipaad2008r2.test
  Domain NetBIOS name: IPASUB2008R2-1
  Domain Security Identifier: S-1-5-21-469193889-4273894478-2486872656
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------

4. [root@autohv01 ~]# ipa trust-fetch-domains ipaad2008r2.test

Actual results:
ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$0878133d...
ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$0878133d.plugins
ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
ipa: DEBUG: importing plugin module ipaclient.plugins.automember
ipa: DEBUG: importing plugin module ipaclient.plugins.automount
ipa: DEBUG: importing plugin module ipaclient.plugins.ca
ipa: DEBUG: importing plugin module ipaclient.plugins.cert
ipa: DEBUG: importing plugin module ipaclient.plugins.certmap
ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipa: DEBUG: importing plugin module ipaclient.plugins.dns
ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipa: DEBUG: importing plugin module ipaclient.plugins.host
ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
ipa: DEBUG: importing plugin module ipaclient.plugins.internal
ipa: DEBUG: importing plugin module ipaclient.plugins.location
ipa: DEBUG: importing plugin module ipaclient.plugins.migration
ipa: DEBUG: importing plugin module ipaclient.plugins.misc
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
ipa: DEBUG: importing plugin module ipaclient.plugins.permission
ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipa: DEBUG: importing plugin module ipaclient.plugins.server
ipa: DEBUG: importing plugin module ipaclient.plugins.service
ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipa: DEBUG: importing plugin module ipaclient.plugins.topology
ipa: DEBUG: importing plugin module ipaclient.plugins.trust
ipa: DEBUG: importing plugin module ipaclient.plugins.user
ipa: DEBUG: importing plugin module ipaclient.plugins.vault
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R'
ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R;'
ipa: INFO: trying https://autohv01.testreal.test/ipa/session/json
ipa: DEBUG: Created connection context.rpcclient_52203344
ipa: DEBUG: raw: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
ipa: INFO: Forwarding 'trust_fetch_domains/1' to json server 'https://autohv01.testreal.test/ipa/session/json'
ipa: DEBUG: New HTTP connection (autohv01.testreal.test)
ipa: DEBUG: received Set-Cookie (<type 'list'>)'['ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R&expiry=1491208631328301;Max-Age=1800;path=/ipa;httponly;secure;']'
ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=huWt5qjTB%2flQu7qOjGPEo%2fosJ0WzT8%2fXqqAaAQ6dUazMmWHmWJZktarmh%2f%2b0JnFPzPgYW9gX5qLwemhl58DNFxi9HVqmvF5ivsfTpeWO2hKk1GnMoS4WOT2uUcyOBBOcRQjeti5Jj4YDDYOCB9K1XzobAgGlC2vyRaWXjl7d1izmTvuKdnv4YGjKMTIzzj4R;' for principal admin
ipa: DEBUG: Destroyed connection context.rpcclient_52203344
ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication

2. /var/log/httpd/error_log
[Mon Apr 03 04:21:11.665932 2017] [:warn] [pid 31808] [client 2620:52:0:1322:5054:ff:fef8:fbe4:48266] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin)!, referer: https://autohv01.testreal.test/ipa/xml
[Mon Apr 03 04:21:11.667158 2017] [:error] [pid 31804] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Apr 03 04:21:11.667218 2017] [:error] [pid 31804] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Mon Apr 03 04:21:11.678497 2017] [:error] [pid 31804] ipa: DEBUG: Created connection context.ldap2_93915247484880
[Mon Apr 03 04:21:11.678547 2017] [:error] [pid 31804] ipa: DEBUG: WSGI jsonserver.__call__:
[Mon Apr 03 04:21:11.678578 2017] [:error] [pid 31804] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Apr 03 04:21:11.683516 2017] [:error] [pid 31804] ipa: DEBUG: raw: trust_fetch_domains(u'ipaad2008r2.test', version=u'2.224')
[Mon Apr 03 04:21:11.683657 2017] [:error] [pid 31804] ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', rights=False, all=False, raw=False, version=u'2.224')
[Mon Apr 03 04:21:11.683920 2017] [:error] [pid 31804] ipa: DEBUG: raw: adtrust_is_enabled(version=u'2.224')
[Mon Apr 03 04:21:11.683988 2017] [:error] [pid 31804] ipa: DEBUG: adtrust_is_enabled(version=u'2.224')
[Mon Apr 03 04:21:11.686732 2017] [:error] [pid 31804] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTREAL-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x556a5ad20248>
[Mon Apr 03 04:21:11.923133 2017] [:error] [pid 31804] ipa: DEBUG: raw: trust_show(u'ipaad2008r2.test', all=True, raw=True, version=u'2.224')
[Mon Apr 03 04:21:11.923295 2017] [:error] [pid 31804] ipa: DEBUG: trust_show(u'ipaad2008r2.test', rights=False, all=True, raw=True, version=u'2.224')
[Mon Apr 03 04:21:12.159803 2017] [:error] [pid 31804] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Apr 03 04:21:12.159830 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Mon Apr 03 04:21:12.159831 2017] [:error] [pid 31804]     result = command(*args, **options)
[Mon Apr 03 04:21:12.159832 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Mon Apr 03 04:21:12.159834 2017] [:error] [pid 31804]     return self.__do_call(*args, **options)
[Mon Apr 03 04:21:12.159836 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Mon Apr 03 04:21:12.159837 2017] [:error] [pid 31804]     ret = self.run(*args, **options)
[Mon Apr 03 04:21:12.159838 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Mon Apr 03 04:21:12.159839 2017] [:error] [pid 31804]     return self.execute(*args, **options)
[Mon Apr 03 04:21:12.159841 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1776, in execute
[Mon Apr 03 04:21:12.159842 2017] [:error] [pid 31804]     res = fetch_domains_from_trust(self.api, trustinstance, **options)
[Mon Apr 03 04:21:12.159844 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 1661, in fetch_domains_from_trust
[Mon Apr 03 04:21:12.159845 2017] [:error] [pid 31804]     server=server)
[Mon Apr 03 04:21:12.159846 2017] [:error] [pid 31804]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1433, in fetch_domains
[Mon Apr 03 04:21:12.159847 2017] [:error] [pid 31804]     error=_('Missing credentials for '
[Mon Apr 03 04:21:12.159848 2017] [:error] [pid 31804] ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
[Mon Apr 03 04:21:12.159849 2017] [:error] [pid 31804] 
[Mon Apr 03 04:21:12.159995 2017] [:error] [pid 31804] ipa: INFO: [jsonserver_session] admin: trust_fetch_domains/1(u'ipaad2008r2.test', version=u'2.224'): ValidationError
[Mon Apr 03 04:21:12.160750 2017] [:error] [pid 31804] ipa: DEBUG: Destroyed connection context.ldap2_93915247484880

Expected results: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication should be fixed.
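
The server-side audit line at the end of the error_log excerpt above (`ipa: INFO: [jsonserver_session] admin: trust_fetch_domains/1(...): ValidationError`) is the record a SOC would key on when hunting for broken cross-forest lookups, and the `failed to set perms ... /var/run/ipa/ccaches/admin` warning just before it is the symptom that the delegated credential cache was not usable. The parser below is an added example written for this page; it is not code from the bug report or from FreeIPA. The regular expressions are assumptions fitted to the line shapes visible above (Apache's `[timestamp] [:level] [pid N]` prefix, FreeIPA's `principal: command/N(args): OUTCOME` audit line, and the ccache chmod warning); the trailing `SUCCESS` line in the sample is constructed for contrast.

```python
"""Extract FreeIPA command audit records from /var/log/httpd/error_log.

Added example, not part of the bug report or of FreeIPA.  The regexes are
assumptions fitted to the line shapes shown in the report.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: four lines taken from the report's error_log excerpt,
# plus one constructed SUCCESS audit line (assumed outcome wording) for contrast.
SAMPLE_LOG = """\
[Mon Apr 03 04:21:11.665932 2017] [:warn] [pid 31808] [client 2620:52:0:1322:5054:ff:fef8:fbe4:48266] failed to set perms (3140) on file (/var/run/ipa/ccaches/admin)!, referer: https://autohv01.testreal.test/ipa/xml
[Mon Apr 03 04:21:11.683657 2017] [:error] [pid 31804] ipa: DEBUG: trust_fetch_domains(u'ipaad2008r2.test', rights=False, all=False, raw=False, version=u'2.224')
[Mon Apr 03 04:21:12.159848 2017] [:error] [pid 31804] ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
[Mon Apr 03 04:21:12.159995 2017] [:error] [pid 31804] ipa: INFO: [jsonserver_session] admin: trust_fetch_domains/1(u'ipaad2008r2.test', version=u'2.224'): ValidationError
[Mon Apr 03 04:21:13.000000 2017] [:error] [pid 31804] ipa: INFO: [jsonserver_session] admin: trustdomain_find/1(u'ipaad2008r2.test', version=u'2.224'): SUCCESS
"""

# Apache error_log prefix followed by FreeIPA's per-command audit line.
AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] "
    r"ipa: INFO: \[(?P<server>\w+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)/(?P<version>\d+)\((?P<args>.*)\): (?P<outcome>\w+)$"
)

# Warning emitted when the delegated Kerberos ccache could not be chmod'ed.
CCACHE_WARN_RE = re.compile(
    r"failed to set perms \((?P<mode>\d+)\) on file \((?P<path>[^)]+)\)"
)


def parse_audit_records(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per IPA command audit line, in file order."""
    records = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_commands(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(principal, command, outcome) for every command that did not end in SUCCESS."""
    return [
        (r["principal"], r["command"], r["outcome"])
        for r in records
        if r["outcome"] != "SUCCESS"
    ]


def ccache_warnings(log_text: str) -> List[str]:
    """Paths of credential caches Apache failed to set permissions on."""
    return [m.group("path") for m in CCACHE_WARN_RE.finditer(log_text)]


def trust_fetch_failures(log_text: str) -> List[Tuple[str, str]]:
    """(principal, trusted forest) for each failed trust_fetch_domains call.

    The first positional argument is the forest root; the u'' wrapper around
    it is Python 2 repr() noise and is stripped.
    """
    out = []
    for r in parse_audit_records(log_text):
        if r["command"] == "trust_fetch_domains" and r["outcome"] != "SUCCESS":
            first = r["args"].split(",", 1)[0].strip()
            first = re.sub(r"^u?['\"](.*)['\"]$", r"\1", first)
            out.append((r["principal"], first))
    return out


if __name__ == "__main__":
    for principal, forest in trust_fetch_failures(SAMPLE_LOG):
        print(f"{principal}: trust_fetch_domains against {forest} failed")
    for path in ccache_warnings(SAMPLE_LOG):
        print(f"ccache permission warning on {path}")
```

Run it against a real error_log by replacing `SAMPLE_LOG` with the file contents; pairing a `trust_fetch_domains` failure with a ccache warning in the same second is a quick way to tell this credential-plumbing failure apart from a genuinely unreachable AD DC.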

Comment 3 Petr Vobornik 2017-04-03 11:05:59 UTC
Do I get it right that the issue is that you got:

ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication

But expected:
ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication should be fixed.

And I'll assume that "should be fixed" was not part of the message.

Is it correct?

Comment 4 Sudhir Menon 2017-04-03 11:16:13 UTC
Petr,
Sorry for the confusion here.

Actual Result:-
When the "ipa trust-fetch-domains domainname" command is run, the message below is displayed on the console and in the httpd error log file.

===Console Output===
i.e. "ipa: ERROR: invalid 'Credentials': Missing credentials for cross-forest communication"

===/var/log/httpd/error_log===
ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication

Expected Result:-
When the command is run, rather than the error message, it should display proper output like the examples below, depending on whether there is a new domain to be fetched or not.

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
New trust domains were found
-------------------------------
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# ipa trust-fetch-domains ipaad2008r2.test
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------

Comment 5 Alexander Bokovoy 2017-04-05 09:41:22 UTC
Yes, we should stop special-casing two-way trust and simply redirect all activities that require the HTTP/.. principal's TGT to the oddjobd helper.

Comment 6 Petr Vobornik 2017-04-11 12:17:51 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6866

Comment 9 Sudhir Menon 2017-05-15 12:50:02 UTC
Verified on RHEL7.4 using

ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64

[root@master ~]# ipa trust-add --two-way=true
Realm name: pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master ~]# ipa trustdomain-find pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: True

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
[root@master ~]# ipa trustdomain-disable pne.qe chd.pne.qe
----------------------------------
Disabled trust domain "chd.pne.qe"
----------------------------------
[root@master ~]# ipa trust-fetch-domains pne.qe
----------------------------------------------------------------------------------------
List of trust domains successfully refreshed. Use trustdomain-find command to list them.
----------------------------------------------------------------------------------------
----------------------------
Number of entries returned 0
----------------------------
[root@master ~]# ipa trustdomain-find pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: False

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
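
The verification in comment 9 checks two things by eye: that `trust-fetch-domains` succeeds against a two-way trust, and that the refresh does not undo an administrator's `trustdomain-disable` (chd.pne.qe stays `Domain enabled: False`). The script below automates the second check; it is an added example written for this page, not code from the bug report or from FreeIPA. It assumes only the CLI layout visible above (indented `Key: value` lines, a blank line between entries, a `Number of entries returned N` trailer), and the "regressed" snapshot is constructed to show what a silent re-enable would look like.

```python
"""Parse `ipa trustdomain-find` output and verify that a `trust-fetch-domains`
refresh preserved the enable/disable state of every trusted domain.

Added example, not part of the bug report or of FreeIPA.  Assumes only the
CLI layout shown in the report.
"""
import re
from typing import Dict, List

# Active Directory domain SIDs have the shape S-1-5-21-<three sub-authorities>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Constructed from comment 9: `ipa trustdomain-find pne.qe` before the refresh.
BEFORE_REFRESH = """\
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-1608447083-2050507822-1235286152
  Domain enabled: False

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""
# Comment 9 shows identical output after `ipa trust-fetch-domains pne.qe`.
AFTER_REFRESH = BEFORE_REFRESH

# Constructed counter-example: a refresh that silently re-enabled chd.pne.qe.
AFTER_REFRESH_REGRESSED = BEFORE_REFRESH.replace(
    "Domain enabled: False", "Domain enabled: True"
)


def parse_trustdomain_find(text: str) -> Dict[str, Dict[str, object]]:
    """Map domain name -> {netbios, sid, enabled}; raise if the trailer count disagrees."""
    domains: Dict[str, Dict[str, object]] = {}
    current: Dict[str, str] = {}
    declared = None

    def flush() -> None:
        if current:
            domains[current["Domain name"]] = {
                "netbios": current.get("Domain NetBIOS name"),
                "sid": current.get("Domain Security Identifier"),
                "enabled": current.get("Domain enabled") == "True",
            }
            current.clear()

    for line in text.splitlines():
        m = re.match(r"^Number of entries returned (\d+)$", line)
        if m:
            declared = int(m.group(1))
            continue
        # Blank lines and dashed rules separate entries from each other and from the trailer.
        if not line.strip() or set(line.strip()) == {"-"}:
            flush()
            continue
        key, _, value = line.strip().partition(": ")
        current[key] = value
    flush()
    if declared is not None and declared != len(domains):
        raise ValueError(f"trailer says {declared} entries, parsed {len(domains)}")
    return domains


def check_refresh(before: str, after: str) -> List[str]:
    """Return human-readable problems; an empty list means the refresh was clean."""
    b = parse_trustdomain_find(before)
    a = parse_trustdomain_find(after)
    problems: List[str] = []
    for name, info in a.items():
        sid = str(info["sid"] or "")
        if not DOMAIN_SID_RE.match(sid):
            problems.append(f"{name}: malformed domain SID {sid!r}")
    sids = [info["sid"] for info in a.values()]
    for sid in {s for s in sids if sids.count(s) > 1}:
        problems.append(f"duplicate SID {sid} across trust domains")
    for name in b.keys() - a.keys():
        problems.append(f"{name}: present before refresh, missing after")
    for name in b.keys() & a.keys():
        if b[name]["enabled"] != a[name]["enabled"]:
            problems.append(
                f"{name}: enabled flipped {b[name]['enabled']} -> {a[name]['enabled']}"
            )
    return problems


if __name__ == "__main__":
    print("clean refresh:", check_refresh(BEFORE_REFRESH, AFTER_REFRESH))
    print("regressed refresh:", check_refresh(BEFORE_REFRESH, AFTER_REFRESH_REGRESSED))
```

In a real run, capture `ipa trustdomain-find <forest>` before and after `ipa trust-fetch-domains <forest>` and feed both captures to `check_refresh`; a disabled child domain coming back as enabled would silently widen which forest SIDs the IPA side accepts, which is exactly the state the `trustdomain-disable` step was meant to prevent.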

Comment 10 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304