Bug 1664023 - ipa trust-add fails with ipa: ERROR: an internal error has occurred
Summary: ipa trust-add fails with ipa: ERROR: an internal error has occurred
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-01-07 14:32 UTC by Varun Mylaraiah
Modified: 2019-06-14 01:25 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 01:25:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
/var/log/httpd/error_log (121.93 KB, text/plain)
2019-01-07 14:32 UTC, Varun Mylaraiah

Description Varun Mylaraiah 2019-01-07 14:32:17 UTC
Created attachment 1519026 [details]
/var/log/httpd/error_log

Description of problem:
ipa trust-add fails with ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
ipa-server-trust-ad-4.7.1-7.module+el8+2555+b334d87b.x86_64


How reproducible:
100%

Steps to Reproduce:
1.Install IPA server and establish trust with AD
2.ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
3.ipa dnszone-add example.test --name-server=<hostname> --admin-email=hostmaster
4.ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True

Actual results:
ipa: ERROR: an internal error has occurred

Expected results:
ipa trust-add should be successful

Additional info:
Attached error_log with 'log level = 50' in /usr/share/ipa/smb.conf.empty

Discussion with Dev:
Alexander Bokovoy: "So we got back entry with LSA_FOREST_TRUST_DOMAIN_INFO and need to adapt to that. Should be simple"

Console Output:
[root@kvm-04-guest10 ~]# echo <xxxxxx> | ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
-------------------------------------------------------
Added Active Directory trust for realm "ipaad2016.test"
-------------------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@kvm-04-guest10 ~]# 
[root@kvm-04-guest10 ~]# ipa dnszone-add example.test --name-server=kvm-04-guest10.realmmv073.test. --admin-email=hostmaster
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute.
NS record(s) can be edited in zone apex - '@'. 
  Zone name: example.test.
  Active zone: TRUE
  Authoritative nameserver: kvm-04-guest10.realmmv073.test.
  Administrator e-mail address: hostmaster.example.test
  SOA serial: 1546866033
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant REALMMV073.TEST krb5-self * A; grant REALMMV073.TEST krb5-self * AAAA; grant
                      REALMMV073.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@kvm-04-guest10 ~]# echo <xxxxxx> | ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
ipa: ERROR: an internal error has occurred

Comment 1 Alexander Bokovoy 2019-01-08 06:28:01 UTC
There is a conflicting TLN (example.test), so we need to create an exclusion entry for example.test (us) at the remote forest (realmmv071.test). We request the forest's topology and try to process it. However, when processing the entries in the topology we assumed they are of a particular type, while this one shows entries of more than one type:

     lsa_lsaRQueryForestTrustInformation: struct lsa_lsaRQueryForestTrustInformation
        out: struct lsa_lsaRQueryForestTrustInformation
            forest_trust_info        : *
                forest_trust_info        : *
                    forest_trust_info: struct lsa_ForestTrustInformation
                        count                    : 0x00000003 (3)
                        entries                  : *
                            entries: ARRAY(3)
                                entries                  : *
                                    entries: struct lsa_ForestTrustRecord
                                        flags                    : 0x00000000 (0)
                                               0: LSA_TLN_DISABLED_NEW     
                                               0: LSA_TLN_DISABLED_ADMIN   
                                               0: LSA_TLN_DISABLED_CONFLICT
                                               0: LSA_SID_DISABLED_ADMIN   
                                               0: LSA_SID_DISABLED_CONFLICT
                                               0: LSA_NB_DISABLED_ADMIN    
                                               0: LSA_NB_DISABLED_CONFLICT 
                                        type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
                                        time                     : Mon Jan  7 02:14:30 2019 EST
                                        forest_trust_data        : union lsa_ForestTrustData(case 0)
                                        top_level_name: struct lsa_StringLarge
                                            length                   : 0x001e (30)
                                            size                     : 0x0020 (32)
                                            string                   : *
                                                string                   : 'realmmv071.test'
                                entries                  : *
                                    entries: struct lsa_ForestTrustRecord
                                        flags                    : 0x00000000 (0)
                                               0: LSA_TLN_DISABLED_NEW     
                                               0: LSA_TLN_DISABLED_ADMIN   
                                               0: LSA_TLN_DISABLED_CONFLICT
                                               0: LSA_SID_DISABLED_ADMIN   
                                               0: LSA_SID_DISABLED_CONFLICT
                                               0: LSA_NB_DISABLED_ADMIN    
                                               0: LSA_NB_DISABLED_CONFLICT 
                                        type                     : LSA_FOREST_TRUST_TOP_LEVEL_NAME (0)
                                        time                     : Mon Jan  7 02:14:30 2019 EST
                                        forest_trust_data        : union lsa_ForestTrustData(case 0)
                                        top_level_name: struct lsa_StringLarge
                                            length                   : 0x0018 (24)
                                            size                     : 0x001a (26)
                                            string                   : *
                                                string                   : 'example.test'
                                entries                  : *
                                    entries: struct lsa_ForestTrustRecord
                                        flags                    : 0x00000000 (0)
                                               0: LSA_TLN_DISABLED_NEW     
                                               0: LSA_TLN_DISABLED_ADMIN   
                                               0: LSA_TLN_DISABLED_CONFLICT
                                               0: LSA_SID_DISABLED_ADMIN   
                                               0: LSA_SID_DISABLED_CONFLICT
                                               0: LSA_NB_DISABLED_ADMIN    
                                               0: LSA_NB_DISABLED_CONFLICT 
                                        type                     : LSA_FOREST_TRUST_DOMAIN_INFO (2)
                                        time                     : Mon Jan  7 03:19:00 2019 EST
                                        forest_trust_data        : union lsa_ForestTrustData(case 2)
                                        domain_info: struct lsa_ForestTrustDomainInfo
                                            domain_sid               : *
                                                domain_sid               : S-1-5-21-3770167905-2907243591-2927179109
                                            dns_domain_name: struct lsa_StringLarge
                                                length                   : 0x001e (30)
                                                size                     : 0x0020 (32)
                                                string                   : *
                                                    string                   : 'realmmv071.test'
                                            netbios_domain_name: struct lsa_StringLarge
                                                length                   : 0x0014 (20)
                                                size                     : 0x0016 (22)
                                                string                   : *
                                                    string                   : 'REALMMV071'
            result                   : NT_STATUS_OK

As a result, we attempt to address realmmv071.test's entry as 'forest_trust_data.string' when it should be 'forest_trust_data.dns_domain_name.string'.

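The record-type dispatch that comment 1 describes, as an added example that is not FreeIPA's or Samba's code. It assumes record objects shaped like Samba's lsa.ForestTrustRecord Python bindings (built here from SimpleNamespace), the MS-LSAD type values 0, 1 and 2 for TOP_LEVEL_NAME, TOP_LEVEL_NAME_EX and DOMAIN_INFO, and a constructed copy of the three records in the trace above. The function names, the conflict rule (a local name equal to or below an enabled remote TLN collides unless an exclusion already covers it) and the AttributeError as the failure mode of the old accessor are mine.

```python
# Added example (not FreeIPA's code): walking an lsa_ForestTrustInformation
# record list the way trust-add must, dispatching on each record's type.
# Shapes mirror Samba's lsa.ForestTrustRecord bindings (an assumption):
#   type 0 TOP_LEVEL_NAME    -> forest_trust_data.string
#   type 1 TOP_LEVEL_NAME_EX -> forest_trust_data.string
#   type 2 DOMAIN_INFO       -> forest_trust_data.dns_domain_name.string
from types import SimpleNamespace

LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0
LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX = 1
LSA_FOREST_TRUST_DOMAIN_INFO = 2


def tln_record(name, rtype=LSA_FOREST_TRUST_TOP_LEVEL_NAME):
    return SimpleNamespace(type=rtype, flags=0,
                           forest_trust_data=SimpleNamespace(string=name))


def domain_info_record(dns_name, netbios, sid):
    return SimpleNamespace(
        type=LSA_FOREST_TRUST_DOMAIN_INFO, flags=0,
        forest_trust_data=SimpleNamespace(
            domain_sid=sid,
            dns_domain_name=SimpleNamespace(string=dns_name),
            netbios_domain_name=SimpleNamespace(string=netbios)))


# Constructed copy of the three records in the trace from comment 1.
REMOTE_FOREST_INFO = [
    tln_record("realmmv071.test"),
    tln_record("example.test"),
    domain_info_record("realmmv071.test", "REALMMV071",
                       "S-1-5-21-3770167905-2907243591-2927179109"),
]


def dns_name_buggy(rec):
    """The assumption behind the original failure: every record is a TLN."""
    return rec.forest_trust_data.string


def dns_name(rec):
    """Type-aware accessor; an unknown type is an error, not skipped silently."""
    if rec.type in (LSA_FOREST_TRUST_TOP_LEVEL_NAME,
                    LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX):
        return rec.forest_trust_data.string.lower()
    if rec.type == LSA_FOREST_TRUST_DOMAIN_INFO:
        return rec.forest_trust_data.dns_domain_name.string.lower()
    raise ValueError("unsupported forest trust record type %r" % rec.type)


def walk(info, accessor):
    """Names from every record, or the exception name if the accessor blew up
    (an unhandled exception is what the CLI reports as an internal error)."""
    try:
        return [accessor(r) for r in info]
    except AttributeError:
        return "AttributeError"


def _is_under(name, tln):
    return name == tln or name.endswith("." + tln)


def tln_conflicts(remote_info, local_names):
    """(local_name, remote_tln) pairs where a name we want as a TLN of our
    forest is already claimed by a TLN of this remote TDO and no existing
    TOP_LEVEL_NAME_EX record of that TDO excludes it."""
    tlns = [dns_name(r) for r in remote_info
            if r.type == LSA_FOREST_TRUST_TOP_LEVEL_NAME]
    excluded = [dns_name(r) for r in remote_info
                if r.type == LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX]
    found = []
    for name in (n.lower() for n in local_names):
        if any(_is_under(name, e) for e in excluded):
            continue
        found.extend((name, t) for t in tlns if _is_under(name, t))
    return found


def with_exclusions(remote_info, conflicts):
    """Updated record list for the remote TDO: one TOP_LEVEL_NAME_EX record
    per conflicting local name, appended to the records already there."""
    return list(remote_info) + [
        tln_record(name, LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)
        for name, _ in conflicts]


if __name__ == "__main__":
    ours = ["realmmv073.test", "example.test"]
    print("old accessor:", walk(REMOTE_FOREST_INFO, dns_name_buggy))
    print("new accessor:", walk(REMOTE_FOREST_INFO, dns_name))
    conflicts = tln_conflicts(REMOTE_FOREST_INFO, ours)
    print("conflicts:", conflicts)
    print("after exclusions:",
          tln_conflicts(with_exclusions(REMOTE_FOREST_INFO, conflicts), ours))
```

With the constructed records, the old accessor fails on the third (DOMAIN_INFO) entry, the type-aware one returns all three names, and example.test is reported as colliding with the realmmv071.test TDO until an exclusion record for it is added.
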
Comment 5 Alexander Bokovoy 2019-01-08 07:13:46 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7828

Comment 9 Christian Heimes 2019-01-14 08:33:45 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/d946d0ddd4aab65b33656f7799db009cc7020bb9

Comment 12 Varun Mylaraiah 2019-01-23 14:08:01 UTC
Verified.

ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64
ipa-server-trust-ad-4.7.1-10.module+el8+2699+aa606a46.x86_64

[root@vm-idm-016 ~]# echo <XXXXXXX> | ipa trust-add ipaad2016.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
-----------------------------------------------
Re-established trust to domain "ipaad2016.test"
-----------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified


[root@vm-idm-016 ~]# ipa dnszone-add example.test --name-server=vm-idm-016.testuser2301.test. --admin-email=hostmaster
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute.
NS record(s) can be edited in zone apex - '@'. 
  Zone name: example.test.
  Active zone: TRUE
  Authoritative nameserver: vm-idm-016.testuser2301.test.
  Administrator e-mail address: hostmaster.example.test
  SOA serial: 1548247167
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTUSER2301.TEST krb5-self * A; grant TESTUSER2301.TEST krb5-self * AAAA; grant
                      TESTUSER2301.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;


[root@vm-idm-016 ~]# echo <XXXXXXX> | ipa trust-add ipaad2016.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
ipa: ERROR: Forest 'ipaad2016.test' has existing trust to forest(s) ['testrelmf261.test'] which prevents a trust to 'testuser2301.test'



-Now seeing the proper error message instead of "ipa: ERROR: an internal error has occurred".
-From AD's (ipaad2016.test) point of view, "example.test" is already owned by "testrelmf261.test."



Based on the above observation, marking the bug VERIFIED

================
Additional info:
================
/var/log/httpd/error_log

[Wed Jan 23 18:09:37.941424 2019] [:warn] [pid 10559:tid 140267306800896] [client 10.65.206.150:45942] failed to set perms (3140) on file (/run/ipa/ccaches/admin)!, referer: https://vm-idm-016.testuser2301.test/ipa/xml
[Wed Jan 23 18:09:44.267755 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: ERROR: When setting forest trust information, got collision info back:
[Wed Jan 23 18:09:44.267936 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]     lsa_ForestTrustCollisionInfo: struct lsa_ForestTrustCollisionInfo
[Wed Jan 23 18:09:44.267991 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]         count                    : 0x00000001 (1)
[Wed Jan 23 18:09:44.268016 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]         entries                  : *
[Wed Jan 23 18:09:44.268041 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]             entries: ARRAY(1)
[Wed Jan 23 18:09:44.268064 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                 entries                  : *
[Wed Jan 23 18:09:44.268086 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                     entries: struct lsa_ForestTrustCollisionRecord
[Wed Jan 23 18:09:44.268109 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         index                    : 0x00000001 (1)
[Wed Jan 23 18:09:44.268130 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         type                     : LSA_FOREST_TRUST_COLLISION_TDO (0)
[Wed Jan 23 18:09:44.268145 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         flags                    : 0x00000004 (4)
[Wed Jan 23 18:09:44.268159 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                0: LSA_TLN_DISABLED_NEW
[Wed Jan 23 18:09:44.268173 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                0: LSA_TLN_DISABLED_ADMIN
[Wed Jan 23 18:09:44.268187 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                1: LSA_TLN_DISABLED_CONFLICT
[Wed Jan 23 18:09:44.268201 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                0: LSA_SID_DISABLED_ADMIN
[Wed Jan 23 18:09:44.268214 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                0: LSA_SID_DISABLED_CONFLICT
[Wed Jan 23 18:09:44.268228 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                1: LSA_NB_DISABLED_ADMIN
[Wed Jan 23 18:09:44.268242 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                0: LSA_NB_DISABLED_CONFLICT
[Wed Jan 23 18:09:44.268256 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                         name: struct lsa_String
[Wed Jan 23 18:09:44.268270 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                             length                   : 0x0022 (34)
[Wed Jan 23 18:09:44.268283 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                             size                     : 0x0024 (36)
[Wed Jan 23 18:09:44.268297 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                             string                   : *
[Wed Jan 23 18:09:44.268311 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]                                 string                   : 'testrelmf261.test'
[Wed Jan 23 18:09:44.268365 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942]
[Wed Jan 23 18:09:44.268620 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: ERROR: Attempt to solve forest trust topology conflicts
[Wed Jan 23 18:09:44.744863 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: ERROR: Unable to resolve conflict for DNS domain testuser2301.test in the forest ipaad2016.test for in-forest domain testrelmf261.test. Trust cannot be established unless this conflict is fixed manually.
[Wed Jan 23 18:09:44.745958 2019] [wsgi:error] [pid 8321:tid 140267492972288] [remote 10.65.206.150:45942] ipa: INFO: [jsonserver_session] admin: trust_add/1('ipaad2016.test', realm_admin='Administrator', realm_passwd='********', range_type='ipa-ad-trust', bidirectional=True, version='2.230'): TrustTopologyConflictError
[Wed Jan 23 19:05:36.981095 2019] [:warn] [pid 10559:tid 140267399120640] [client 10.65.206.150:45986] failed to set perms (3140) on file (/run/ipa/ccaches/admin)!, referer: https://vm-idm-016.testuser2301.test/ipa/xml
INFO: Current debug levels:
  all: 50
  tdb: 50
  printdrivers: 50


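Decoding the lsa_ForestTrustCollisionInfo record from the error_log above, as an added example that is not FreeIPA's or Samba's code. It assumes the MS-LSAD bit values for the record flags (TLN: NEW 0x1, ADMIN 0x2, CONFLICT 0x4; domain info: SID_ADMIN 0x1, SID_CONFLICT 0x2, NB_ADMIN 0x4, NB_CONFLICT 0x8), the collision record types CollisionTdo 0, CollisionXref 1, CollisionOther 2, and a constructed copy of the single record in the log. The function names and the message format, copied from the ipa error shown in the verification output, are mine.

```python
# Added example (not FreeIPA's code): decoding forest trust collision records.
# Flag bit values follow MS-LSAD LSA_FOREST_TRUST_RECORD Flags (an assumption
# about the spec, not taken from this page).
from collections import namedtuple

LSA_FOREST_TRUST_COLLISION_TDO = 0
LSA_FOREST_TRUST_COLLISION_XREF = 1
LSA_FOREST_TRUST_COLLISION_OTHER = 2

# The same bit means different things for different record kinds: 0x4 is
# TLN_DISABLED_CONFLICT for a top level name but NB_DISABLED_ADMIN for a
# domain-info record. Samba's NDR printer shows every name against the one
# value, which is why both appear as 1 for flags 0x4 in the log above.
TLN_FLAGS = {0x1: "LSA_TLN_DISABLED_NEW",
             0x2: "LSA_TLN_DISABLED_ADMIN",
             0x4: "LSA_TLN_DISABLED_CONFLICT"}
DOMAIN_FLAGS = {0x1: "LSA_SID_DISABLED_ADMIN",
                0x2: "LSA_SID_DISABLED_CONFLICT",
                0x4: "LSA_NB_DISABLED_ADMIN",
                0x8: "LSA_NB_DISABLED_CONFLICT"}

CollisionRecord = namedtuple("CollisionRecord", "index type flags name")

# Constructed to match the one record in the error_log above.
COLLISIONS = [CollisionRecord(1, LSA_FOREST_TRUST_COLLISION_TDO, 0x4,
                              "testrelmf261.test")]


def decode_flags(flags, kind):
    """Flag names for a record of the given kind ('tln' or 'domain');
    bits the table does not cover are reported rather than dropped."""
    table = TLN_FLAGS if kind == "tln" else DOMAIN_FLAGS
    names = [n for bit, n in table.items() if flags & bit]
    unknown = flags & ~sum(table)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def conflicting_forests(collisions):
    """Other trusts (TDOs) of the remote forest whose top level name
    collides with one we asked for."""
    return sorted({c.name.lower() for c in collisions
                   if c.type == LSA_FOREST_TRUST_COLLISION_TDO
                   and c.flags & 0x4})


def topology_conflict_message(remote_forest, local_forest, collisions):
    """The operator-facing message, or None when nothing collided."""
    forests = conflicting_forests(collisions)
    if not forests:
        return None
    return ("Forest '%s' has existing trust to forest(s) %r which prevents "
            "a trust to '%s'" % (remote_forest, forests, local_forest))


if __name__ == "__main__":
    for rec in COLLISIONS:
        print(rec.name, decode_flags(rec.flags, "tln"))
    print(topology_conflict_message("ipaad2016.test", "testuser2301.test",
                                    COLLISIONS))
```

Read against the TLN flag set, the 0x4 in the log is a TLN conflict with the testrelmf261.test trust, which is the condition the verified build now reports instead of an internal error.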