Bug 1753371 - Names of domains from a trusted forest should be compared case-insensitive
Summary: Names of domains from a trusted forest should be compared case-insensitive
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-18 18:10 UTC by Sumit Bose
Modified: 2023-08-14 05:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Links:
Red Hat Issue Tracker FREEIPA-6863 (last updated 2021-09-21 11:30:02 UTC)

Description Sumit Bose 2019-09-18 18:10:43 UTC
Description of problem:
If the AD forest root has a mixed-case name, then this is preserved for the trust object. It looks like netr_DsRGetForestTrustInformation returns this name in all lower case, which is ok since DNS names are case-insensitive.

Unfortunately there is a case-sensitive comparison in fetch_domains():

    for t in domains.entries:
        if t.type == lsa.LSA_FOREST_TRUST_DOMAIN_INFO:
            tname = unicode(t.forest_trust_data.dns_domain_name.string)
            if tname == trustdomain:            <<<<<<<<<<<<<<<<<<<<<<<<<<
                continue
            result['domains'][tname] = {
                'cn': tname,
                'ipantflatname': unicode(
                    t.forest_trust_data.netbios_domain_name.string),
                'ipanttrusteddomainsid': unicode(
                    t.forest_trust_data.domain_sid)
            }
        elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME:
            tname = unicode(t.forest_trust_data.string)
            if tname == trustdomain:
                

and as a result the forest root is added a second time as a forest member, which causes all kinds of unexpected behavior.

Comment 1 Christian Heimes 2019-09-18 21:37:02 UTC
Since it's DNS and the scope of DNS names is limited, a comparison of the lower() variants is sufficient. It would be better to use dns.name.Name objects instead of raw strings, as they know how to compare DNS names properly.
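The following is an added example (not FreeIPA code, and not Christian's or Sumit's) that reproduces the mismatch from the description and shows the case-insensitive comparison from comment 1 beside it. It mirrors only the LSA_FOREST_TRUST_DOMAIN_INFO branch of the fetch_domains() loop; the TrustRecord class, the constant values, the sample entries and the SIDs are constructed stand-ins for Samba's ForestTrustRecord objects, not the real bindings. Instead of dnspython's dns.name.Name (which also compares case-insensitively) it uses only the standard library, folding just ASCII letters as RFC 4343 prescribes, so that non-ASCII octets in a name are not touched.

```python
import string
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-ins for the lsa.LSA_FOREST_TRUST_* record types and the
# ForestTrustRecord objects that netr_DsRGetForestTrustInformation returns.
# Hypothetical simplifications, not Samba's real Python bindings.
LSA_FOREST_TRUST_TOP_LEVEL_NAME = 0
LSA_FOREST_TRUST_DOMAIN_INFO = 2


@dataclass(frozen=True)
class TrustRecord:
    type: int
    dns_domain_name: str
    netbios_domain_name: str = ""
    domain_sid: str = ""


# RFC 4343: DNS name comparison folds case for ASCII letters only. A plain
# str.lower() would also fold non-ASCII characters, which DNS treats as
# distinct octets, so fold exactly A-Z.
_ASCII_FOLD = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def dns_name_key(name: str) -> str:
    """Canonical comparison key for a DNS name: ASCII-folded, no root dot."""
    return name.rstrip(".").translate(_ASCII_FOLD)


def dns_names_equal(a: str, b: str) -> bool:
    return dns_name_key(a) == dns_name_key(b)


def collect_forest_domains(trustdomain: str, entries: List[TrustRecord],
                           case_insensitive: bool) -> Dict[str, dict]:
    """Mirror of the DOMAIN_INFO branch of the fetch_domains() loop: skip the
    forest root itself and record every other member domain.
    case_insensitive=False reproduces the comparison from the bug report,
    True applies the proposed fix."""
    domains: Dict[str, dict] = {}
    for t in entries:
        if t.type != LSA_FOREST_TRUST_DOMAIN_INFO:
            continue
        tname = t.dns_domain_name
        if case_insensitive:
            is_root = dns_names_equal(tname, trustdomain)
        else:
            is_root = tname == trustdomain
        if is_root:
            continue
        domains[tname] = {
            'cn': tname,
            'ipantflatname': t.netbios_domain_name,
            'ipanttrusteddomainsid': t.domain_sid,
        }
    return domains


# Constructed sample: the trust object keeps the mixed-case forest root name
# while the RPC result arrives lower-cased, the situation the report describes.
FOREST_ROOT = "aD.test"
SAMPLE_ENTRIES = [
    TrustRecord(LSA_FOREST_TRUST_TOP_LEVEL_NAME, "ad.test"),
    TrustRecord(LSA_FOREST_TRUST_DOMAIN_INFO, "ad.test", "AD", "S-1-5-21-1-2-3"),
    TrustRecord(LSA_FOREST_TRUST_DOMAIN_INFO, "child.ad.test", "CHILD", "S-1-5-21-4-5-6"),
]


if __name__ == "__main__":
    buggy = collect_forest_domains(FOREST_ROOT, SAMPLE_ENTRIES, case_insensitive=False)
    fixed = collect_forest_domains(FOREST_ROOT, SAMPLE_ENTRIES, case_insensitive=True)
    print("case-sensitive:  ", sorted(buggy))   # forest root shows up again as a member
    print("case-insensitive:", sorted(fixed))   # only the real child domain
```

With the case-sensitive comparison the root "ad.test" lands in the result next to "child.ad.test"; with dns_names_equal() it is recognised as the forest root and skipped. The same normalised key is also what to use when the result dictionary is keyed, so two spellings of one domain cannot produce two entries.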

Comment 5 Florence Blanc-Renaud 2022-05-31 19:20:47 UTC
This issue does not seem to happen any more. I configured an AD DC with name aD.test, then added the trust using
# ipa trust-add --type=ad  ad.test --admin Administrator --password --two-way true

and checked the trustdomains with
# ipa trustdomain-find ad.test
  Domain name: aD.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2256093702-2536795054-3866081203
  Domain enabled: True

Only one occurrence is returned, preserving the original mixed case.

The debug logs show that netr_DsRGetForestTrustInformation returns the name keeping the original case.

@sbose are there some config steps I am missing in order to reproduce the issue? I am using our idm-ci playbook prep/win-domain-setup.yaml which calls Install-ADDSForest -DomainName aD.test ... on a host named root-dc.aD.test.

Comment 6 Sumit Bose 2022-06-01 06:53:30 UTC
(In reply to Florence Blanc-Renaud from comment #5)
> This issue does not seem to happen any more. I configured an AD DC with name
> aD.test, then added the trust using
> # ipa trust-add --type=ad  ad.test --admin Administrator --password
> --two-way true
> 
> and checked the trustdomains with
> # ipa trustdomain-find ad.test
>   Domain name: aD.test
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-2256093702-2536795054-3866081203
>   Domain enabled: True
> 
> Only one occurrence is returned, preserving the original mixed case.
> 
> The debug logs show that netr_DsRGetForestTrustInformation returns the name
> keeping the original case.
> 
> @sbose are there some config steps I am missing in order to
> reproduce the issue? I am using our idm-ci playbook
> prep/win-domain-setup.yaml which calls Install-ADDSForest -DomainName
> aD.test ... on a host named root-dc.aD.test.

Hi,

no, the steps are looking good. I guess netr_DsRGetForestTrustInformation() has changed behavior and now returns the original name instead of the lower-cased version. But the behavior might change again in the future. So I think it would help to make the code more robust by having a case-insensitive comparison.

bye,
Sumit
