Bug 1753371
| Summary: | Names of domains from a trusted forest should be compared case-insentive | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sumit Bose <sbose> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED MIGRATED | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.4 | CC: | frenaud, pasik, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-18 17:57:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since it's DNS and the scope of DNS names is limited, a comparison of lower() variant is sufficient. It would be better to use dns.name.Name objects instead of raw strings as they know how to compare DNS names properly. This issue does not seem to happen any more. I configured an AD DC with name aD.test, then added the trust using # ipa trust-add --type=ad ad.test --admin Administrator --password --two-way true and checked the trustdomains with # ipa trustdomain-find ad.test Domain name: aD.test Domain NetBIOS name: AD Domain Security Identifier: S-1-5-21-2256093702-2536795054-3866081203 Domain enabled: True Only one occurrence is returned, preserving the original mixed case. The debug logs show that netr_DsRGetForestTrustInformation returns the name keeping the original case. @sbose are there some config steps I am missing in order to reproduce the issue? I am using our idm-ci playbook prep/win-domain-setup.yaml which calls Install-ADDSForest -DomainName aD.test ... on a host named root-dc.aD.test. (In reply to Florence Blanc-Renaud from comment #5) > This issue does not seem to happen any more. I configured an AD DC with name > aD.test, then added the trust using > # ipa trust-add --type=ad ad.test --admin Administrator --password > --two-way true > > and checked the trustdomains with > # ipa trustdomain-find ad.test > Domain name: aD.test > Domain NetBIOS name: AD > Domain Security Identifier: S-1-5-21-2256093702-2536795054-3866081203 > Domain enabled: True > > Only one occurrence is returned, preserving the original mixed case. > > The debug logs show that netr_DsRGetForestTrustInformation returns the name > keeping the original case. > > @sbose are there some config steps I am missing in order to > reproduce the issue? I am using our idm-ci playbook > prep/win-domain-setup.yaml which calls Install-ADDSForest -DomainName > aD.test ... on a host named root-dc.aD.test. Hi, no, the steps are looking good. I guess netr_DsRGetForestTrustInformation() has changed behavior and now returns the original name instead the lower-cased version. But the behavior might change again in future. So I think it would help to make the code more robust to have a case-insensitive comparison. bye, Sumit Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. |
Description of problem: If the AD forest root has a mix case name the this is preserved for the trust object. It looks like netr_DsRGetForestTrustInformation returns this name in all lower case, which is ok since DNS names are case-insensitive. Unfortunately there is a case-sensitive comparison in fetch_domains(): for t in domains.entries: if t.type == lsa.LSA_FOREST_TRUST_DOMAIN_INFO: tname = unicode(t.forest_trust_data.dns_domain_name.string) if tname == trustdomain: <<<<<<<<<<<<<<<<<<<<<<<<<< continue result['domains'][tname] = { 'cn': tname, 'ipantflatname': unicode( t.forest_trust_data.netbios_domain_name.string), 'ipanttrusteddomainsid': unicode( t.forest_trust_data.domain_sid) } elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: tname = unicode(t.forest_trust_data.string) if tname == trustdomain: and as a result the forest root is added a second time as forest member which casuse all kind of unexpected behavior.