1757064 – IPA upgrade fails for latest ipa package when adtrust is installed

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1757064 - IPA upgrade fails for latest ipa package when adtrust is installed

Summary: IPA upgrade fails for latest ipa package when adtrust is installed

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1773516 1773550
TreeView+	depends on / blocked

Reported:	2019-09-30 13:48 UTC by Nikhil Dehadrai
Modified:	2023-03-24 15:36 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1773516 1773550 (view as bug list)
Environment:
Last Closed:	2020-04-28 15:43:29 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-9603	None	None	None	2023-03-24 15:36:16 UTC
Red Hat Issue Tracker	RHELPLAN-29764	None	None	None	2023-03-24 15:36:15 UTC
Red Hat Product Errata	RHEA-2020:1640	None	None	None	2020-04-28 15:43:59 UTC

Description Nikhil Dehadrai 2019-09-30 13:48:42 UTC

Description of problem:
IPA upgrade fails for latest ipa package when adtrust is installed

Version-Release number of selected component (if applicable):
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server at version RHEL8.0
2. Setup trust on this machine
(in my case)
# ipa-adtrust-install --netbios-name=ND30SEP -a Secret123 -U
# ipa dnsforwardzone-add ipaad2k16cin.test --forwarder=10.0.144.176 --forward-policy=only
# echo Secret123 | ipa trust-add ipaad2k16cin.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
3. Setup repo for RHEL8.1
4. Run ipa-upgrade on this machine 'yum -y update'
5. Run ipactl restart
6. Check Kinit command

Actual results:
1. After step 4, ipa-upgrade process FAILS
2. After step5,  ipactl restart is successful
3. Kinit command is successful

[root@vm-idm-014 ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
[root@vm-idm-014 ~]# tail -1 /var/log/ipaupgrade.log 
2019-09-30T12:51:55Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@vm-idm-014 ~]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@vm-idm-014 ~]# ipactl restart
IPA version error: data needs to be upgraded (expected version '4.8.0-11.module+el8.1.0+4247+9f3fd721', current version '4.7.1-11.module+el8+2842+7481110c')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@vm-idm-014 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@vm-idm-014 ~]# kinit admin
Password for admin: 
[root@vm-idm-014 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin
  UID: 645600000
  GID: 645600000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@vm-idm-014 ~]#

Expected results:
ipaupgrade should be successful

Additional info:
When adtrust is not installed on the Master, then ipaupgrade is successful

Upgrade without adtrust installed
[root@ipaqavmd ~]# tail -1 /var/log/ipaupgrade.log 
2019-09-30T12:30:51Z INFO The ipa-server-upgrade command was successful
[root@ipaqavmd ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
[root@ipaqavmd ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipaqavmd ~]#

Comment 2 Nikhil Dehadrai 2019-09-30 13:54:07 UTC

Workaround / observation: Run ipactl restart after the ipupgrade process completes

Comment 4 Rob Crittenden 2019-09-30 14:08:51 UTC

Can you clarify step 4? It seems to me that should be two steps at least and the order is unclear. Are you running ipa-server-upgrade and then yum (!?) update or the reverse (or is the ipa-server-upgrade expected to be implicit)?

If the version was increased then ipactl will re-run the upgrade.

Comment 5 Nikhil Dehadrai 2019-10-01 03:39:44 UTC

Hi Rob, 
I am running only 'yum -y update' and then the command 'ipa-server-upgrade' post 'yum update'.

# yum -y update
# Upgrade FAILS
# Restart ipactl restart
# ipa-server-upgrade is successful

[root@vm-idm-014 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Migrating to authselect profile]
Already migrated to authselect profile
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful

Comment 6 Rob Crittenden 2019-10-03 20:36:43 UTC

2019-09-30T12:51:52Z DEBUG Default Trust View already present on this server
2019-09-30T12:51:52Z DEBUG Executing upgrade plugin: update_tdo_gidnumber
2019-09-30T12:51:52Z DEBUG raw: update_tdo_gidnumber
2019-09-30T12:51:52Z DEBUG raw: adtrust_is_enabled(version='2.233')
2019-09-30T12:51:52Z DEBUG adtrust_is_enabled(version='2.233')
2019-09-30T12:51:52Z DEBUG Executing upgrade plugin: update_tdo_to_new_layout
2019-09-30T12:51:52Z DEBUG raw: update_tdo_to_new_layout
2019-09-30T12:51:52Z DEBUG raw: adtrust_is_enabled(version='2.233')
2019-09-30T12:51:52Z DEBUG adtrust_is_enabled(version='2.233')
2019-09-30T12:51:52Z DEBUG raw: trustconfig_show(version='2.233')
2019-09-30T12:51:52Z DEBUG trustconfig_show(rights=False, trust_type='ad', all=False, raw=False, version='2.233')
2019-09-30T12:51:52Z DEBUG Processing trust domain object cn=ipaad2k16cin.test,cn=ad,cn=trusts,dc=nd30sep,dc=ndpne
2019-09-30T12:51:52Z DEBUG Destroyed connection context.ldap2_139745159013544
2019-09-30T12:51:52Z ERROR Upgrade failed with name 'drsblobs' is not defined
2019-09-30T12:51:52Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py", line 276, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ldapupdate.py", line 965, in update
    self._run_updates(all_updates)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ldapupdate.py", line 926, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ldapupdate.py", line 901, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 1480, in __call__
    return self.execute(**options)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/plugins/adtrust.py", line 667, in execute
    ndr_unpack(drsblobs.trustAuthInOutBlob,
NameError: name 'drsblobs' is not defined

Comment 7 Rob Crittenden 2019-10-03 20:40:46 UTC

Cloned to https://pagure.io/freeipa/issue/8085

Comment 9 Alexander Bokovoy 2019-11-17 18:10:14 UTC

Upstream PR: https://github.com/freeipa/freeipa/pull/3910

Comment 12 Florence Blanc-Renaud 2019-11-21 09:50:30 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/ba466a802129cbe61964653fdfddacd5d43f6771

ipa-4-8:
https://pagure.io/freeipa/c/18540386230e295087296e58761ced2b781ae4e3

ipa-4-7:
https://pagure.io/freeipa/c/2f8f257d9a9c076bf1a2d28aee06fbac0532aa72

ipa-4-6:
https://pagure.io/freeipa/c/fa23f5a13a326b4cedf6705be7d14da8bc813763

Comment 14 Nikhil Dehadrai 2020-01-09 10:57:24 UTC

ipa-server version: ipa-server-4.8.4-2.module+el8.2.0+5265+c70de5c4.x86_64


Verified the bug on the basis of following observations:
1) Setup IPA server at RHEL8.1.0z with trust installed.

[ci-vm-10-0-155-4.hos] :: [ 04:35:38 ] :: [  BEGIN   ] :: Running ' /usr/sbin/ipa-server-install --setup-dns  --auto-forwarders --reverse-zone=155.0.10.in-addr.arpa. --allow-zone-overlap --hostname=ci-vm-10-0-155-4.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 --ip-address=10.0.155.4 -U'


[ci-vm-10-0-155-4.hos] :: [ 04:40:46 ] :: [   PASS   ] :: Command ' /usr/sbin/ipa-server-install --setup-dns  --auto-forwarders --reverse-zone=155.0.10.in-addr.arpa. --allow-zone-overlap --hostname=ci-vm-10-0-155-4.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 --ip-address=10.0.155.4 -U' (Expected 0, got 0)


[ci-vm-10-0-155-4.hos] :: [ 05:21:00 ] :: [  BEGIN   ] :: Running 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd-ipa'
[ci-vm-10-0-155-4.hos] ipa-server-4.8.0-13.module+el8.1.0+4923+c6efe041.x86_64
[ci-vm-10-0-155-4.hos] 389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f.x86_64
[ci-vm-10-0-155-4.hos] bind-9.11.4-26.P2.el8.x86_64
[ci-vm-10-0-155-4.hos] bind-dyndb-ldap-11.1-14.module+el8.1.0+4098+f286395e.x86_64
[ci-vm-10-0-155-4.hos] pki-ca-10.7.3-1.module+el8.1.0+3964+500fc130.noarch
[ci-vm-10-0-155-4.hos] sssd-ipa-2.2.0-19.el8.x86_64
[ci-vm-10-0-155-4.hos] :: [ 05:21:00 ] :: [   PASS   ] :: Command 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd-ipa' (Expected 0, got 0)

[ci-vm-10-0-155-4.hos] :: [ 05:00:52 ] :: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add ipaad2k16cin.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True'
[ci-vm-10-0-154-5.hos] *** Current Time: Thu Jan 09 05:00:53 2020  Localwatchdog at: Fri Jan 10 04:03:52 2020
[ci-vm-10-0-155-4.hos] *** Current Time: Thu Jan 09 05:00:54 2020  Localwatchdog at: Fri Jan 10 04:03:54 2020
[ci-vm-10-0-155-4.hos] ----------------------------------------------------------
[ci-vm-10-0-155-4.hos] Added Active Directory trust for realm "ipaad2k16cin.test"
[ci-vm-10-0-155-4.hos] ----------------------------------------------------------
[ci-vm-10-0-155-4.hos]   Realm name: ipaad2k16cin.test
[ci-vm-10-0-155-4.hos]   Domain NetBIOS name: IPAAD2K16CIN
[ci-vm-10-0-155-4.hos]   Domain Security Identifier: S-1-5-21-2842256260-195550463-1751006347
[ci-vm-10-0-155-4.hos]   Trust direction: Two-way trust
[ci-vm-10-0-155-4.hos]   Trust type: Active Directory domain
[ci-vm-10-0-155-4.hos]   Trust status: Established and verified
[ci-vm-10-0-155-4.hos] :: [ 05:00:54 ] :: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add ipaad2k16cin.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:00:54 ] :: [  BEGIN   ] :: Running 'systemctl stop sssd'
[ci-vm-10-0-155-4.hos] :: [ 05:00:54 ] :: [   PASS   ] :: Command 'systemctl stop sssd' (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:00:54 ] :: [  BEGIN   ] :: Running 'rm -frv /var/lib/sss/{db,mc}/*'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/cache_implicit_files.ldb'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/cache_testrelm.test.ldb'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/ccache_TESTRELM.TEST'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/config.ldb'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/sssd.ldb'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/timestamps_implicit_files.ldb'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/db/timestamps_testrelm.test.ldb'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/mc/group'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/mc/initgroups'
[ci-vm-10-0-155-4.hos] removed '/var/lib/sss/mc/passwd'
[ci-vm-10-0-155-4.hos] :: [ 05:00:54 ] :: [   PASS   ] :: Command 'rm -frv /var/lib/sss/{db,mc}/*' (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:00:54 ] :: [  BEGIN   ] :: Running 'systemctl start sssd'
[ci-vm-10-0-155-4.hos] :: [ 05:00:55 ] :: [   PASS   ] :: Command 'systemctl start sssd' (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:00:55 ] :: [  BEGIN   ] :: Running 'ipa trust-find ipaad2k16cin.test'
[ci-vm-10-0-155-12.ho] *** Current Time: Thu Jan 09 05:00:54 2020  Localwatchdog at: Fri Jan 10 04:03:54 2020
[ci-vm-10-0-155-4.hos] ---------------
[ci-vm-10-0-155-4.hos] 1 trust matched
[ci-vm-10-0-155-4.hos] ---------------
[ci-vm-10-0-155-4.hos]   Realm name: ipaad2k16cin.test
[ci-vm-10-0-155-4.hos]   Domain NetBIOS name: IPAAD2K16CIN
[ci-vm-10-0-155-4.hos]   Domain Security Identifier: S-1-5-21-2842256260-195550463-1751006347
[ci-vm-10-0-155-4.hos]   Trust type: Active Directory domain
[ci-vm-10-0-155-4.hos]   UPN suffixes: tomupn14.in, upn2016.in, testupnsuffix.test, testupnsuffix
[ci-vm-10-0-155-4.hos] ----------------------------
[ci-vm-10-0-155-4.hos] Number of entries returned 1
[ci-vm-10-0-155-4.hos] ----------------------------
[ci-vm-10-0-155-4.hos] :: [ 05:00:56 ] :: [   PASS   ] :: Command 'ipa trust-find ipaad2k16cin.test' (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:06:56 ] :: [  BEGIN   ] :: Running 'id administrator'
[ci-vm-10-0-155-4.hos] uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
[ci-vm-10-0-155-4.hos] :: [ 05:06:56 ] :: [   PASS   ] :: Command 'id administrator' (Expected 0, got 0)




2) Upgrade the IPA server to RHEL 8.2.0

[ci-vm-10-0-155-4.hos] :: [ 05:21:16 ] :: [  BEGIN   ] :: Initiating upgrade Process :: actually running 'yum -y update'
.
.
.
[ci-vm-10-0-155-4.hos] :: [ 05:30:49 ] :: [   PASS   ] :: Initiating upgrade Process (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:30:49 ] :: [  BEGIN   ] :: Running 'tail -1 /var/log/ipaupgrade.log | grep 'The ipa-server-upgrade command was successful''
[ci-vm-10-0-155-4.hos] 2020-01-09T10:28:27Z INFO The ipa-server-upgrade command was successful
[ci-vm-10-0-155-4.hos] :: [ 05:30:49 ] :: [   PASS   ] :: Command 'tail -1 /var/log/ipaupgrade.log | grep 'The ipa-server-upgrade command was successful'' (Expected 0, got 0)

[ci-vm-10-0-155-4.hos] :: [ 05:33:31 ] :: [  BEGIN   ] :: Running 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd-ipa'
[ci-vm-10-0-155-4.hos] ipa-server-4.8.4-2.module+el8.2.0+5265+c70de5c4.x86_64
[ci-vm-10-0-155-4.hos] 389-ds-base-1.4.2.4-4.module+el8.2.0+4930+d4051b3a.x86_64
[ci-vm-10-0-155-4.hos] bind-9.11.13-1.el8.x86_64
[ci-vm-10-0-155-4.hos] bind-dyndb-ldap-11.2-3.module+el8.2.0+4921+923e30d5.x86_64
[ci-vm-10-0-155-4.hos] pki-ca-10.8.0-0.4.module+el8.2.0+5228+a2bc7b32.noarch
[ci-vm-10-0-155-4.hos] sssd-ipa-2.2.3-6.el8.x86_64
[ci-vm-10-0-155-4.hos] :: [ 05:33:31 ] :: [   PASS   ] :: Command 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd-ipa' (Expected 0, got 0)

3) Validate trust after upgrade using id command
[ci-vm-10-0-155-4.hos] :: [ 05:41:35 ] :: [  BEGIN   ] :: Running 'ipa trust-find ipaad2k16cin.test'
[ci-vm-10-0-155-4.hos] ---------------
[ci-vm-10-0-155-4.hos] 1 trust matched
[ci-vm-10-0-155-4.hos] ---------------
[ci-vm-10-0-155-4.hos]   Realm name: ipaad2k16cin.test
[ci-vm-10-0-155-4.hos]   Domain NetBIOS name: IPAAD2K16CIN
[ci-vm-10-0-155-4.hos]   Domain Security Identifier: S-1-5-21-2842256260-195550463-1751006347
[ci-vm-10-0-155-4.hos]   Trust type: Active Directory domain
[ci-vm-10-0-155-4.hos]   UPN suffixes: tomupn14.in, upn2016.in, testupnsuffix.test, testupnsuffix
[ci-vm-10-0-155-4.hos] ----------------------------
[ci-vm-10-0-155-4.hos] Number of entries returned 1
[ci-vm-10-0-155-4.hos] ----------------------------
[ci-vm-10-0-155-4.hos] :: [ 05:41:36 ] :: [   PASS   ] :: Command 'ipa trust-find ipaad2k16cin.test' (Expected 0, got 0)
[ci-vm-10-0-155-4.hos] :: [ 05:41:36 ] :: [  BEGIN   ] :: Running 'id administrator'
[ci-vm-10-0-155-4.hos] uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
[ci-vm-10-0-155-4.hos] :: [ 05:41:36 ] :: [   PASS   ] :: Command 'id administrator' (Expected 0, got 0)


Thus on the basis of above observations marking the status of bug to "VERIFIED"

Comment 16 errata-xmlrpc 2020-04-28 15:43:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640

Note You need to log in before you can comment on or make changes to this bug.