RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1817919 - Enable compat tree to provide information about AD users and groups on trust agents
Summary: Enable compat tree to provide information about AD users and groups on trust ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1585020
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-27 08:48 UTC by Florence Blanc-Renaud
Modified: 2020-09-29 20:00 UTC (History)
14 users (show)

Fixed In Version: ipa-4.6.8-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1585020
Environment:
Last Closed: 2020-09-29 19:59:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
failed_test_test_add_agent_on_stopped_replica.txt (13.51 KB, text/plain)
2020-06-02 11:15 UTC, Sergey Orlov 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3936 0 None None None 2020-09-29 20:00:16 UTC

Description Florence Blanc-Renaud 2020-03-27 08:48:00 UTC 
+++ This bug was initially created as a clone of Bug #1585020 +++

RHEL IdM has an option to enable serving information about AD users and groups in the compatibility tree (RFC2307) when converting IdM master to AD trust controller. At the same time, AD trust controller can designate other IdM masters to be able to resolve information about AD users and groups by promoting them to AD trust agents.

However, there is no way to configure the compatibility tree on AD trust agents to serve information about AD users and groups. As result, if legacy clients are configured to use the compatibility tree on AD trust agents as opposed to AD trust controllers, information about AD users' group membership will be missing.

We should provide means to enable this functionality in the compatibility tree on AD trust agents independently from converting AD trust agent to AD trust controller.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-06-01 07:24:59 UTC ---

Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Florence Blanc-Renaud on 2018-06-25 15:15:55 UTC ---

Upstream ticket:
https://pagure.io/freeipa/issue/7600

--- Additional comment from Florence Blanc-Renaud on 2019-03-25 17:12:29 UTC ---

RHEL-7.7 is already near the end of a Development Phase and development is being wrapped up. I am bulk-moving the Bugs which were already triaged (i.e. cloned to FreeIPA upstream tracker), but to which we did not commit to (without devel_ack) and we cannot keep them even as a stretch goal (this is what Devel CondNAK Capacity is for) for RHEL-7.7.

If you believe this particular bug should be reconsidered for 7.7, please let us know.

--- Additional comment from Alexander Bokovoy on 2020-02-11 17:23:45 UTC ---



--- Additional comment from Florence Blanc-Renaud on 2020-03-05 13:46:36 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/68c72e344a29e27416af428f6dbf5300c85e66e1
https://pagure.io/freeipa/c/911992b8bf33b40f650ec406444ca8b9b847b54e
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The last commit adds a test in  ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall

--- Additional comment from Florence Blanc-Renaud on 2020-03-10 17:16:53 UTC ---

Fixed upstream:
ipa-4-8:
https://pagure.io/freeipa/c/66154f8bf79584b8fa6792e3d2ca534900dfa481
https://pagure.io/freeipa/c/5edc674e7262ce4506c40b8c066207f9e5f55c33
https://pagure.io/freeipa/c/4afd6e5e07061dde6e30b5352668bdf23cd6dedd

ipa-4-7:
https://pagure.io/freeipa/c/2b5c409c3031696a358d57def4dc2e98142ef643
https://pagure.io/freeipa/c/3a880ff64d44156fa274ef13ea726fe78cd37f2e
https://pagure.io/freeipa/c/59b09f154b9d85d937da64d6fe271d09c5b61bc1

ipa-4-6:
https://pagure.io/freeipa/c/d051d2d47a36c79fd2c20733437fda95f443f053
https://pagure.io/freeipa/c/f9fcd2c7fb7823becb3a6b68da4b0bf2c1db229f
https://pagure.io/freeipa/c/796c86ac701d23d1dd281d0d5c5331b9a66c2888

--- Additional comment from Florence Blanc-Renaud on 2020-03-11 08:42:40 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/233a18b2a24d814518a119bd3f1688a0eb361917
https://pagure.io/freeipa/c/1fbc4e01ea5be004f7c57cb71df2d37659271d68

ipa-4-8:
https://pagure.io/freeipa/c/21c923c4cf21f30f20ec4b21c488db6f6fa92b67
https://pagure.io/freeipa/c/df0df14bf31dba5800747aa08824b24b8be41eab

ipa-4-7:
https://pagure.io/freeipa/c/1fccdd00d53bc71e87ab5a4b1c68ab6e3efcce8c

ipa-4-6:
https://pagure.io/freeipa/c/79f9ba5557d14e74ab29b85407c5de5622d7ea35

On master and ipa-4-8 the additional commit handles the selinux policy changes. It was not backported to ipa-4-6 and ipa-4-7 as freeipa-selinux subpackage was introduced in ipa-4-8 only.
Comment 6 Sergey Orlov 2020-06-02 11:15:19 UTC 
Created attachment 1694387 [details]
failed_test_test_add_agent_on_stopped_replica.txt
Comment 7 Florence Blanc-Renaud 2020-06-05 08:55:13 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/dad858a70c551a00fa1cf8f1c7ac3f6122b6df24

Note: the fix is specific to ipa-4-6 branch because rhel7 is still using python2, no fix required on other branches.
Comment 8 Florence Blanc-Renaud 2020-06-05 14:50:27 UTC 
Putting back to ON_QA
Comment 9 Sergey Orlov 2020-06-08 10:28:13 UTC 
Fix verified:
ipa-server-4.6.8-4.el7.x86_64

test_integration/test_adtrust_install.py::TestIpaAdTrustInstall::test_samba_config_file PASSED [ 16%]
test_integration/test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed PASSED [ 33%]
test_integration/test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_on_stopped_replica PASSED [ 50%]
test_integration/test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_on_running_replica_without_compat PASSED [ 66%]
test_integration/test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_on_running_replica_with_compat PASSED [ 83%]
test_integration/test_adtrust_install.py::TestIpaAdTrustInstall::test_schema_compat_attribute PASSED [100%]
Comment 11 errata-xmlrpc 2020-09-29 19:59:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936
Note You need to log in before you can comment on or make changes to this bug.