With the update to samba 4.23.0-0.5.rc3, the 'ipa trust-add' functionality is broken. Please see details in https://pagure.io/freeipa/issue/9847

Scenario: install and configure an IPA server, configure as trust controller using ipa-adtrust-install, try to add a trust to an AD controller with 'ipa trust-add'. The call to 'ipa trust-add' fails with:

ipa: ERROR: CIFS server communication error: code "3221225485", message "An invalid parameter was passed to a service or function." (both may be "None")

Reproducible: Always

Steps to Reproduce:
1. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders --no-dnssec-validation -a Secret123 -p Secret123 -U
2. ipa-adtrust-install
3. ipa dnsforwardzone-add ad.test --forwarder $IP_ADDR --forward-policy only
4. ipa trust-add ad.test --type ad --admin Administrator --password

Actual Results:
ipa: ERROR: CIFS server communication error: code "3221225485", message "An invalid parameter was passed to a service or function." (both may be "None")

Expected Results:
The trust should be added:
------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-3247149954-2456180507-1505921947
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
Please see also https://bugzilla.samba.org/show_bug.cgi?id=15902
Proposed as a Blocker for 43-beta by Fedora user abbra using the blocker tracking app because: Samba 4.23.0 is not yet released, Fedora 43 has release candidate builds. These builds broke FreeIPA trust to Active Directory due to an internal refactor in Samba 4.23. This also includes Samba AD, making FreeIPA in Fedora unable to establish trust to Samba AD in Fedora. Since this is a regression of a pretty important functionality for FreeIPA, we consider this a blocker bug. We have identified the fix (under review upstream) that is already tested to restore the FreeIPA feature.
FEDORA-2025-cb15b4a48c (samba-4.23.0-0.5.rc3.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c
FEDORA-2025-7accbc6c23 (samba-4.23.0-0.7.rc3.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7accbc6c23
FEDORA-2025-7accbc6c23 (samba-4.23.0-0.7.rc3.fc44) has been pushed to the Fedora 44 stable repository. If the problem still persists, please make note of it in this bug report.
Re-opening because this is for F43 and proposed as a blocker; we can't let it be closed just because the update went out for Rawhide.
FEDORA-2025-cb15b4a48c has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cb15b4a48c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cb15b4a48c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Discussed at https://pagure.io/fedora-qa/blocker-review/issue/1903 Rejected as a Beta blocker, because this doesn't seem to hit any of the existing release criteria. Rejected as a Beta freeze exception, because this doesn't seem to need to be pushed stable before Beta is released, having it in updates-testing should be good enough.
Resetting the Beta Freeze Exception vote based on discussion in the blocker ticket.
Discussed at the 2025-09-08 (blocker / freeze exception) review meeting: This is the first part of a fix that should prevent server folks with specific FreeIPA configuration from encountering a broken upgrade process. https://meetbot-raw.fedoraproject.org//blocker-review_matrix_fedoraproject-org/2025-09-08/f43-blocker-review.2025-09-08-16.00.txt
FEDORA-2025-cb15b4a48c (freeipa-4.12.2-18.fc43 and samba-4.23.0-0.8.rc4.fc43) has been pushed to the Fedora 43 stable repository. If the problem still persists, please make note of it in this bug report.