Bug 877434 - not exact error message show up when adding an AD member to an external type group while the time difference between ad and ipa is too great
Summary: not exact error message show up when adding an AD member to an external type ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 886216
 
Reported: 2012-11-16 14:35 UTC by Xiyang Dong
Modified: 2013-02-21 09:30 UTC
CC: 6 users

Fixed In Version: ipa-3.0.0-10.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 09:30:04 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2013:0528
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: ipa security, bug fix and enhancement update
Last Updated: 2013-02-21 08:22:21 UTC

Description Xiyang Dong 2012-11-16 14:35:21 UTC
Description of problem:
When the time difference between the AD and IPA server is greater than 5 minutes, it is unable to get initial credentials.
However, both in the CLI and the WebUI, when adding an existing AD member to an external type IPA group in this situation, the error message does not tell you the exact reason. Instead, it shows the same error message as adding a non-existent AD member.

I have a trust set up between rhel and the AD server ipaqe.com, with aduser1 created, and the time difference between them is too great.

In CLI:
[root@rhel ~]# ipa group-add --desc='add a external group'  test --external
------------------
Added group "test"
------------------
  Group name: test
  Description: add a external group
[root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1"
[member user]: 
[member group]: 
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

In WebUI:
Steps:
User Groups-Click Add-Add a group with External group type-Click Add and Edit-External tab-Click Add-type aduser1-Click Add
Error message:
invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

Both show the same error message as adding a non-existent external member.


In /var/log/httpd/error_log the error message can be found:
[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64

How reproducible:
always

Steps to Reproduce:
see description above
  
Actual results:
When adding an existing AD member to an external type IPA group with a time difference of more than 5 minutes between IPA and AD, both in the CLI and the WebUI the error message does not tell you the exact reason. Instead, it shows the same error message as adding a non-existent AD member.


Expected results:
Report that the add failed because the clock skew is too great to get the initial credentials, instead of reporting that the member was added with an invalid SID.


Additional info:

Comment 3 Rob Crittenden 2012-11-20 13:09:16 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3265

Comment 4 Rob Crittenden 2012-11-27 21:21:18 UTC
The kinit errors are propagated back to the user.

Fixed upstream.

master: ec20a74a599821806f62905b676ef4fd75f6c07d

ipa-3-0: 1c19d1fb2688039276bed85ca567fe38d2cb30f1

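The following is an added example, not FreeIPA code and not part of this bug's comments. It models the behaviour described above: before the fix, a failed trust-account kinit (here, caused by a clock skew beyond Kerberos' default 300-second tolerance) was collapsed into the same "not recognized as valid SIDs" error a nonexistent user produces; after the fix, kinit's own stderr is propagated in the "Insufficient access: KDC for ... denied trust account" form seen in the verification below. The fake directory, SIDs, timestamps and the `fake_kinit` stand-in are constructed; `run_kinit_keytab` shows the real stderr-capturing subprocess call but is not exercised offline.

```python
"""Added example (not FreeIPA code): the pre-fix error masking and the
propagated kinit error the fix produces.  Directory, SIDs and times are
constructed; 'adlab.qe' and the user names follow the bug's comments."""
import subprocess
from datetime import datetime, timedelta, timezone

# Kerberos' default tolerance for clock differences (krb5 "clockskew"), seconds.
MAX_CLOCK_SKEW = 300

# Message the report shows for a nonexistent AD member (and, before the fix,
# for every other failure as well).
GENERIC_SID_ERROR = "values are not recognized as valid SIDs from trusted domain"
KINIT_SKEW_STDERR = "kinit: Clock skew too great while getting initial credentials"


class ExternalMemberError(Exception):
    """Stands in for the 'ipa: ERROR:' line the CLI prints."""


def clock_skew_seconds(ipa_time: datetime, ad_time: datetime) -> float:
    """Absolute difference between the IPA and AD clocks, in seconds."""
    return abs((ad_time - ipa_time).total_seconds())


def skew_exceeds_limit(ipa_time: datetime, ad_time: datetime,
                       limit: int = MAX_CLOCK_SKEW) -> bool:
    """True when the skew is beyond what the KDC will accept."""
    return clock_skew_seconds(ipa_time, ad_time) > limit


def run_kinit_keytab(principal: str, keytab: str):
    """Real kinit invocation with stderr captured (not used by the test).
    Returns (returncode, stderr) so the caller can surface kinit's own text."""
    proc = subprocess.run(["kinit", "-k", "-t", keytab, principal],
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr


def fake_kinit(ipa_time: datetime, ad_time: datetime):
    """Constructed stand-in for the trust-account kinit: fails the way the
    httpd error_log in the report shows once the clocks drift too far."""
    def kinit():
        if skew_exceeds_limit(ipa_time, ad_time):
            return 1, KINIT_SKEW_STDERR + "\n"
        return 0, ""
    return kinit


def resolve_members_buggy(names, kinit, directory):
    """Pre-fix behaviour as the report describes it: every failure,
    the kinit failure included, becomes the invalid-SID error."""
    rc, _stderr = kinit()  # stderr is discarded: that is the bug
    if rc != 0:
        raise ExternalMemberError("invalid 'external member': " + GENERIC_SID_ERROR)
    sids = [directory.get(n) for n in names]
    if None in sids:
        raise ExternalMemberError("invalid 'external member': " + GENERIC_SID_ERROR)
    return sids


def resolve_members_fixed(names, kinit, directory, realm):
    """Post-fix behaviour: kinit's stderr is propagated to the caller;
    only a genuine lookup miss yields the invalid-SID error."""
    rc, stderr = kinit()
    if rc != 0:
        raise ExternalMemberError(
            f"Insufficient access: KDC for {realm} denied trust account "
            f"for IPA domain with a message '{stderr.strip()}'")
    sids = [directory.get(n) for n in names]
    if None in sids:
        raise ExternalMemberError("invalid 'external member': " + GENERIC_SID_ERROR)
    return sids


def error_text(func, *args):
    """Return the message func raises, or None if it succeeds."""
    try:
        func(*args)
    except ExternalMemberError as exc:
        return str(exc)
    return None


# Constructed trusted-domain directory (the SID is made up).
DIRECTORY = {"ADLAB\\adtestuser1": "S-1-5-21-1111111111-2222222222-3333333333-1178"}
IPA_NOW = datetime(2013, 1, 30, 20, 4, 51, tzinfo=timezone.utc)
AD_IN_SYNC = IPA_NOW + timedelta(seconds=30)       # within tolerance
AD_TEN_MIN_AHEAD = IPA_NOW + timedelta(minutes=10)  # the report's scenario

if __name__ == "__main__":
    for label, ad in (("in sync", AD_IN_SYNC), ("10 min ahead", AD_TEN_MIN_AHEAD)):
        k = fake_kinit(IPA_NOW, ad)
        print(label, "buggy:", error_text(resolve_members_buggy,
                                          ["ADLAB\\adtestuser1"], k, DIRECTORY))
        print(label, "fixed:", error_text(resolve_members_fixed,
                                          ["ADLAB\\adtestuser1"], k, DIRECTORY, "adlab.qe"))
```

The point of the split is that the buggy path makes a skewed clock indistinguishable from a mistyped user name, so an operator would check the AD name instead of NTP; the fixed path keeps the KDC's own wording, which is what points at the clock.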
Comment 7 Steeve Goveas 2013-01-30 16:18:13 UTC
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 877434' test --external
------------------
Added group "test"
------------------
  Group name: test
  Description: test group for bug 877434

# Adding invalid AD user

[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2333"
[member user]: 
[member group]: 
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

# Adding Valid existing AD user

[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser1"
[member user]: 
[member group]: 
  Group name: test
  Description: test group for bug 877434
  External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# date
Wed Jan 30 20:04:51 IST 2013

# Changed time on AD server 10 mins ahead and tried adding a second valid AD user

[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2"
[member user]: 
[member group]: 
ipa: ERROR: Insufficient access: KDC for adlab.qe denied trust account for IPA domain with a message 'kinit: Clock skew too great while getting initial credentials'

Verified on version
ipa-server-3.0.0-24.el6.x86_64

Comment 10 errata-xmlrpc 2013-02-21 09:30:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
