Red Hat Bugzilla – Bug 877434
Not exact error message shows up when adding an AD member to an external-type group while the time difference between AD and IPA is too great
Last modified: 2013-02-21 04:30:04 EST
Description of problem:
When the time difference between the AD and IPA server is greater than 5 minutes, it is unable to get initial credentials. However, both in the CLI and the WebUI, when adding an existing AD member to an external-type IPA group in this situation, the error message does not tell you the real reason. Instead, it shows the same error message as adding a non-existent AD member.

I have a trust set up between rhel and the AD server ipaqe.com, with aduser1 created, and the time difference between them is too great.

In CLI:

[root@rhel ~]# ipa group-add --desc='add a external group' test --external
------------------
Added group "test"
------------------
  Group name: test
  Description: add a external group
[root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1"
[member user]:
[member group]:
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

In WebUI:
Steps: User Groups - Click Add - Add a group with External group type - Click Add and Edit - External tab - Click Add - type aduser1 - Click Add
Error message: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

Both show the error message for adding a non-existent external member.

In /var/log/httpd/error_log the error message can be found:
[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64

How reproducible:
always

Steps to Reproduce:
see description above

Actual results:
When adding an existing AD member to an external-type IPA group with a time difference of more than 5 minutes between IPA and AD, both in the CLI and the WebUI the error message does not tell you the real reason. Instead, it shows the same error message as adding a non-existent AD member.

Expected results:
Tell the reason: the add fails because the clock skew is too great to get the initial credentials, instead of reporting an invalid SID.

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3265
The kinit errors are propagated back to the user. Fixed upstream.

master: ec20a74a599821806f62905b676ef4fd75f6c07d
ipa-3-0: 1c19d1fb2688039276bed85ca567fe38d2cb30f1
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 877434' test --external
------------------
Added group "test"
------------------
  Group name: test
  Description: test group for bug 877434

# Adding invalid AD user
[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2333"
[member user]:
[member group]:
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

# Adding valid existing AD user
[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser1"
[member user]:
[member group]:
  Group name: test
  Description: test group for bug 877434
  External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3500m4-01 ~]# date
Wed Jan 30 20:04:51 IST 2013

# Changed time on AD server 10 mins ahead and tried adding a second valid AD user
[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2"
[member user]:
[member group]:
ipa: ERROR: Insufficient access: KDC for adlab.qe denied trust account for IPA domain with a message 'kinit: Clock skew too great while getting initial credentials'

Verified on version ipa-server-3.0.0-24.el6.x86_64
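The fix described above and confirmed in the verification run comes down to one pattern: when the trust account's kinit fails, surface kinit's own diagnostic instead of folding every failure on the path into the generic "not valid SIDs" error. The point matters operationally: the real fault (clock drift beyond the KDC's skew tolerance, which Kerberos enforces as part of its replay protection) was only visible in httpd's error_log, so an admin reading the CLI would chase a non-existent AD user rather than fix NTP. The block below is an added example, not FreeIPA's code, that models the pre-fix and post-fix behaviour side by side; the realm, principal and keytab path are assumptions, and the kinit and AD lookup results are constructed stand-ins so it runs offline.

```python
"""Propagate the real kinit failure instead of a generic "invalid SID" error.

Added example, not FreeIPA's code. Models the two behaviours seen in this bug:
before the fix, any failure while resolving an AD name (including the trust
account's kinit failing on clock skew) surfaced as the generic SID error; after
the fix, kinit's own stderr text reaches the user. Realm, principal and keytab
names below are assumptions for illustration only.
"""
import re
import subprocess
from typing import Callable, Optional

GENERIC_SID_ERROR = "values are not recognized as valid SIDs from trusted domain"


class TrustAccountKinitError(Exception):
    """The AD KDC refused the trust account; carries kinit's own message."""

    def __init__(self, realm: str, detail: str) -> None:
        self.realm, self.detail = realm, detail
        super().__init__(
            f"KDC for {realm} denied trust account for IPA domain "
            f"with a message '{detail}'"
        )


class ClockSkewError(TrustAccountKinitError):
    """Clock skew beyond the KDC's tolerance (5 minutes by default in MIT krb5)."""


class InvalidExternalMember(ValueError):
    """The name did not resolve to a SID in the trusted domain."""


# kinit reports one diagnostic line on stderr, prefixed with "kinit: ".
_KINIT_LINE = re.compile(r"^kinit:\s*(?P<msg>.+?)\s*$", re.M)


def classify_kinit_failure(realm: str, returncode: int, stderr: str) -> Optional[TrustAccountKinitError]:
    """Map a kinit exit status and stderr to a specific exception (None on success)."""
    if returncode == 0:
        return None
    m = _KINIT_LINE.search(stderr)
    if m:
        detail = f"kinit: {m.group('msg')}"
    else:
        detail = stderr.strip() or f"kinit exited with status {returncode}"
    if "Clock skew too great" in detail:
        return ClockSkewError(realm, detail)
    return TrustAccountKinitError(realm, detail)


def kinit_trust_account(realm: str, principal: str, keytab: str, run: Callable = subprocess.run) -> None:
    """Obtain a TGT for the trust account; raise with kinit's diagnostic on failure.

    `run` is injectable so the example can be exercised without a KDC.
    """
    proc = run(["kinit", "-kt", keytab, principal], capture_output=True, text=True)
    err = classify_kinit_failure(realm, proc.returncode, proc.stderr)
    if err is not None:
        raise err


def add_external_member_before(name: str, kinit: Callable[[], None],
                               lookup_sid: Callable[[str], Optional[str]]) -> str:
    """Pre-fix behaviour: every failure on the path is reported as a bad SID."""
    try:
        kinit()
        sid = lookup_sid(name)
        if sid is None:
            raise LookupError(name)
        return sid
    except Exception:
        raise InvalidExternalMember(GENERIC_SID_ERROR)


def add_external_member_after(name: str, kinit: Callable[[], None],
                              lookup_sid: Callable[[str], Optional[str]]) -> str:
    """Post-fix behaviour: only a failed SID lookup is a bad member; kinit errors propagate."""
    kinit()  # TrustAccountKinitError / ClockSkewError pass through unchanged
    sid = lookup_sid(name)
    if sid is None:
        raise InvalidExternalMember(GENERIC_SID_ERROR)
    return sid


# --- constructed stand-ins so the example runs offline (not real kinit/AD output) ---
class _Proc:
    def __init__(self, returncode: int, stderr: str) -> None:
        self.returncode, self.stderr = returncode, stderr


def fake_run_skew(cmd, **kwargs):
    return _Proc(1, "kinit: Clock skew too great while getting initial credentials\n")


def fake_run_ok(cmd, **kwargs):
    return _Proc(0, "")


_FAKE_AD = {"ADLAB\\adtestuser1": "S-1-5-21-3655990580-1375374850-1633065477-1178"}


def fake_lookup(name: str) -> Optional[str]:
    return _FAKE_AD.get(name)


def report(add: Callable, name: str, run: Callable) -> str:
    """Return the line a user would see for one `ipa group-add-member --external` attempt."""
    def kinit() -> None:
        # assumed trust-account principal and keytab path
        kinit_trust_account("adlab.qe", "IPA-TRUST$@ADLAB.QE", "/etc/samba/samba.keytab", run=run)
    try:
        return f"External member: {add(name, kinit, fake_lookup)}"
    except (InvalidExternalMember, TrustAccountKinitError) as exc:
        return f"ipa: ERROR: {exc}"


if __name__ == "__main__":
    for add in (add_external_member_before, add_external_member_after):
        print(add.__name__, "->", report(add, "ADLAB\\adtestuser2", fake_run_skew))
```

Run stand-alone it prints both outcomes for the skewed-clock case: the "before" path reports a bad SID, the "after" path reports the KDC's clock-skew message. The design choice worth copying is the narrow `except`: the post-fix function only maps a failed SID lookup to the "invalid member" error and lets the authentication failure surface with its original text, so the user-facing error still distinguishes a typo in the AD name from a broken trust.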
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html