Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
when the time difference between ad and ipa server is greater than 5 minutes ,it's unable to get initial credentials.
However,both in CLI and WebUI when adding an existing ad member to an external type ipa group under the situation ,the error message is not telling you exactly the reason.Insteadly ,it will show the same error message as adding a non-existent ad member.
I have trust setup between rhel and ad server ipaqe.com ,with aduser1 created and the time difference between them is too great
In CLI:
[root@rhel ~]# ipa group-add --desc='add a external group' test --external
------------------
Added group "test"
------------------
Group name: test
Description: add a external group
[root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1"
[member user]:
[member group]:
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain
In WebUI:
Steps:
User Groups-Click Add-Add a group with External group type-Click Add and Edit-External tab-Click Add-type aduser1-Click Add
Error message:
invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain
Both are all showing the error message as adding a non-extent external member.
In /var/log/httpd/error_log could find the error message:
[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials
Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64
How reproducible:
always
Steps to Reproduce:
see discription above
Actual results:
when adding an existing ad member to an external type ipa group with a time difference of more than 5mins between ipa and ad ,both in CLI and WebUI the error message is not telling you exactly the reason.Insteadly ,it will show the same error message as adding a non-existent ad member.
Expected results:
Tell the reason that the add fail because clock skew too great to get the initial credentials instead of telling adding with an invalid SID.
Additional info:
The kinit errors are propagated back to the user.
Fixed upstream.
master: ec20a74a599821806f62905b676ef4fd75f6c07d
ipa-3-0: 1c19d1fb2688039276bed85ca567fe38d2cb30f1
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 877434' test --external
------------------
Added group "test"
------------------
Group name: test
Description: test group for bug 877434
# Adding invalid AD user
[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2333"
[member user]:
[member group]:
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain
# Adding Valid existing AD user
[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser1"
[member user]:
[member group]:
Group name: test
Description: test group for bug 877434
External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3500m4-01 ~]# date
Wed Jan 30 20:04:51 IST 2013
# Changed time on AD server 10 mins ahead and tried adding a second valid AD user
[root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2"
[member user]:
[member group]:
ipa: ERROR: Insufficient access: KDC for adlab.qe denied trust account for IPA domain with a message 'kinit: Clock skew too great while getting initial credentials'
Verified on version
ipa-server-3.0.0-24.el6.x86_64
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2013-0528.html
Description of problem: when the time difference between ad and ipa server is greater than 5 minutes ,it's unable to get initial credentials. However,both in CLI and WebUI when adding an existing ad member to an external type ipa group under the situation ,the error message is not telling you exactly the reason.Insteadly ,it will show the same error message as adding a non-existent ad member. I have trust setup between rhel and ad server ipaqe.com ,with aduser1 created and the time difference between them is too great In CLI: [root@rhel ~]# ipa group-add --desc='add a external group' test --external ------------------ Added group "test" ------------------ Group name: test Description: add a external group [root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1" [member user]: [member group]: ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain In WebUI: Steps: User Groups-Click Add-Add a group with External group type-Click Add and Edit-External tab-Click Add-type aduser1-Click Add Error message: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain Both are all showing the error message as adding a non-extent external member. In /var/log/httpd/error_log could find the error message: [error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials Version-Release number of selected component (if applicable): ipa-server-3.0.0-8.el6.x86_64 How reproducible: always Steps to Reproduce: see discription above Actual results: when adding an existing ad member to an external type ipa group with a time difference of more than 5mins between ipa and ad ,both in CLI and WebUI the error message is not telling you exactly the reason.Insteadly ,it will show the same error message as adding a non-existent ad member. Expected results: Tell the reason that the add fail because clock skew too great to get the initial credentials instead of telling adding with an invalid SID. Additional info: