Bug 907917 - Internal error when user triggers trusted domain communication
Summary: Internal error when user triggers trusted domain communication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-02-05 14:21 UTC by Ann Marie Rubin
Modified: 2014-06-18 00:04 UTC (History)

Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:18:58 UTC
Target Upstream Version:
Embargoed:



Description Ann Marie Rubin 2013-02-05 14:21:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3390

When a user who is privileged to add group members, but is not a member of Trusted Admins, tries to add an external member, he receives an internal error:

{{{
# ipa user-show fbar
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Email address: fbar.test
  UID: 1230000003
  GID: 1230000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk                    <<<<<<
  Kerberos keys available: True
# kinit fbar
Password for fbar.TEST: 
# ipa group-add-member ext_all_admins --external "AD\Domain Admins"
[member user]: 
[member group]: 
ipa: ERROR: an internal error has occurred

/var/log/httpd/error_log:
[Mon Feb 04 10:09:55.085035 2013] [:error] [pid 22453] Traceback (most recent call last):
[Mon Feb 04 10:09:55.085041 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Mon Feb 04 10:09:55.085046 2013] [:error] [pid 22453]     result = self.Command[name](*args, **options)
[Mon Feb 04 10:09:55.085051 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
[Mon Feb 04 10:09:55.085056 2013] [:error] [pid 22453]     ret = self.run(*args, **options)
[Mon Feb 04 10:09:55.085060 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
[Mon Feb 04 10:09:55.085065 2013] [:error] [pid 22453]     return self.execute(*args, **options)
[Mon Feb 04 10:09:55.085070 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1546, in execute
[Mon Feb 04 10:09:55.085075 2013] [:error] [pid 22453]     **options)
[Mon Feb 04 10:09:55.085079 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 388, in post_callback
[Mon Feb 04 10:09:55.085084 2013] [:error] [pid 22453]     actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
[Mon Feb 04 10:09:55.085089 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 264, in get_trusted_domain_object_sid
[Mon Feb 04 10:09:55.085094 2013] [:error] [pid 22453]     components.get('flatname'), filter, attrs, scope)
[Mon Feb 04 10:09:55.085099 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 221, in get_trusted_domain_objects
[Mon Feb 04 10:09:55.085104 2013] [:error] [pid 22453]     self._domains = self.get_trusted_domains()
[Mon Feb 04 10:09:55.085109 2013] [:error] [pid 22453]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 162, in get_trusted_domains
[Mon Feb 04 10:09:55.085124 2013] [:error] [pid 22453]     entry[1][self.ATTR_TRUST_AUTHOUT][0])
[Mon Feb 04 10:09:55.085129 2013] [:error] [pid 22453] KeyError: 'ipanttrustauthoutgoing'
[Mon Feb 04 10:09:55.085498 2013] [:error] [pid 22453] ipa: INFO: fbar.TEST: group_add_member(u'ext_all_admins', ipaexternalmember=(u'AD\\\\Domain Admins',), all=False, raw=False, version=u'2.47'): KeyError
}}}
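The traceback shows the failure mode: the trust lookup indexes `entry[1][self.ATTR_TRUST_AUTHOUT]` on a trust entry that, as read by a principal outside Trusted Admins, simply does not carry the `ipanttrustauthoutgoing` attribute (the directory's ACIs hide it rather than refusing the search), so the code raises a bare `KeyError` and the client sees "an internal error has occurred" instead of an access-denied message. The following is an added example, not FreeIPA's code and not the upstream fix referenced in the comments below; it contrasts the unchecked indexing pattern with one that turns the missing privileged attribute into an explicit access error. The entry layout, the `ACIError` class, the DN, the SID and the helper names are all constructed for illustration.

```python
"""Added example: a privileged LDAP attribute hidden by an ACI must surface as
an access error, not as a KeyError that the RPC layer reports as an internal
error. All data and names here are constructed; this is not FreeIPA code."""


class ACIError(Exception):
    """Constructed stand-in for an 'insufficient access' error class."""


# Attribute name taken from the traceback on this page.
ATTR_TRUST_AUTHOUT = "ipanttrustauthoutgoing"

# Constructed search results as (dn, attrs) pairs, mirroring the entry[0] /
# entry[1] shape the traceback indexes. Seen by a Trusted Admins member, the
# entry carries the outgoing trust authentication attribute.
TRUST_ENTRIES_AS_TRUST_ADMIN = [
    ("cn=ad.example.test,cn=ad,cn=trusts,dc=example,dc=test", {
        "cn": ["ad.example.test"],
        "ipantflatname": ["AD"],
        "ipanttrusteddomainsid": ["S-1-5-21-1111-2222-3333"],   # constructed SID
        ATTR_TRUST_AUTHOUT: ["<constructed opaque trust blob>"],
    }),
]

# The same entry as seen by a helpdesk user: the ACI strips the attribute, so
# the search succeeds but the key is absent from the attribute dict.
TRUST_ENTRIES_AS_HELPDESK = [
    ("cn=ad.example.test,cn=ad,cn=trusts,dc=example,dc=test", {
        "cn": ["ad.example.test"],
        "ipantflatname": ["AD"],
        "ipanttrusteddomainsid": ["S-1-5-21-1111-2222-3333"],
    }),
]


def get_trusted_domains_unchecked(entries):
    """Pattern from the traceback: index the attribute and let KeyError escape."""
    domains = {}
    for dn, attrs in entries:
        domains[attrs["ipantflatname"][0]] = {
            "dn": dn,
            "sid": attrs["ipanttrusteddomainsid"][0],
            "auth_outgoing": attrs[ATTR_TRUST_AUTHOUT][0],  # KeyError when hidden
        }
    return domains


def get_trusted_domains_checked(entries):
    """Hardened pattern: an absent privileged attribute means the caller is not
    allowed to read it, so report an authorization failure for that entry."""
    domains = {}
    for dn, attrs in entries:
        auth = attrs.get(ATTR_TRUST_AUTHOUT)
        if not auth:
            raise ACIError(
                "Insufficient access: attribute '%s' of entry '%s' is not "
                "readable by this principal" % (ATTR_TRUST_AUTHOUT, dn))
        domains[attrs["ipantflatname"][0]] = {
            "dn": dn,
            "sid": attrs["ipanttrusteddomainsid"][0],
            "auth_outgoing": auth[0],
        }
    return domains


def classify_failure(lookup, entries):
    """Run a lookup and report the outcome the way the RPC layer would log it:
    'ok', a clean 'ACIError', or a 'KeyError' that surfaces as an internal error."""
    try:
        lookup(entries)
    except ACIError:
        return "ACIError"
    except KeyError:
        return "KeyError"
    return "ok"


if __name__ == "__main__":
    for name, lookup in (("unchecked", get_trusted_domains_unchecked),
                         ("checked", get_trusted_domains_checked)):
        print("%-9s trust admin: %s" % (name, classify_failure(lookup, TRUST_ENTRIES_AS_TRUST_ADMIN)))
        print("%-9s helpdesk:    %s" % (name, classify_failure(lookup, TRUST_ENTRIES_AS_HELPDESK)))
```

The detection side of the same point: an unhandled `KeyError` in `error_log` next to an `ipa: INFO: <principal>: group_add_member(...)` line is the signature to look for, since it means a permission boundary was reached without being reported as one.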

Comment 1 Rob Crittenden 2013-02-20 18:26:28 UTC
Fixed upstream.

master: a41e10f0ebdd0be543d36b3bbe795d92974b0a2e

ipa-3-1: b238fc13ef98afb0bae4c479be1fc2c7fa94468d

Comment 6 Varun Mylaraiah 2014-01-31 14:04:59 UTC
These are the steps I followed. Let me know if I am missing anything.

-----------------------------------------
[root@rhel7ad ~]# ipa user-show fbar
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Email address: fbar
  UID: 1875600045
  GID: 1875600045
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk
  Kerberos keys available: True


[root@rhel7ad ~]# kinit fbar
Password for fbar:

[root@rhel7ad ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_Y7YH42Q
Default principal: fbar

Valid starting       Expires              Service principal
01/31/2014 00:22:29  02/01/2014 00:22:29  krbtgt/TESTRELM.COM


[root@rhel7ad ~]# ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
[member user]: 
[member group]: 
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.



/var/log/httpd/error_log

[Fri Jan 31 00:23:13.974923 2014] [:error] [pid 13506] ipa: INFO: fbar: group_add_member(u'ext_all_admins', ipaexternalmember=(u'IPAQE1\\\\Administrator',), all=False, raw=False, version=u'2.65', no_members=False): ACIError
[Fri Jan 31 00:23:13.974994 2014] [:error] [pid 13506] ipa: DEBUG: response: ACIError: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.
[Fri Jan 31 00:23:13.975645 2014] [:error] [pid 13506] ipa: DEBUG: no session id in request, generating empty session data with id=b3ef224f9bc21c11e2d694d217c86e89
[Fri Jan 31 00:23:13.975818 2014] [:error] [pid 13506] ipa: DEBUG: store session: session_id=b3ef224f9bc21c11e2d694d217c86e89 start_timestamp=2014-01-31T00:23:13 access_timestamp=2014-01-31T00:23:13 expiration_timestamp=1970-01-01T05:30:00

Comment 7 Martin Kosek 2014-02-24 16:20:02 UTC
Yes, it should be enough. But it would also be interesting to assign the role "User Administrator" to the user "fbar" so that it has the actual write permission to the membership attribute:

$ kinit admin
$ ipa role-add-member "User Administrator" --users "fbar"
$ kinit fbar
$ ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"

Comment 8 Varun Mylaraiah 2014-02-26 14:46:00 UTC
Verified in ipa-server-3.3.3-17.el7.x86_64

[root@rhel7ad ~]# kinit admin
Password for admin: 


[root@rhel7ad ~]# ipa role-add-member "User Administrator" --users "fbar"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Member users: fbar
  Privileges: User Administrators, Group Administrators
-------------------------
Number of members added 1
-------------------------

[root@rhel7ad ~]# kinit fbar
Password for fbar: 

[root@rhel7ad ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_zDiWSuc
Default principal: fbar

Valid starting       Expires              Service principal
02/26/2014 17:47:22  02/27/2014 17:47:22  krbtgt/TESTRELM.COM


[root@rhel7ad ~]# ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
[member user]: 
[member group]: 
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.

Comment 9 Ludek Smid 2014-06-13 09:18:58 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

