Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1355753 - adding two way non transitive(external) trust displays internal error on the console
Summary: adding two way non transitive(external) trust displays internal error on the ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-12 12:38 UTC by Sudhir Menon
Modified: 2016-11-04 05:57 UTC (History)
3 users (show)

Fixed In Version: ipa-4.4.0-10.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:57:36 UTC
Target Upstream Version:


Attachments (Terms of Use)
error log (deleted)
2016-07-12 12:38 UTC, Sudhir Menon
no flags Details
ipa-server install log (deleted)
2016-07-12 12:59 UTC, Sudhir Menon
no flags Details
ipa-adtrust-install (deleted)
2016-07-12 13:00 UTC, Sudhir Menon
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-12 12:38:13 UTC
Created attachment 1178890 [details]
error log

Description of problem: adding two way transitive trust gives internal error on the console


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-4.4.0-1.el7.x86_64
ipa-server-dns-4.4.0-1.el7.noarch
ipa-server-common-4.4.0-1.el7.noarch
ipa-server-4.4.0-1.el7.x86_64


How reproducible: Always.

Steps to Reproduce:
1. Install ipa-server
2. ipa-adtrust-install 
3. add forward-zone for the domain to be trusted.
4. now add two-way trust

[root@server]# ipa trust-add test.qa --external='true' --two-way=true 

Actual results:

[root@server]# ipa trust-add test.qa --external='true' --two-way=true 
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
ipa: ERROR: an internal error has occurred

[root@server ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
----------------------------
Number of entries returned 1
----------------------------

[root@server ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: TEST.QA_id_range
  First Posix ID of the range: 330800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-4204873575-1158510886-1449965812
  Range type: Active Directory domain range

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 160600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

Expected results:
Although the trust gets added successfully the message
displayed on the console should be fixed.

Additional info: Attaching httpd error_log file

Comment 1 Sudhir Menon 2016-07-12 12:49:04 UTC
The issue is while adding two way non transitive (external) trust which gives internal error on the console

Comment 3 Sudhir Menon 2016-07-12 12:59:59 UTC
Created attachment 1178901 [details]
ipa-server install log

Comment 4 Sudhir Menon 2016-07-12 13:00:40 UTC
Created attachment 1178902 [details]
ipa-adtrust-install

Comment 5 Petr Vobornik 2016-07-12 15:32:59 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6057

Comment 6 Sudhir Menon 2016-07-13 08:39:46 UTC
Message displayed on the UI.
IPA Error 903: InternalError : an internal error has occurred

Comment 8 Martin Babinsky 2016-09-05 07:22:28 UTC
master:
* 33f8685513e06f6a398036a78407d61c3ac2db86 Always fetch forest info from root DCs when establishing two-way trust
* c789b17b2e28ed9008fee076a0db72fe90f7e93f factor out `populate_remote_domain` method into module-level function
* 4ca671788cc54a00de6a55a2529df6126da14d88 Always fetch forest info from root DCs when establishing one-way trust
ipa-4-4:
* 58513d3b2a72b6c15bdf5676ed63d6eb74f36ed7 Always fetch forest info from root DCs when establishing two-way trust
* 034b78e320e4868e4dee520690bb49fefc242cde factor out `populate_remote_domain` method into module-level function
* a532edf97337a80b0777fb00cc1b9e57ef8cf487 Always fetch forest info from root DCs when establishing one-way trust

Comment 10 Sudhir Menon 2016-09-14 12:31:23 UTC
Fix is seen. Verified on RHEL7.3 using

ipa-server-4.4.0-10.el7.x86_64
ipa-server-trust-ad-4.4.0-10.el7.x86_64


[root@master ~]# ipa trust-add test.qa --external='true' --two-way=true 
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
----------------------------------------
Re-established trust to domain "test.qa"
----------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@master ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: TEST.QA_id_range
  First Posix ID of the range: 330800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-4204873575-1158510886-1449965812
  Range type: Active Directory domain range

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 1306000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

Comment 12 errata-xmlrpc 2016-11-04 05:57:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.