When add_trust_ad is called with the admin (realm_admin) option in the format name@domain, an internal error is thrown.
Input command (JSON RPC format):
{"method":"trust_add_ad","params":[["ad.test"], {"realm_admin":"administrator@ad.test","realm_passwd":"aaa111AAA"}]}
Note: In this case, using the admin name in a different format (Administrator or AD\Administrator) doesn't work either, but it returns a better error ('Working LSA pipe' is required).
Part of Log:
rpc fault: WERR_ACCESS_DENIED
[Fri Jun 22 07:33:36 2012] [error] ipa: ERROR: non-public: RuntimeError: (-1073741790, 'Access denied')
[Fri Jun 22 07:33:36 2012] [error] Traceback (most recent call last):
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 332, in wsgi_execute
[Fri Jun 22 07:33:36 2012] [error] result = self.Command[name](*args, **options)
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
[Fri Jun 22 07:33:36 2012] [error] ret = self.run(*args, **options)
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
[Fri Jun 22 07:33:36 2012] [error] return self.execute(*args, **options)
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 167, in execute
[Fri Jun 22 07:33:36 2012] [error] result = trustinstance.join_ad_full_credentials(keys[-1], realm_server, realm_admin, realm_passwd)
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 311, in join_ad_full_credentials
[Fri Jun 22 07:33:36 2012] [error] self.__populate_remote_domain(realm, realm_server, realm_admin, realm_passwd)
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 301, in __populate_remote_domain
[Fri Jun 22 07:33:36 2012] [error] td.retrieve(rd.info['dns_hostname'])
[Fri Jun 22 07:33:36 2012] [error] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 162, in retrieve
[Fri Jun 22 07:33:36 2012] [error] self._policy_handle = self._pipe.OpenPolicy2(u"", objectAttribute, security.SEC_FLAG_MAXIMUM_ALLOWED)
[Fri Jun 22 07:33:36 2012] [error] RuntimeError: (-1073741790, 'Access denied')
[Fri Jun 22 07:33:36 2012] [error] ipa: INFO: admin@IDM.LAB.BOS.REDHAT.COM: trust_add_ad(u'ad.test', realm_admin=u'administrator@ad.test', realm_passwd=u'********'): RuntimeError
Patch is sent for review: https://www.redhat.com/archives/freeipa-devel/2012-July/msg00150.html
Pushed to master: dadfbf9
Rename "trusts" component to "Trusts" to achieve correct sorting.
Metadata Update from @pvoborni: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.0 Beta 2