#4114 ipasam cannot update trusted domain info when resetting trusted secret from AD DC side
Opened 8 years ago by abbra. Modified 5 years ago

When attempting to validate trust from AD DC side and resetting trust shared secret, Samba reports an error because some string conversion fails:

[2014/01/14 15:55:32.599455, 10, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ipa_sam.c:2137(ipasam_get_trusted_domain_by_sid)
  ipasam_get_trusted_domain_by_sid called for sid S-1-5-21-2396524182-1808436206-1789356876
[2014/01/14 15:55:32.599500,  5, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [cn=ad,cn=trusts,dc=ipa,dc=weald,dc=vda,dc=li], filter => [(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-2396524182-1808436206-1789356876))], scope => [2]
[2014/01/14 15:55:32.599556, 11, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../source3/lib/smbldap.c:1067(smbldap_open)
  smbldap_open: already connected to the LDAP server
[2014/01/14 15:55:32.600840,  9, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ipa_sam.c:2084(fill_pdb_trusted_domain)
  Failed to set forest trust info.
[2014/01/14 15:55:32.600914,  3, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../lib/util/charset/convert_string.c:435(convert_string_talloc_handle)
  convert_string_talloc: Conversion error: Illegal multibyte sequence(4<DD><F8>ڐ<F1>ESC^D<87><8F>)
[2014/01/14 15:55:32.600953,  0, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../lib/util/charset/convert_string.c:438(convert_string_talloc_handle)
  Conversion error: Illegal multibyte sequence(4<DD><F8>ڐ<F1>ESC^D<87><8F>)
[2014/01/14 15:55:32.602160,  1, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
       lsa_QueryTrustedDomainInfoBySid: struct lsa_QueryTrustedDomainInfoBySid
          out: struct lsa_QueryTrustedDomainInfoBySid
              info                     : *
                  info                     : NULL
              result                   : NT_STATUS_INVALID_PARAMETER

This is with Fedora 20, samba 4.1.3-2.fc20 and FreeIPA from git master.


Alexander found out this issue affects IPA's ability to successfully use trusts with AD 2012. We need to re-prioritize.

Not reproducible. Not clear where the issue is.

Linking with new downstream bug https://bugzilla.redhat.com/show_bug.cgi?id=1190566. Alexander may revisit this ticket when evaluating trusts with Samba DC.

Moving to 4.4 for now, abbra would like to get it working at the same time we'll get Samba AD.

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.5 backlog

5 years ago
