Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1125317
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
... Description of problem: When fetching trusted domains with:

```
ipa trustdomain-find <domain>
```

...not all trusted domains are returned due to NETR_TRUST_ATTRIBUTE_WITHIN_FOREST and NETR_TRUST_FLAG_IN_FOREST failing the filter.

Version-Release number of selected component (if applicable): ipa-3.3.3-28

How reproducible: always

Steps to Reproduce:
1. # ipa trust-add --type ad EXAMPLE.COM --trust-secret
2. # trustdomain-find example.com

Actual results:

```
# ipa trustdomain-find example.com
  Domain name: example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz
  Domain enabled: True

  Domain name: another.com
  Domain NetBIOS name: ANOTHER
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
```

Expected results:

```
# ipa trust-fetch-domains example.com
--------------------------------------------
List of trust domains successfully refreshed
--------------------------------------------
  Realm name: CORP.EXAMPLE.COM
  Domain NetBIOS name: CORP
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz

  Realm name: a.example.com
  Domain NetBIOS name: A
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz

  Realm name: b.example.com
  Domain NetBIOS name: B
  Domain Security Identifier: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz
----------------------------
Number of entries returned 3
----------------------------
```

Additional info: I've attached a log showing what occurs when only the 2 domains are found.
Workaround suggested by Alexander Bokovoy returned the expected result:

As an experiment, you can try to hack on ipaserver/dcerpc.py:fetch_domains() in the

```python
result = []
for t in domains.array:
    if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
        (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
        res = dict()
        res['cn'] = unicode(t.dns_name)
        res['ipantflatname'] = unicode(t.netbios_name)
        res['ipanttrusteddomainsid'] = unicode(t.sid)
        res['ipanttrustpartner'] = res['cn']
        result.append(res)
return result
```

by removing the check for `(t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'])` and adding `(not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']))`. It would look like:

```python
if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
    (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
```

This would give you all domains that 'are in the forest' except the primary one (which we don't need as we already have it). Restart httpd after the hack and run 'ipa trust-fetch-domains <forest.root>'.
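To make the difference between the two filters concrete, the following is an added example that is not part of the ticket or of FreeIPA's dcerpc.py. It runs both predicates over a constructed list of netr_DomainTrust-like entries: the flag and attribute bit values are assumed to be those of MS-NRPC (NETR_TRUST_FLAG_IN_FOREST = 0x1, NETR_TRUST_FLAG_PRIMARY = 0x8, NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20), the `DomainTrust` namedtuple is a hypothetical stand-in for the Samba structure, and `str` replaces the Python 2 `unicode` call of the original code.

```python
from collections import namedtuple

# Bit values as defined in MS-NRPC for netr_DomainTrust (assumed here, not taken from the ticket).
trust_flags = {
    'NETR_TRUST_FLAG_IN_FOREST': 0x00000001,
    'NETR_TRUST_FLAG_DIRECT_OUTBOUND': 0x00000002,
    'NETR_TRUST_FLAG_TREEROOT': 0x00000004,
    'NETR_TRUST_FLAG_PRIMARY': 0x00000008,
}
trust_attributes = {
    'NETR_TRUST_ATTRIBUTE_WITHIN_FOREST': 0x00000020,
}

# Hypothetical stand-in for the entries in domains.array that fetch_domains() iterates over.
DomainTrust = namedtuple(
    'DomainTrust', 'dns_name netbios_name sid trust_flags trust_attributes')


def _entry(t):
    """Build the LDAP-style dict the original loop appends for a selected domain."""
    res = dict()
    res['cn'] = str(t.dns_name)
    res['ipantflatname'] = str(t.netbios_name)
    res['ipanttrusteddomainsid'] = str(t.sid)
    res['ipanttrustpartner'] = res['cn']
    return res


def filter_original(domains):
    """The pre-fix predicate: requires both the WITHIN_FOREST attribute and the IN_FOREST flag."""
    return [
        _entry(t) for t in domains
        if (t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'])
        and (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])
    ]


def filter_proposed(domains):
    """The suggested predicate: every in-forest domain except the primary (forest root) one."""
    return [
        _entry(t) for t in domains
        if not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY'])
        and (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])
    ]


# Constructed sample data (SIDs are placeholders). b.example.com models the failing case from the
# ticket: it is flagged as in the forest, but the DC did not set the WITHIN_FOREST attribute.
SAMPLE_DOMAINS = [
    DomainTrust('example.com', 'EXAMPLE', 'S-1-5-21-1-1-1',
                trust_flags['NETR_TRUST_FLAG_IN_FOREST']
                | trust_flags['NETR_TRUST_FLAG_TREEROOT']
                | trust_flags['NETR_TRUST_FLAG_PRIMARY'], 0),
    DomainTrust('a.example.com', 'A', 'S-1-5-21-2-2-2',
                trust_flags['NETR_TRUST_FLAG_IN_FOREST'],
                trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']),
    DomainTrust('b.example.com', 'B', 'S-1-5-21-3-3-3',
                trust_flags['NETR_TRUST_FLAG_IN_FOREST'], 0),
    DomainTrust('another.com', 'ANOTHER', 'S-1-5-21-4-4-4',
                trust_flags['NETR_TRUST_FLAG_DIRECT_OUTBOUND'], 0),
]


def names(result):
    """Return just the DNS names of a filter result, in order."""
    return [r['cn'] for r in result]


if __name__ == '__main__':
    print('original filter:', names(filter_original(SAMPLE_DOMAINS)))
    print('proposed filter:', names(filter_proposed(SAMPLE_DOMAINS)))
```

On this input the original predicate silently drops b.example.com, while the proposed one returns both child domains and excludes the forest root and the external trust; the external trust is excluded by the IN_FOREST check in both versions, so the change only widens the selection within the forest.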
As this is an AD trust stabilization fix which is now ready, I think it should also be part of 4.0.2.
master:
ipa-4-1:
ipa-4-0:
ipa-3-3:
Metadata Update from @mkosek: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.0.2