Crash when running: ipa trust-add --type=ad ad.company.com --admin <ad.user> --password
CentOS Linux release 7.1.1503 (Core)
freeipa-server-4.1.4-1.el7.centos.x86_64 freeipa-server-trust-ad-4.1.4-1.el7.centos.x86_64
AD Server: Windows 2012
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=116, this_data=116, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 14
smb_signing_sign_pdu: sent SMB signature of
[0000] FF 8A 8E 23 26 FC 06 57   ...#&..W
smb_signing_md5: sequence number 15
smb_signing_check_pdu: seq 15: got good SMB signature of
[0000] 8A 5A 5D EB C9 AA 36 1D   .Z]...6.
rpc reply data:
[0000] 00 00 02 00 08 00 00 00 32 00 34 00 04 00 02 00   ........ 2.4.....
[0010] 32 00 34 00 08 00 02 00 00 00 00 00 03 00 00 00   2.4..... ........
[0020] 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
[Thu Apr 23 04:29:01.655167 2015] [:error] [pid 22140] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Thu Apr 23 04:29:01.655185 2015] [:error] [pid 22140] Traceback (most recent call last):
[Thu Apr 23 04:29:01.655188 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 349, in wsgi_execute
[Thu Apr 23 04:29:01.655191 2015] [:error] [pid 22140]     result = self.Command[name](*args, **options)
[Thu Apr 23 04:29:01.655193 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Thu Apr 23 04:29:01.655196 2015] [:error] [pid 22140]     ret = self.run(*args, **options)
[Thu Apr 23 04:29:01.655198 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Thu Apr 23 04:29:01.655200 2015] [:error] [pid 22140]     return self.execute(*args, **options)
[Thu Apr 23 04:29:01.655202 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
[Thu Apr 23 04:29:01.655205 2015] [:error] [pid 22140]     result = self.execute_ad(full_join, *keys, **options)
[Thu Apr 23 04:29:01.655207 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
[Thu Apr 23 04:29:01.655210 2015] [:error] [pid 22140]     self.realm_passwd
[Thu Apr 23 04:29:01.655212 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
[Thu Apr 23 04:29:01.655214 2015] [:error] [pid 22140]     self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
[Thu Apr 23 04:29:01.655216 2015] [:error] [pid 22140]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
[Thu Apr 23 04:29:01.655219 2015] [:error] [pid 22140]     self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
[Thu Apr 23 04:29:01.655236 2015] [:error] [pid 22140] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Thu Apr 23 04:29:01.655502 2015] [:error] [pid 22140] ipa: INFO: [jsonserver_kerb] admin@ldap.company.com: trust_add(u'corp.LDAPCOMPANY.com', trust_type=u'ad', realm_admin=u'<ad_user>, realm_passwd=u'********', all=False, raw=False, version=u'2.114'): TypeError
--
I'd like to see whole httpd's error_log, including whatever communication was before this step.
Also, can you reproduce this with stock ipa-server packages from CentOS 7.1? They should be equivalent to your rebuild of FreeIPA's packages, but I'd like to see if the supported packages produce the same issue.
Closing due to lack of data. Please reopen if more data (see comments 1 and 2) is available.
The whole error log from AD-Trust setup in FreeIPA: error_logCentOS7
Same issue, but Oracle logs as well: error_logOracle
Replying to [comment:3 pvoborni]:
Reopening this ticket as I am encountering the same issue.
I've reproduced this error on two different OSes: Oracle Linux 7.1 and CentOS 7.1 on VMware ESXi 5.5,
with Windows 2008 R2 also on VMware ESXi 5.5.
Software versions:
Oracle Linux: without DNS
ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
CentOS 7.1: With DNS
ipa-server.x86_64 - 4.1.0-18-el7.centos.3
ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
I've also attached logs to this ticket, both from Oracle Linux and CentOS.
These are whole logs with "log level = 100" set in smb.conf. Log files were emptied before the above command was run. If there is any other information required, please let me know.
Misc: the user account is a Domain Admin account.
Edit #1: Fedora 22 also displays the same error.
Edit #2: Fedora 22 while running 4.2 Alpha 1: same error.
Yes, although the original logs in the description do not contain the LSA call which is given in the attached logs (I guess the log level is different), I would assume that the reason is the same.
From the logs I got that lsa_QueryTrustedDomainInfoByName for the IPA domain to the AD DC returned:
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        info                     : *
            info                     : *
                info                     : union lsa_TrustedDomainInfo(case 8)
                full_info: struct lsa_TrustDomainInfoFullInfo
                    info_ex: struct lsa_TrustDomainInfoInfoEx
                        domain_name: struct lsa_StringLarge
                            length                   : 0x001a (26)
                            size                     : 0x001c (28)
                            string                   : *
                                string                   : 'ipa.*redacted*'
                        netbios_name: struct lsa_StringLarge
                            length                   : 0x001a (26)
                            size                     : 0x001c (28)
                            string                   : *
                                string                   : 'ipa.*redacted*'
                        sid                      : NULL
                        trust_direction          : 0x00000003 (3)
                               1: LSA_TRUST_DIRECTION_INBOUND
                               1: LSA_TRUST_DIRECTION_OUTBOUND
                        trust_type               : LSA_TRUST_TYPE_MIT (3)
                        trust_attributes         : 0x00000000 (0)
                               0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                               0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                               0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                               0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                               0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                               0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                               0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                               0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                    posix_offset: struct lsa_TrustDomainInfoPosixOffset
                        posix_offset             : 0x00000000 (0)
                    auth_info: struct lsa_TrustDomainInfoAuthInfo
                        incoming_count           : 0x00000000 (0)
                        incoming_current_auth_info: NULL
                        incoming_previous_auth_info: NULL
                        outgoing_count           : 0x00000000 (0)
                        outgoing_current_auth_info: NULL
                        outgoing_previous_auth_info: NULL
        result                   : NT_STATUS_OK
Which indicates that the AD DC already has a trust set up to a domain with the same name as the IPA domain, but with type LSA_TRUST_TYPE_MIT, where e.g. the domain SID and other data of the trusted domain are not available because they basically do not exist.
IPA tools should be more robust and check the trust type before trying to access data which is not always available, and give a suitable error message in that case.
Nevertheless, to be able to create a trust to the given AD domain with 'ipa trust-add', the Kerberos trust must be removed on the AD side first. I doubt that it would be a good idea to do this automatically on the IPA side.
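The pre-check described in the comment above, as an added example that is not FreeIPA's or Samba's own code: it parses the ndr-printed lsa_TrustDomainInfoInfoEx fields from a Samba log excerpt (constructed here, with a placeholder domain name in place of the ticket's redacted one) and refuses to proceed with an actionable message when AD already holds a same-named entry of type LSA_TRUST_TYPE_MIT with no SID, instead of handing a None SID to DeleteTrustedDomain. The `parse_info_ex` and `check_existing_trust` names are assumptions.

```python
import re
from typing import Optional

# Samba lsa_TrustType values from librpc/idl/lsa.idl
LSA_TRUST_TYPE_DOWNLEVEL, LSA_TRUST_TYPE_UPLEVEL, LSA_TRUST_TYPE_MIT, LSA_TRUST_TYPE_DCE = 1, 2, 3, 4

# Constructed excerpt of an ndr print of lsa_TrustDomainInfoInfoEx, one field per line,
# mirroring the NULL sid / MIT trust type seen in the ticket (domain name is a placeholder).
SAMPLE_DUMP = """\
domain_name: struct lsa_StringLarge
    string                   : 'ipa.example.test'
netbios_name: struct lsa_StringLarge
    string                   : 'ipa.example.test'
sid                      : NULL
trust_direction          : 0x00000003 (3)
trust_type               : LSA_TRUST_TYPE_MIT (3)
trust_attributes         : 0x00000000 (0)
"""

_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_info_ex(dump: str) -> dict:
    """Extract the fields establish_trust() relies on from an ndr print dump."""
    info = {"names": []}
    for line in dump.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "string":
            info["names"].append(val.strip("'"))
        elif key == "sid":
            info["sid"] = None if val == "NULL" else val
        elif key in ("trust_type", "trust_direction", "trust_attributes"):
            # values print as 'NAME (n)' or '0x... (n)'; the decimal in parentheses is canonical
            info[key] = int(re.search(r"\((\d+)\)", val).group(1))
    return info

def check_existing_trust(info: dict, ipa_domain: str) -> Optional[str]:
    """Return an error message if AD already has an entry for ipa_domain that cannot be
    deleted by SID (a Kerberos/MIT trust carries none); None means it is safe to proceed."""
    if ipa_domain.lower() not in (n.lower() for n in info["names"]):
        return None
    if info.get("trust_type") == LSA_TRUST_TYPE_MIT or info.get("sid") is None:
        return ("AD already has a trust named %r with trust_type=%s and no SID (MIT/Kerberos "
                "trust); remove it on the AD side before running ipa trust-add"
                % (ipa_domain, info.get("trust_type")))
    return None
```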
Ok. Let me triage this one to next feature release, additional validation preventing user errors is always welcome.
Metadata Update from @rainmanh: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
I believe this is a duplicate of already fixed issue https://pagure.io/freeipa/issue/7264
Metadata Update from @abbra: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)