Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1509288
Description of problem:
Adding trust for Windows AD fails with internal error.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.centos.2.2.x86_64

How reproducible:

Steps to Reproduce:
1. yum install ipa-server ipa-server-trust-ad ipa-server-dns
2. ipa-server-install --setup-dns
3. ipa-adtrust-install
4. ipa -d trust-add --type=ad --all rl.ldap.local --admin Administrator --external=true --password

Actual results:
ipa: ERROR: an internal error has occurred

Expected results:
Established trust between AD and IPA

Additional info:
rpc reply data:
[Fri Nov 03 09:29:58.558188 2017] [:error] [pid 8126] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:34540: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Fri Nov 03 09:29:58.558272 2017] [:error] [pid 8126] Traceback (most recent call last):
[Fri Nov 03 09:29:58.558304 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Fri Nov 03 09:29:58.558312 2017] [:error] [pid 8126] result = command(*args, **options)
[Fri Nov 03 09:29:58.558319 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Nov 03 09:29:58.558326 2017] [:error] [pid 8126] return self.__do_call(*args, **options)
[Fri Nov 03 09:29:58.558333 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Nov 03 09:29:58.558339 2017] [:error] [pid 8126] ret = self.run(*args, **options)
[Fri Nov 03 09:29:58.558346 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Nov 03 09:29:58.558352 2017] [:error] [pid 8126] return self.execute(*args, **options)
[Fri Nov 03 09:29:58.558359 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 740, in execute
[Fri Nov 03 09:29:58.558372 2017] [:error] [pid 8126] result = self.execute_ad(full_join, *keys, **options)
[Fri Nov 03 09:29:58.558379 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 990, in execute_ad
[Fri Nov 03 09:29:58.558386 2017] [:error] [pid 8126] trust_type
[Fri Nov 03 09:29:58.558392 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1630, in join_ad_full_credentials
[Fri Nov 03 09:29:58.558399 2017] [:error] [pid 8126] trust_type, trust_external)
[Fri Nov 03 09:29:58.558405 2017] [:error] [pid 8126] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1260, in establish_trust
[Fri Nov 03 09:29:58.558411 2017] [:error] [pid 8126] res.info_ex.sid)
[Fri Nov 03 09:29:58.558419 2017] [:error] [pid 8126] TypeError: default/librpc/gen_ndr/py_lsa.c:34540: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Fri Nov 03 09:29:58.559626 2017] [:error] [pid 8126] ipa: INFO: [jsonserver_session] admin@IPA.RL.LDAP.LOCAL: trust_add/1(u'rl.ldap.local', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, all=True, version=u'2.228'): InternalError
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1509288
Based on https://bugzilla.redhat.com/show_bug.cgi?id=1509288#c4, the initial reproduction step is to attempt to add the trust from the AD side first as "trust to MIT Kerberos".
I.e. this issue doesn't happen in all trust-add cases.
Workaround: delete trust from AD side, add trust on IPA side first.
Metadata Update from @pvoborni: - Issue priority set to: normal - Issue tagged with: bug
master:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-5:
ipa-4-6:
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.8)