#7264 IPA trust-add internal error (expected security.dom_sid got None)
Closed: fixed 6 years ago Opened 6 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1509288

Description of problem: Adding trust for Windows AD fails with internal error.


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.centos.2.2.x86_64


How reproducible:


Steps to Reproduce:
1. yum install ipa-server ipa-server-trust-ad ipa-server-dns
2. ipa-server-install --setup-dns
3. ipa-adtrust-install
4. ipa -d trust-add --type=ad --all rl.ldap.local --admin Administrator --external=true --password

Actual results:
ipa: ERROR: an internal error has occurred


Expected results:
Established trust between AD and IPA


Additional info:

rpc reply data:
[Fri Nov 03 09:29:58.558188 2017] [:error] [pid 8126] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:34540: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Fri Nov 03 09:29:58.558272 2017] [:error] [pid 8126] Traceback (most recent call last):
[Fri Nov 03 09:29:58.558304 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Fri Nov 03 09:29:58.558312 2017] [:error] [pid 8126]     result = command(*args, **options)
[Fri Nov 03 09:29:58.558319 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Fri Nov 03 09:29:58.558326 2017] [:error] [pid 8126]     return self.__do_call(*args, **options)
[Fri Nov 03 09:29:58.558333 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Fri Nov 03 09:29:58.558339 2017] [:error] [pid 8126]     ret = self.run(*args, **options)
[Fri Nov 03 09:29:58.558346 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Fri Nov 03 09:29:58.558352 2017] [:error] [pid 8126]     return self.execute(*args, **options)
[Fri Nov 03 09:29:58.558359 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 740, in execute
[Fri Nov 03 09:29:58.558372 2017] [:error] [pid 8126]     result = self.execute_ad(full_join, *keys, **options)
[Fri Nov 03 09:29:58.558379 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 990, in execute_ad
[Fri Nov 03 09:29:58.558386 2017] [:error] [pid 8126]     trust_type
[Fri Nov 03 09:29:58.558392 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1630, in join_ad_full_credentials
[Fri Nov 03 09:29:58.558399 2017] [:error] [pid 8126]     trust_type, trust_external)
[Fri Nov 03 09:29:58.558405 2017] [:error] [pid 8126]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1260, in establish_trust
[Fri Nov 03 09:29:58.558411 2017] [:error] [pid 8126]     res.info_ex.sid)
[Fri Nov 03 09:29:58.558419 2017] [:error] [pid 8126] TypeError: default/librpc/gen_ndr/py_lsa.c:34540: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
[Fri Nov 03 09:29:58.559626 2017] [:error] [pid 8126] ipa: INFO: [jsonserver_session] admin@IPA.RL.LDAP.LOCAL: trust_add/1(u'rl.ldap.local', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', bidirectional=True, external=True, all=True, version=u'2.228'): InternalError

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1509288

6 years ago

Based on https://bugzilla.redhat.com/show_bug.cgi?id=1509288#c4, the initial reproduction step is to attempt to add the trust from the AD side first as "trust to MIT Kerberos".

I.e. this issue doesn't happen in all trust-add cases.

Workaround: delete trust from AD side, add trust on IPA side first.

Metadata Update from @pvoborni:
- Issue priority set to: normal
- Issue tagged with: bug

6 years ago

master:

  • 956e265 ipaserver/plugins/trust.py; fix some indenting issues
  • a57f613 trust: detect and error out when non-AD trust with IPA domain name exists
  • c19eb49 ipaserver/plugins/trust.py: pep8 compliance

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

ipa-4-5:

  • 44524b1 ipaserver/plugins/trust.py; fix some indenting issues
  • 365967f trust: detect and error out when non-AD trust with IPA domain name exists
  • e71f52f ipaserver/plugins/trust.py: pep8 compliance

ipa-4-6:

  • 0ea2e7e ipaserver/plugins/trust.py; fix some indenting issues
  • c34c1da trust: detect and error out when non-AD trust with IPA domain name exists
  • 31c2b1d ipaserver/plugins/trust.py: pep8 compliance

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.8)

6 years ago
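
The failure shape in the traceback (a `None` SID handed to a call that requires `security.dom_sid`) and the behaviour named by the fix commit title ("detect and error out when non-AD trust with IPA domain name exists"), as an added example; this is not FreeIPA's code. `TrustInfoEx`, `TrustConflict`, `delete_trusted_domain` and the two `replace_*` functions are hypothetical stand-ins, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Trust type values defined by MS-LSAD.
LSA_TRUST_TYPE_UPLEVEL = 2  # Active Directory domain
LSA_TRUST_TYPE_MIT = 3      # MIT Kerberos realm; the trust object has no SID

@dataclass
class TrustInfoEx:
    """Hypothetical stand-in for the info_ex record returned by the AD DC."""
    domain_name: str
    trust_type: int
    sid: Optional[str]

class TrustConflict(Exception):
    """Hypothetical error that can be reported to the admin as-is."""

def delete_trusted_domain(sid):
    # Stand-in for the binding call in the traceback, which rejects None.
    if not isinstance(sid, str):
        raise TypeError("Expected type 'security.dom_sid' for 'py_dom_sid' "
                        "of type '%s'" % type(sid).__name__)
    return "deleted " + sid

def replace_unguarded(info):
    # Shape of the failing call: the SID is passed on without inspection.
    return delete_trusted_domain(info.sid)

def replace_guarded(info):
    # Refuse to touch a pre-existing trust that is not an AD trust.
    if info is None:
        return "nothing to replace"
    if info.trust_type != LSA_TRUST_TYPE_UPLEVEL or info.sid is None:
        raise TrustConflict(
            "a non-AD trust named %s (type %d) already exists on the AD side; "
            "delete it there, then add the trust from IPA"
            % (info.domain_name, info.trust_type))
    return delete_trusted_domain(info.sid)

# Constructed sample records (the SID is a made-up value).
MIT_TRUST = TrustInfoEx("ipa.rl.ldap.local", LSA_TRUST_TYPE_MIT, None)
AD_TRUST = TrustInfoEx("ipa.rl.ldap.local", LSA_TRUST_TYPE_UPLEVEL,
                       "S-1-5-21-1111111111-2222222222-3333333333")

if __name__ == "__main__":
    for record in (AD_TRUST, MIT_TRUST):
        try:
            print(replace_guarded(record))
        except TrustConflict as exc:
            print("refused:", exc)
```
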
