#7828 ipa trust-add fails with ipa: ERROR: an internal error has occurred
Closed: fixed 8 months ago by cheimes. Opened 8 months ago by abbra.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1664023

Created attachment 1519026
/var/log/httpd/error_log

Description of problem:
ipa trust-add fails with ipa: ERROR: an internal error has occurred

Version-Release number of selected component (if applicable):
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
ipa-server-trust-ad-4.7.1-7.module+el8+2555+b334d87b.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Install IPA server and establish trust with AD
2. ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
3. ipa dnszone-add example.test --name-server=<hostname> --admin-email=hostmaster@example.test
4. ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True

Actual results:
ipa: ERROR: an internal error has occurred

Expected results:
ipa trust-add should be successful

Additional info:
Attached error_log with 'log level = 50' to /usr/share/ipa/smb.conf.empty

Discussion with Dev:
Alexander Bokovoy: "So we got back entry with LSA_FOREST_TRUST_DOMAIN_INFO and
need to adapt to that. Should be simple"

Console Output:
[root@kvm-04-guest10 ~]# echo <xxxxxx> | ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
-------------------------------------------------------
Added Active Directory trust for realm "ipaad2016.test"
-------------------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]#
[root@kvm-04-guest10 ~]# ipa dnszone-add example.test --name-server=kvm-04-guest10.realmmv073.test. --admin-email=hostmaster@example.test
ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is
used only for setting the SOA MNAME attribute.
NS record(s) can be edited in zone apex - '@'.
  Zone name: example.test.
  Active zone: TRUE
  Authoritative nameserver: kvm-04-guest10.realmmv073.test.
  Administrator e-mail address: hostmaster.example.test
  SOA serial: 1546866033
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant REALMMV073.TEST krb5-self * A; grant
REALMMV073.TEST krb5-self * AAAA; grant
                      REALMMV073.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@kvm-04-guest10 ~]# echo <xxxxxx> | ipa trust-add ipaad2016.test --admin Administrator --password --two-way=True
ipa: ERROR: an internal error has occurred

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1664023

8 months ago

Metadata Update from @abbra:
- Issue assigned to abbra

8 months ago

master:

  • 3c38aea ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
  • 2aa24ee make sure IPA_CONFDIR is used to check that client is configured

Failed to apply patches onto origin/ipa-4-6. Manual backport is needed.

Please backport the PR manually.

ipa-4-7:

  • e5471e6 ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
  • 736d2e0 make sure IPA_CONFDIR is used to check that client is configured

ipa-4-6:

  • d946d0d ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
  • 9f044d5 make sure IPA_CONFDIR is used to check that client is configured

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
