#7895 ipa trust fetch-domains, server parameter ignored
Closed: fixed 2 years ago by tdudlak. Opened 2 years ago by abbra.

In most Active Directory environments, not all servers are reachable on every physical site/location.

The _ldap and _kerberos (and other) SRV DNS records are always presented for all AD servers. That means, if trying to establish a cross domain trust or more specifically fetching the domains after the trust is established, the --server parameter is to be used to communicate with a specific server.

While the ipa trust-add --server=ad.example.com respects the --server parameter, ipa trust fetch-domains does not. The latter is automatically done by ipa trust-add.

At the end, the trust is established but not working.

Version-Release number of selected component (if applicable):
4.6

How reproducible:
Always

Steps to Reproduce:

ipa trust-add --server ad.example.com AD.EXAMPLE.COM

ipa: ERROR: error on server 'ipaserver.example.com': Fetching domains from trusted forest failed. See details in the error_log

Actual results:

ipa: ERROR: error on server 'ipaserver.example.com': Fetching domains from trusted forest failed. See details in the error_log

Expected results:

Added Active Directory trust for realm "ad.example.com"
-------------------------------------------------
Realm name: ad.example.com
Domain NetBIOS name: AD-EXAMPLE-COM
Domain Security Identifier: S-1-5-21-ZZZZZZZZZ-YYYYYYYY-XXXXXXXXX
SID blacklist incoming: 
 [..snip..]
Trust direction: One-way trust
Trust type: Active Directory domain
Trust status: Established and verified

Additional info:

In environments where only a few AD servers are not available for IPA, just try multiple times until you hit a server which is reachable. Not a nice workaround, it's rather boring.


Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1686302

2 years ago

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.6

2 years ago

Looks relatively easy to fix by extending https://pagure.io/freeipa/blob/master/f/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf to pass more than one argument to the helper. Oddjobd itself treats anything passed to the helper on the command line as arguments, up to the specified value. So if we add a --server name option, that would be two arguments in addition to the forest name. I think it makes sense to just set the arguments number high enough (10-20) to allow future option extensibility.

Then we can change IPA helper https://pagure.io/freeipa/blob/master/f/install/oddjob/com.redhat.idm.trust-fetch-domains.in (it has hardcoded 1 argument) and IPA callers to pass the options.

IPA callers:
- dbus helper is https://pagure.io/freeipa/blob/master/f/ipaserver/plugins/trust.py#_421 (only accepts one argument for the forest name)
- actual call from trust_add.execute() is https://pagure.io/freeipa/blob/master/f/ipaserver/plugins/trust.py#_776
- actual call from trust_fetch_domains.execute() is https://pagure.io/freeipa/blob/master/f/ipaserver/plugins/trust.py#_1782

Also, passing an existing discovered server should be preferred. If we established trust with a specific server, we most likely should be using that for the helper runs as well, because it would allow us to avoid possible replication delays on the AD side and not run discovery of AD DCs again and again.
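The comment above describes two coupled constraints: oddjobd only forwards as many command-line values to a helper as its config's `arguments` attribute allows, and adding a `--server NAME` option to the D-Bus call costs two of those slots on top of the forest name. The following is an added example, not FreeIPA's or oddjob's own code: it reads a constructed oddjobd config fragment (the element and attribute names are modelled on oddjobd's format and are an assumption, as is the limit value 20), builds the argument list a caller would pass, checks it fits, and parses it the way a helper with an assumed `--server` option would.

```python
"""Added example (not FreeIPA's own code): how the oddjobd `arguments` limit
bounds what a D-Bus caller can hand to the trust-fetch-domains helper, and how
the helper side can accept an optional --server alongside the forest name."""
import argparse
import xml.etree.ElementTree as ET

# Constructed config fragment modelled on the oddjobd-ipa-trust.conf layout.
# Element/attribute names and the limit of 20 are assumptions for illustration;
# the real file's contents are not reproduced here.
ODDJOB_CONF = """<?xml version="1.0"?>
<oddjobconfig>
  <service name="com.redhat.idm.trust">
    <object name="/">
      <interface name="com.redhat.idm.trust">
        <method name="fetch_domains">
          <helper exec="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains"
                  arguments="20"
                  prepend_user_name="no"
                  argument_passing_method="cmdline"/>
        </method>
      </interface>
    </object>
  </service>
</oddjobconfig>
"""


def helper_arg_limit(conf_xml, method="fetch_domains"):
    """Return the `arguments` value oddjobd applies to the named method's helper."""
    root = ET.fromstring(conf_xml)
    for m in root.iter("method"):
        if m.get("name") == method:
            helper = m.find("helper")
            return int(helper.get("arguments", "0"))
    raise KeyError("no helper configured for method %r" % method)


def build_helper_args(forest, server=None):
    """Build the argv a caller passes through oddjobd: forest name first, then
    the optional --server pair (the 'two arguments in addition' from the issue)."""
    args = [forest]
    if server:
        args += ["--server", server]
    return args


def check_fits(args, limit):
    """Per the issue, oddjobd forwards arguments only up to the configured value,
    so a caller should verify the list fits before making the D-Bus call."""
    return len(args) <= limit


def parse_helper_args(argv):
    """Helper-side parsing: positional forest name plus an assumed --server option.
    Returns (forest, server) with server=None when not supplied."""
    parser = argparse.ArgumentParser(prog="trust-fetch-domains")
    parser.add_argument("forest", help="trusted forest name")
    parser.add_argument("-s", "--server", default=None,
                        help="AD domain controller to contact (assumed option)")
    ns = parser.parse_args(argv)
    return ns.forest, ns.server
```

With the pre-fix value of `arguments="1"`, `check_fits(build_helper_args("ad.example.com", "dc1.ad.example.com"), 1)` is False, which is exactly why a `--server` option cannot reach the helper until the config limit is raised along with the helper's own parser.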

master:

  • de4a987 oddjob: allow to pass options to trust-fetch-domains

Failed to apply patches onto origin/ipa-4-6. Manual backport is needed.

ipa-4-7:

  • 12bc3fd oddjob: allow to pass options to trust-fetch-domains

ipa-4-6:

  • 916d4f3 oddjob: allow to pass options to trust-fetch-domains

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

master:

  • 6c9fccc trust-fetch-domains: make sure we use right KDC when --server is specified

ipa-4-6:

  • 076cb69 trust-fetch-domains: make sure we use right KDC when --server is specified

ipa-4-7:

  • 2dcf15b trust-fetch-domains: make sure we use right KDC when --server is specified

master:

  • 843f57a ipatests: new test for trust with partially unreachable AD topology

ipa-4-6:

  • e0da5f7 ipatests: new test for trust with partially unreachable AD topology

ipa-4-7:

  • 0ae3009 ipatests: new test for trust with partially unreachable AD topology

ipa-4-8:

  • 14407bb ipatests: new test for trust with partially unreachable AD topology

ipa-4-6:

  • 795a973 ipatests: provide AD admin password when trying to establish trust

master:

  • aae30eb ipatests: provide AD admin password when trying to establish trust

ipa-4-8:

  • 814b47e ipatests: provide AD admin password when trying to establish trust

ipa-4-7:

  • db1b9fc ipatests: provide AD admin password when trying to establish trust
