#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.

Issue

Multiple nightly tests are failing when setting up a trust in SELinux enforcing mode. See PR #413:
- test_idviews: report
- test_ipahealthcheck_trust: report
- test_sssd: report
- test_trust: report

Similar logs:

RUN ['ipa', 'trust-add', '--type', 'ad', 'ad.test', '--range-type', 'ipa-ad-trust', '--admin', 'Administrator', '--password']
ipa: ERROR: error on server 'master.ipa.test': Fetching domains from trusted forest failed. See details in the error_log
Exit code: 1

with httpd's error_log:

ipa: INFO: [jsonserver_kerb] admin@IPA.TEST: trust_add/1('ad.test', trust_type='ad', realm_admin='Administrator', realm_passwd='********', range_type='ipa-ad-trust', version='2.239'): RemoteRetrieveError
failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.TEST)!, referer: https://master.ipa.test/ipa/xml
ipa: ERROR: Helper fetch_domains was called for forest ad.test, return code is 1
ipa: ERROR: Standard output from the helper:
---

ipa: ERROR: Error output from the helper:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/ipaserver/dcerpc.py", line 852, in __gen_lsa_connection
    result = lsa.lsarpc(binding, self.parm, self.creds)
samba.NTSTATUSError: (3221225485, 'An invalid parameter was passed to a service or function.')

During handling of the above exception, another exception occurred:

 Traceback (most recent call last):
  File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 314, in <module>
    domains = dcerpc.fetch_domains(
  File "/usr/lib/python3.8/site-packages/ipaserver/dcerpc.py", line 1524, in fetch_domains
    domains = communicate(td)
  File "/usr/lib/python3.8/site-packages/ipaserver/dcerpc.py", line 1484, in communicate
    td.init_lsa_pipe(td.info['dc'])
  File "/usr/lib/python3.8/site-packages/ipaserver/dcerpc.py", line 876, in init_lsa_pipe
    self._pipe = self.__gen_lsa_connection(binding)
  File "/usr/lib/python3.8/site-packages/ipaserver/dcerpc.py", line 855, in __gen_lsa_connection
    raise assess_dcerpc_error(e)
ipalib.errors.RemoteRetrieveError: CIFS server communication error: code "3221225485", message "An invalid parameter was passed to a service or function." (both may be "None")
--

ipa: INFO: [jsonserver_session] admin@IPA.TEST: trust_add/1('ad.test', trust_type='ad', realm_admin='Administrator', realm_passwd='********', range_type='ipa-ad-trust', version='2.239'): ServerCommandError

This has already been reported in https://bugzilla.redhat.com/show_bug.cgi?id=1797719
(selinux/Fedora32)
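
A triage helper for the error_log excerpt above, given as an added example that is not part of the original ticket or of FreeIPA: it pairs each failed oddjob helper call with the NTSTATUS that follows it and splits the 32-bit value into the severity, facility and code fields defined in MS-ERREF. The function names and the sample log are constructed for illustration; 3221225485 is 0xC000000D (STATUS_INVALID_PARAMETER).

```python
import re

# Constructed sample, modelled on the error_log lines quoted in this issue.
SAMPLE_LOG = """\
ipa: ERROR: Helper fetch_domains was called for forest ad.test, return code is 1
ipa: ERROR: Error output from the helper:
samba.NTSTATUSError: (3221225485, 'An invalid parameter was passed to a service or function.')
"""

HELPER_RE = re.compile(
    r"Helper (?P<helper>\S+) was called for forest (?P<forest>\S+), "
    r"return code is (?P<rc>-?\d+)")
NTSTATUS_RE = re.compile(r"NTSTATUSError: \((?P<code>\d+), '(?P<msg>[^']*)'\)")
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into the bit fields defined in MS-ERREF."""
    value &= 0xFFFFFFFF
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],        # bits 31-30
        "customer": bool(value & 0x20000000),     # bit 29
        "facility": (value >> 16) & 0x0FFF,       # bits 27-16
        "code": value & 0xFFFF,                   # bits 15-0
    }


def summarize(log_text):
    """Pair each failed helper invocation with the first NTSTATUS after it."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = HELPER_RE.search(line)
        if m:
            current = {"helper": m["helper"], "forest": m["forest"],
                       "rc": int(m["rc"]), "ntstatus": None, "message": None}
            findings.append(current)
            continue
        m = NTSTATUS_RE.search(line)
        if m and current is not None and current["ntstatus"] is None:
            current["ntstatus"] = decode_ntstatus(int(m["code"]))
            current["message"] = m["msg"]
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```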


Without Samba logs it is impossible to say what's actually happened. Can we add /var/log/samba/* to the list of collected logs?

Also, running trust tests with

[global]
log level = 10

in /usr/share/ipa/smb.conf.empty and

[global]
debug=True

in /etc/ipa/server.conf

would allow us to capture client-side issues (like this one)

Also, we need to understand the don't audit rules, because this was supposed to be fixed by the changes that went in with https://pagure.io/freeipa/issue/8395

Similar error observed in [testing_master_testing_selinux] PR 526 : Logs
for test
- test_ipahealthcheck_adtrust
- test_integration/test_sssd.py::TestSSSDWithAdTrust : Logs

Following failures were also observed Logs
- test_integration/test_trust.py::TestTrust::test_establish_nonposix_trust
- test_integration/test_trust.py::TestTrust::test_trustdomains_found_in_nonposix_trust
- test_integration/test_trust.py::TestTrust::test_upn_in_nonposix_trust
- test_integration/test_trust.py::TestTrust::test_upn_user_authentication_in_nonposix_trust
- test_integration/test_trust.py::TestTrust::test_establish_posix_trust
- test_integration/test_trust.py::TestTrust::test_trustdomains_found_in_posix_trust
- test_integration/test_trust.py::TestTrust::test_establish_external_subdomain_trust
- test_integration/test_trust.py::TestTrust::test_establish_external_treedomain_trust
- test_integration/test_trust.py::TestTrust::test_establish_external_rootdomain_trust
- test_integration/test_trust.py::TestTrust::test_trustdomains_found_in_forest_trust_with_shared_secret
- test_integration/test_trust.py::TestTrust::test_server_option_with_unreachable_ad

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5385

3 years ago

master:

  • add58fb selinux: modify policy to allow one-way trust

ipa-4-8:

  • 40b69f2 selinux: modify policy to allow one-way trust

ipa-4-9:

  • 952b6bd selinux: modify policy to allow one-way trust

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Another failure observed: PR633, logs
