#9030 Can not establish trust with AD when FreeIPA server is operating in development mode
Opened 2 years ago by sorlov. Modified 2 years ago

Request for enhancement

As a tester, I want to establish trust with Active Directory while operating FreeIPA in development mode so that additional checks are performed.

Issue

Establishing trust while the FreeIPA server is operating in development mode fails with the error message "ipa: ERROR: an internal error has occurred"

Steps to Reproduce

  1. Prepare Windows Server:
    - set Administrator password "Secret123"
    - configure as AD controller for domain "ad.test"
    - execute dnscmd 127.0.0.1 /ZoneAdd ipa.test /Forwarder IPA_SERVER_IP_ADDRESS

  2. Set up IPA server - execute script:

hostnamectl set-hostname master.ipa.test
dnf install -y freeipa-*
ipa-server-install -U -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --setup-dns --setup-kra --no-forwarders
echo Secret.123 | kinit admin
ipa-adtrust-install -a Secret123 -U
sed -ire "s/dnssec-validation yes/dnssec-validation no/" /etc/named/ipa-options-ext.conf
ipactl restart
echo Secret.123 | kinit admin
ipa dnsforwardzone-add ad.test --forwarder=AD_DC_IP_ADDRESS --forward-policy=only

  3. Switch IPA server to development mode:

sed -ire "s/mode = production/mode = development/" /etc/ipa/default.conf
ipactl restart

  4. Try to establish trust with AD:

echo Secret123 | ipa trust-add ad.test

Actual behavior

"ipa: ERROR: an internal error has occurred"

Expected behavior

Trust is established

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

freeipa-server-4.9.6-2.fc34.x86_64
freeipa-client-4.9.6-2.fc34.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.7-1.fc34.x86_64
pki-ca-10.10.6-1.fc34.noarch
krb5-server-1.19.1-14.fc34.x86_64

Additional info:

If I switch the IPA server back to production mode, the trust is established successfully. If I delete the trust and switch to development mode again, ipa trust-add fails again with the same error message.

This happens with SELinux both in enforcing and in permissive mode.

/var/log/httpd/error_log:

Tue Nov 09 15:38:10.072885 2021] [:warn] [pid 23900:tid 24089] [client 192.168.122.134:41796] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.TEST-jzGifL)!, referer: https://master.ipa.test/ipa/xml
[Tue Nov 09 15:38:11.166146 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] ipa: ERROR: non-public: AttributeError: locked: cannot set trust_add.trustinstance to <ipaserver.dcerpc.TrustDomainJoins object at 0x7feedd6be5e0>
[Tue Nov 09 15:38:11.166191 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] Traceback (most recent call last):
[Tue Nov 09 15:38:11.166196 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 400, in wsgi_execute
[Tue Nov 09 15:38:11.166201 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     result = command(*args, **options)
[Tue Nov 09 15:38:11.166205 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
[Tue Nov 09 15:38:11.166209 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     return self.__do_call(*args, **options)
[Tue Nov 09 15:38:11.166255 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
[Tue Nov 09 15:38:11.166263 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     ret = self.run(*args, **options)
[Tue Nov 09 15:38:11.166267 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
[Tue Nov 09 15:38:11.166271 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     return self.execute(*args, **options)
[Tue Nov 09 15:38:11.166275 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 759, in execute
[Tue Nov 09 15:38:11.166279 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     full_join = self.validate_options(*keys, **options)
[Tue Nov 09 15:38:11.166283 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 868, in validate_options
[Tue Nov 09 15:38:11.166287 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Tue Nov 09 15:38:11.166300 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/base.py", line 131, in __setattr__
[Tue Nov 09 15:38:11.166304 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     raise AttributeError(
[Tue Nov 09 15:38:11.166308 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] AttributeError: locked: cannot set trust_add.trustinstance to <ipaserver.dcerpc.TrustDomainJoins object at 0x7feedd6be5e0>
[Tue Nov 09 15:38:11.166866 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] ipa: INFO: [jsonserver_session] admin@IPA.TEST: trust_add/1('ad.test', realm_admin='Secret123', realm_passwd=None, version='2.242'): InternalError

The problem is self.trustinstance. The IPA framework does not allow modifying a class instance, hence this error.

Typically this is done using a context variable to ensure that it is per-request only.
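An added illustration, not ipalib's code, of the two patterns contrasted in the comment above: a framework that locks plugin instances after setup rejects any per-request attribute set on them, while a `contextvars.ContextVar` keeps the same object scoped to one request. Class and attribute names mirror the traceback; the `('TrustDomainJoins', domain)` tuple is a constructed stand-in for the real join object.

```python
import contextvars

class ReadOnly:
    # Stand-in for a framework that locks plugin instances once finalized so
    # per-request state cannot be stored on shared objects (not ipalib's code).
    __locked = False

    def lock(self):
        object.__setattr__(self, '_ReadOnly__locked', True)

    def __setattr__(self, name, value):
        if self.__locked:
            raise AttributeError('locked: cannot set %s.%s to %r'
                                 % (self.__class__.__name__, name, value))
        object.__setattr__(self, name, value)

class TrustAddBuggy(ReadOnly):
    def validate_options(self, domain):
        # Stores request state on the shared instance: fails once locked.
        self.trustinstance = ('TrustDomainJoins', domain)  # constructed stand-in
        return self.trustinstance

# Per-request slot living in the request's context instead of on the plugin.
_trustinstance = contextvars.ContextVar('trustinstance')

class TrustAddFixed(ReadOnly):
    def validate_options(self, domain):
        _trustinstance.set(('TrustDomainJoins', domain))
        return _trustinstance.get()

def run_request(command, domain):
    # Each request runs in its own copied context, as a server would do.
    return contextvars.copy_context().run(command.validate_options, domain)

def reproduce():
    # Development mode: the instance is locked, so the assignment raises.
    cmd = TrustAddBuggy()
    cmd.lock()
    try:
        run_request(cmd, 'ad.test')
    except AttributeError as exc:
        return str(exc)

def demonstrate_fix():
    # Locked instance + ContextVar: per-request values, no leak onto the shared object.
    cmd = TrustAddFixed()
    cmd.lock()
    first = run_request(cmd, 'ad.test')
    second = run_request(cmd, 'other.test')
    return first, second, hasattr(cmd, 'trustinstance'), _trustinstance.get(None)
```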
