As a tester, I want to establish trust with Active Directory while operating FreeIPA in development mode so that additional checks are performed.
Establishing trust while the FreeIPA server is operating in development mode fails with the error message "ipa: ERROR: an internal error has occurred".
Prepare Windows Server:
- set Administrator password "Secret123"
- configure as AD controller for domain "ad.test"
- execute:

```
dnscmd 127.0.0.1 /ZoneAdd ipa.test /Forwarder IPA_SERVER_IP_ADDRESS
```
Setup IPA server - execute script:

```sh
hostnamectl set-hostname master.ipa.test
dnf install -y freeipa-*
ipa-server-install -U -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --setup-dns --setup-kra --no-forwarders
echo Secret.123 | kinit admin
ipa-adtrust-install -a Secret123 -U
# disable DNSSEC validation in the IPA-managed named options (lab forwarders are unsigned)
sed -i -e "s/dnssec-validation yes/dnssec-validation no/" /etc/named/ipa-options-ext.conf
ipactl restart
echo Secret.123 | kinit admin
ipa dnsforwardzone-add ad.test --forwarder=AD_DC_IP_ADDRESS --forward-policy=only
```

Switch IPA server to development mode:

```sh
sed -i -e "s/mode = production/mode = development/" /etc/ipa/default.conf
ipactl restart
```
Establish the trust:

```sh
echo Secret123 | ipa trust-add ad.test
```

Actual result:

```
ipa: ERROR: an internal error has occurred
```

Expected result: trust is established.
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.6-2.fc34.x86_64
freeipa-client-4.9.6-2.fc34.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.7-1.fc34.x86_64
pki-ca-10.10.6-1.fc34.noarch
krb5-server-1.19.1-14.fc34.x86_64
```
If I switch the IPA server back to production mode, the trust is established successfully. If I delete the trust and switch to development mode again, ipa trust-add fails again with the same error message.
This happens with SELinux both in enforcing and permissive mode.
/var/log/httpd/error_log:
```
[Tue Nov 09 15:38:10.072885 2021] [:warn] [pid 23900:tid 24089] [client 192.168.122.134:41796] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.TEST-jzGifL)!, referer: https://master.ipa.test/ipa/xml
[Tue Nov 09 15:38:11.166146 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] ipa: ERROR: non-public: AttributeError: locked: cannot set trust_add.trustinstance to <ipaserver.dcerpc.TrustDomainJoins object at 0x7feedd6be5e0>
[Tue Nov 09 15:38:11.166191 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] Traceback (most recent call last):
[Tue Nov 09 15:38:11.166196 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 400, in wsgi_execute
[Tue Nov 09 15:38:11.166201 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     result = command(*args, **options)
[Tue Nov 09 15:38:11.166205 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
[Tue Nov 09 15:38:11.166209 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     return self.__do_call(*args, **options)
[Tue Nov 09 15:38:11.166255 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
[Tue Nov 09 15:38:11.166263 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     ret = self.run(*args, **options)
[Tue Nov 09 15:38:11.166267 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
[Tue Nov 09 15:38:11.166271 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     return self.execute(*args, **options)
[Tue Nov 09 15:38:11.166275 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 759, in execute
[Tue Nov 09 15:38:11.166279 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     full_join = self.validate_options(*keys, **options)
[Tue Nov 09 15:38:11.166283 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 868, in validate_options
[Tue Nov 09 15:38:11.166287 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Tue Nov 09 15:38:11.166300 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]   File "/usr/lib/python3.9/site-packages/ipalib/base.py", line 131, in __setattr__
[Tue Nov 09 15:38:11.166304 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796]     raise AttributeError(
[Tue Nov 09 15:38:11.166308 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] AttributeError: locked: cannot set trust_add.trustinstance to <ipaserver.dcerpc.TrustDomainJoins object at 0x7feedd6be5e0>
[Tue Nov 09 15:38:11.166866 2021] [wsgi:error] [pid 23892:tid 24368] [remote 192.168.122.134:41796] ipa: INFO: [jsonserver_session] admin@IPA.TEST: trust_add/1('ad.test', realm_admin='Secret123', realm_passwd=None, version='2.242'): InternalError
```
The problem is self.trustinstance. The IPA framework does not allow modifying a class instance, hence this error.
Typically this is done using a context variable to ensure that it is per-request only.
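The locking behaviour and the per-request fix described in the comment above, as an added Python model that is not ipalib's or FreeIPA's own code: a small ReadOnly class stands in for ipalib.base.ReadOnly, a hypothetical TrustDomainJoins for ipaserver.dcerpc.TrustDomainJoins, and, as ipalib does, plugin instances are locked only outside production mode. The buggy plugin assigns self.trustinstance on the shared instance; the fixed one keeps it in a contextvars.ContextVar so each request sees only its own object.

```python
import contextvars

class ReadOnly:
    """Model of ipalib.base.ReadOnly: once locked, setattr raises."""
    _locked = False
    def lock(self):
        object.__setattr__(self, "_locked", True)

    def __setattr__(self, name, value):
        if self._locked:
            raise AttributeError(
                f"locked: cannot set {type(self).__name__}.{name} to {value!r}")
        object.__setattr__(self, name, value)

class TrustDomainJoins: pass  # stand-in for ipaserver.dcerpc.TrustDomainJoins

class TrustAddBuggy(ReadOnly):
    """Stores per-request state on the shared plugin instance (the bug)."""
    def validate_options(self):
        self.trustinstance = TrustDomainJoins()  # raises once locked

_trustinstance = contextvars.ContextVar("trustinstance", default=None)  # per-request slot

class TrustAddFixed(ReadOnly):
    """Keeps the state in a context variable; the instance is never mutated."""
    def validate_options(self):
        _trustinstance.set(TrustDomainJoins())
        return _trustinstance.get()

def finalize(plugin, mode):
    """As ipalib does, lock plugin instances only outside production mode."""
    if mode != "production":
        plugin.lock()
    return plugin

def run(plugin_cls, mode):
    """Return 'ok', or the error text a request would hit in this mode."""
    try:
        finalize(plugin_cls(), mode).validate_options()
        return "ok"
    except AttributeError as e:
        return str(e)

def isolated():
    """Two request contexts get distinct objects; the caller's slot is untouched."""
    before = _trustinstance.get()
    a = contextvars.copy_context().run(TrustAddFixed().validate_options)
    b = contextvars.copy_context().run(TrustAddFixed().validate_options)
    return a is not b and _trustinstance.get() is before
```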