SSSD test fails on Fedora 39 and rawhide on ipa --no-prompt group-add-member external-group --external administrator@samba.test. The same test works fine on ipa-4.10, but fails on ipa-4.11. This is still in the setup phase; SSSD is not involved in any way.
ipa --no-prompt group-add-member external-group --external administrator@samba.test
Command #7645 exited with return code 1:
Command: ipa --no-prompt group-add-member external-group --external administrator@samba.test
CWD:
Env:
Output:
Error output: ipa: ERROR: an internal error has occurred
/var/log/httpd/error_log
[Wed Oct 11 10:57:26.275608 2023] [:warn] [pid 6824:tid 6981] [client 172.16.100.10:43750] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.TEST-qIYDN7)!, referer: https://master.ipa.test/ipa/xml
[Wed Oct 11 10:57:26.299753 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ipa: ERROR: non-public: ValueError: Unable to parse string: 'administrator@samba.test'
[Wed Oct 11 10:57:26.299777 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] Traceback (most recent call last):
[Wed Oct 11 10:57:26.299781 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 407, in wsgi_execute
[Wed Oct 11 10:57:26.299785 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] result = command(*args, **options)
[Wed Oct 11 10:57:26.299789 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299792 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 11 10:57:26.299796 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] return self.__do_call(*args, **options)
[Wed Oct 11 10:57:26.299800 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299803 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 11 10:57:26.299806 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ret = self.run(*args, **options)
[Wed Oct 11 10:57:26.299810 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299813 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
[Wed Oct 11 10:57:26.299816 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] return self.execute(*args, **options)
[Wed Oct 11 10:57:26.299820 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299823 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipaserver/plugins/baseldap.py", line 1829, in execute
[Wed Oct 11 10:57:26.299826 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] (completed, entry_attrs.dn) = callback(
[Wed Oct 11 10:57:26.299830 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^
[Wed Oct 11 10:57:26.299845 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipaserver/plugins/group.py", line 659, in post_callback
[Wed Oct 11 10:57:26.299849 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] if domain_validator.is_trusted_sid_valid(sid):
[Wed Oct 11 10:57:26.299852 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299855 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipaserver/dcerpc.py", line 339, in is_trusted_sid_valid
[Wed Oct 11 10:57:26.299859 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] self.get_domain_by_sid(sid)
[Wed Oct 11 10:57:26.299862 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] File "/usr/lib/python3.12/site-packages/ipaserver/dcerpc.py", line 305, in get_domain_by_sid
[Wed Oct 11 10:57:26.299866 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] test_sid = security.dom_sid(sid)
[Wed Oct 11 10:57:26.299869 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299872 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ValueError: Unable to parse string: 'administrator@samba.test'
[Wed Oct 11 10:57:26.300013 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ipa: INFO: [jsonserver_session] admin@IPA.TEST: group_add_member/1('external-group', ipaexternalmember=('administrator@samba.test',), version='2.253'): InternalError
External member is added.
$ rpm -q freeipa-server httpd
freeipa-server-4.11.0-5.fc39.x86_64
httpd-2.4.57-3.fc39.x86_64
Pull request with test: https://github.com/SSSD/sssd/pull/6943
Please note that the test in PR CI runs against SambaDC, but the same error occurs with Active Directory as well.
Metadata Update from @frenaud: - Issue assigned to frenaud
The issue does not happen on Fedora 38, even with a custom IPA 4.11 build:
# rpm -qa samba freeipa-server sssd-client
sssd-client-2.9.1-1.fc38.x86_64
samba-4.18.8-1.fc38.x86_64
freeipa-server-4.11.1.dev202310171153+gitbbaee5038-0.fc38.x86_64
# ipa group-add --external myextgroup
------------------------
Added group "myextgroup"
------------------------
Group name: myextgroup
# ipa --no-prompt group-add-member myextgroup --external administrator@adflo.test
Group name: myextgroup
External member: S-1-5-21-2886377706-3611497400-428869762-500
-------------------------
Number of members added 1
-------------------------
But it is failing on Fedora 39:
# rpm -qa freeipa-server samba sssd-client
sssd-client-2.9.2-1.fc39.x86_64
freeipa-server-4.11.0-4.beta1.fc39.x86_64
samba-4.19.2-1.fc39.x86_64
IPA expects a TypeError, but it throws a ValueError.
https://github.com/freeipa/freeipa/blob/master/ipaserver/dcerpc.py#L306C23-L306C23
Might be that Python 3.12 throws a different exception class now.
The root cause has been identified. samba used to raise a TypeError when the method samba.security.dom_sid() was called with a value not following the SID format, but now raises a ValueError: https://github.com/samba-team/samba/commit/9abdd6756500af1b0373bd325e5c0805755f2a4d
IPA source code needs to be adapted to handle both exception types.
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7061
master:
You also need to fix https://pagure.io/freeipa/blob/master/f/ipaserver/dcerpc.py#_97
ipa-4-11:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Issue status updated to: Open (was: Closed)
I will make a separate PR as the first one is already merged. Thanks for noticing.
Better check if there are more locations in the code :-)
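An added example, not code from FreeIPA or from this ticket: a small AST check for the follow-up suggested above, listing every try block around a dom_sid() call whose handlers would let TypeError or ValueError escape. SAMPLE is a constructed snippet, and find_incomplete_handlers and its helpers are hypothetical names.

```python
import ast

REQUIRED = {"TypeError", "ValueError"}  # old and new failure modes of dom_sid()

# Constructed sample, not FreeIPA source: one handler written for the old
# Samba behaviour only, one that tolerates both exception classes.
SAMPLE = '''
def get_domain_by_sid(sid):
    try:
        test_sid = security.dom_sid(sid)
    except TypeError:
        raise LookupError("not a SID")

def is_sid(value):
    try:
        security.dom_sid(value)
    except (TypeError, ValueError):
        return False
    return True
'''

def _caught(handler):
    """Exception names one except clause handles; broad clauses handle all."""
    t = handler.type
    if t is None:  # bare 'except:'
        return set(REQUIRED)
    nodes = t.elts if isinstance(t, ast.Tuple) else [t]
    names = {getattr(n, "id", getattr(n, "attr", None)) for n in nodes}
    return set(REQUIRED) if names & {"Exception", "BaseException"} else names

def _calls_dom_sid(stmts):
    """True if the try body calls something named dom_sid."""
    calls = (n for s in stmts for n in ast.walk(s) if isinstance(n, ast.Call))
    return any(getattr(c.func, "attr", getattr(c.func, "id", None)) == "dom_sid"
               for c in calls)

def find_incomplete_handlers(source):
    """Return sorted [(line, missing)] for try blocks around dom_sid() that
    would let TypeError or ValueError escape."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Try) and _calls_dom_sid(node.body):
            caught = set().union(*(_caught(h) for h in node.handlers))
            if REQUIRED - caught:
                findings.append((node.lineno, sorted(REQUIRED - caught)))
    return sorted(findings)

if __name__ == "__main__":
    print(find_incomplete_handlers(SAMPLE))
```

Calls to dom_sid() that sit outside any try block are not reported; those need a separate review of how the caller handles the exception.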
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-17623, https://issues.redhat.com/browse/RHEL-16985
ipa-4-10:
ipa-4-9: