#9466 Regression: group-add-member --external does not work
Closed: fixed a year ago by frenaud. Opened a year ago by pbrezina.

Issue

SSSD test fails at Fedora 39 and rawhide on ipa --no-prompt group-add-member external-group --external administrator@samba.test. Same test works fine on ipa-4.10, but fails on ipa-4.11. This is still in the setup phase; SSSD is not involved in any way.

Steps to Reproduce

  1. Setup trust with samba/ad
  2. Add external group
  3. Add external member to the external group

Actual behavior

 Command #7645 exited with return code 1:
  Command:
    ipa --no-prompt group-add-member external-group --external administrator@samba.test
  CWD:
  Env:
  Output:
  Error output:
    ipa: ERROR: an internal error has occurred

/var/log/httpd/error_log

[Wed Oct 11 10:57:26.275608 2023] [:warn] [pid 6824:tid 6981] [client 172.16.100.10:43750] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.TEST-qIYDN7)!, referer: https://master.ipa.test/ipa/xml
[Wed Oct 11 10:57:26.299753 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ipa: ERROR: non-public: ValueError: Unable to parse string: 'administrator@samba.test'
[Wed Oct 11 10:57:26.299777 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] Traceback (most recent call last):
[Wed Oct 11 10:57:26.299781 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipaserver/rpcserver.py", line 407, in wsgi_execute
[Wed Oct 11 10:57:26.299785 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     result = command(*args, **options)
[Wed Oct 11 10:57:26.299789 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]              ^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299792 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Oct 11 10:57:26.299796 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     return self.__do_call(*args, **options)
[Wed Oct 11 10:57:26.299800 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299803 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Oct 11 10:57:26.299806 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     ret = self.run(*args, **options)
[Wed Oct 11 10:57:26.299810 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]           ^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299813 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipalib/frontend.py", line 816, in run
[Wed Oct 11 10:57:26.299816 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     return self.execute(*args, **options)
[Wed Oct 11 10:57:26.299820 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299823 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipaserver/plugins/baseldap.py", line 1829, in execute
[Wed Oct 11 10:57:26.299826 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     (completed, entry_attrs.dn) = callback(
[Wed Oct 11 10:57:26.299830 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]                                   ^^^^^^^^^
[Wed Oct 11 10:57:26.299845 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipaserver/plugins/group.py", line 659, in post_callback
[Wed Oct 11 10:57:26.299849 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     if domain_validator.is_trusted_sid_valid(sid):
[Wed Oct 11 10:57:26.299852 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299855 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipaserver/dcerpc.py", line 339, in is_trusted_sid_valid
[Wed Oct 11 10:57:26.299859 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     self.get_domain_by_sid(sid)
[Wed Oct 11 10:57:26.299862 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]   File "/usr/lib/python3.12/site-packages/ipaserver/dcerpc.py", line 305, in get_domain_by_sid
[Wed Oct 11 10:57:26.299866 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]     test_sid = security.dom_sid(sid)
[Wed Oct 11 10:57:26.299869 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750]                ^^^^^^^^^^^^^^^^^^^^^
[Wed Oct 11 10:57:26.299872 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ValueError: Unable to parse string: 'administrator@samba.test'
[Wed Oct 11 10:57:26.300013 2023] [wsgi:error] [pid 6819:tid 7128] [remote 172.16.100.10:43750] ipa: INFO: [jsonserver_session] admin@IPA.TEST: group_add_member/1('external-group', ipaexternalmember=('administrator@samba.test',), version='2.253'): InternalError

Expected behavior

External member is added.

Version/Release/Distribution

$ rpm -q freeipa-server httpd
freeipa-server-4.11.0-5.fc39.x86_64
httpd-2.4.57-3.fc39.x86_64

Additional info:

Pull request with test: https://github.com/SSSD/sssd/pull/6943


Please note that the test in PR CI runs against SambaDC, but the same error occurs with Active Directory as well.

Metadata Update from @frenaud:
- Issue assigned to frenaud

a year ago

The issue does not happen on fedora 38, even with a custom IPA 4.11 build:

# rpm -qa samba freeipa-server sssd-client
sssd-client-2.9.1-1.fc38.x86_64
samba-4.18.8-1.fc38.x86_64
freeipa-server-4.11.1.dev202310171153+gitbbaee5038-0.fc38.x86_64
# ipa group-add --external myextgroup
------------------------
Added group "myextgroup"
------------------------
  Group name: myextgroup
# ipa --no-prompt group-add-member myextgroup --external administrator@adflo.test
  Group name: myextgroup
  External member: S-1-5-21-2886377706-3611497400-428869762-500
-------------------------
Number of members added 1
-------------------------

But it is failing on fedora 39:

# rpm -qa freeipa-server samba sssd-client
sssd-client-2.9.2-1.fc39.x86_64
freeipa-server-4.11.0-4.beta1.fc39.x86_64
samba-4.19.2-1.fc39.x86_64

IPA expects a TypeError, but it throws a ValueError.

https://github.com/freeipa/freeipa/blob/master/ipaserver/dcerpc.py#L306C23-L306C23

Might be that Python 3.12 throws a different exception class now.

The root cause has been identified. samba used to raise a TypeError when the method samba.security.dom_sid() was called with a value not following the SID format, but now raises a ValueError:
https://github.com/samba-team/samba/commit/9abdd6756500af1b0373bd325e5c0805755f2a4d

IPA source code needs to be adapted to handle both exception types.
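
An added example (not FreeIPA's or samba's own code) of the compatible handling the comment above calls for: it uses samba.security.dom_sid when that module is importable and otherwise a pure-Python stand-in (an assumption, matching only the S-1-... textual SID format) that raises ValueError like the newer samba, then classifies a member value as a SID or a plain name while tolerating both exception classes.

```python
# Added example, not FreeIPA code: catch both the TypeError older samba raised
# and the ValueError newer samba (4.19 in this ticket) raises from dom_sid()
# for a value that is not a SID, so name-shaped members fall through to
# name resolution instead of crashing the command with an InternalError.
import re

try:
    from samba.security import dom_sid  # real parser when samba is installed
except ImportError:  # assumption: samba may be absent on the machine running this
    dom_sid = None

# Stand-in with the newer contract: returns the value on success and raises
# ValueError on malformed input (older samba raised TypeError for the same case).
_SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def _fallback_dom_sid(value):
    """Minimal textual SID check used only when samba is not importable."""
    if not isinstance(value, str):
        raise TypeError("SID must be a string")
    if not _SID_RE.match(value):
        raise ValueError("Unable to parse string: %r" % (value,))
    return value


def parse_sid(value):
    """Parse a SID with whichever parser is available (samba or fallback)."""
    parser = dom_sid if dom_sid is not None else _fallback_dom_sid
    return parser(value)


def classify_member(value):
    """Return 'sid' for a parsable SID, 'name' for anything else.

    Catching only TypeError is exactly the regression in this ticket: once
    dom_sid() started raising ValueError, 'administrator@samba.test' escaped
    the except clause and surfaced as an internal error.
    """
    try:
        parse_sid(value)
    except (TypeError, ValueError):
        return "name"
    return "sid"
```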

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7061

a year ago

master:

  • d50624d group-add-member fails with an external member

ipa-4-11:

  • bc69177 group-add-member fails with an external member

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @frenaud:
- Issue status updated to: Open (was: Closed)

a year ago

You also need to fix https://pagure.io/freeipa/blob/master/f/ipaserver/dcerpc.py#_97

I will make a separate PR as the first one is already merged. Thanks for noticing.

Better check if there are more locations in the code :-)

master:

  • ed6fa60 Handle samba changes in samba.security.dom_sid()

ipa-4-11:

  • c6623f9 Handle samba changes in samba.security.dom_sid()

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
a year ago

ipa-4-10:

  • d826153 group-add-member fails with an external member
  • 71f94a3 Handle samba changes in samba.security.dom_sid()

ipa-4-9:

  • 19f575f group-add-member fails with an external member
  • 5597dbd Handle samba changes in samba.security.dom_sid()
