An AD administrator that is set up to act as an IPA admin (idoverride in the admins group) blocks the management of the admins group on replicas without adtrust setup.
ipa: ERROR: Anchor ':SID:S-1-5-21-3905018495-1585182505-3340604678-500' could not be resolved.
The group-add-member command unexpectedly adds the user while reporting the error message. The group-remove-member command also reports the same error, but does not remove the user again.
Also the group-show command fails:
$ ipa group-show admins --all
ipa: ERROR: Anchor ':SID:S-1-5-21-3905018495-1585182505-3340604678-500' could not be resolved.
$ echo $?
2
No errors, expected output and consistent behavior.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.11.0-5.el9.x86_64
ipa-client-4.11.0-5.el9.x86_64
389-ds-base-2.4.5-3.el9.x86_64
krb5-server-1.21.1-1.el9.x86_64
This is an issue for ansible-freeipa ipagroup module.
- name: Ensure testuser is in admins group
  ipagroup:
    ipaadmin_password: SomeADMINpassword
    name: admins
    action: member
    user:
    - testuser
fatal: [replica1.lin.ipa.test]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "Anchor ':SID:S-1-5-21-3905018495-1585182505-3340604678-500' could not be resolved."}
It will be necessary either to ignore missing SIDs, or to enforce the use of trust agents on all the servers.
This most likely also affects role.
I'd suggest you add a 'fix' on ansible-freeipa side. It is perfectly fine to have a topology where some servers do have trust agent roles and some do not have them. This is by design: there are deployments where you might not want a part of the topology to be accessible to AD users, including resolution of their identities. This is why a default configuration is to not possess 'trust agent' or 'trust controller' role.
Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
Metadata Update from @twoerner:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)
The -add-member and -remove-member, -show and -find commands are not doing what they are supposed to do. This is a bug that needs to be fixed.
It is not possible to generate the missing output of the show and find commands without reimplementing a big part of or the whole commands.
So what we have here is that a non-agent replica gets a request which uses a valid ticket (for AD user) and LDAP server permits to add entries using this ticket because underlying LDAP structure is correct: ID override is present and is a member of the group that is used to check a role/privilege/permission at LDAP level. What is not working is a resolution of the user represented by this ticket back to a name (principal).
Can you provide debug level log from httpd error_log?
error_log
[root@replica1 ~]# ipa group-add-member admins --users=testuser
ipa: ERROR: Anchor ':SID:S-1-5-21-3905018495-1585182505-3340604678-500' could not be resolved.
[Mon Feb 26 07:14:46.112474 2024] [:warn] [pid 9875:tid 10102] [client 192.168.153.11:54410] failed to set perms (3140) on file (/run/ipa/ccaches/admin@LIN.IPA.TEST-kjvVsW)!, referer: https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:14:46.119481 2024] [wsgi:error] [pid 9871:tid 10486] [remote 192.168.153.11:54410] ipa: INFO: [jsonserver_session] admin@LIN.IPA.TEST: ping(): SUCCESS
[Mon Feb 26 07:14:46.120464 2024] [:warn] [pid 9875:tid 10103] [client 192.168.153.11:54410] failed to set perms (3140) on file (/run/ipa/ccaches/admin@LIN.IPA.TEST-kjvVsW)!, referer: https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:14:46.378754 2024] [wsgi:error] [pid 13540:tid 13544] [remote 192.168.153.11:54410] ipa: INFO: [jsonserver_session] admin@LIN.IPA.TEST: group_add_member/1('admins', version='2.253', user=('testuser',)): NotFound
[root@replica1 ~]# ipa user-show testuser
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser@LIN.IPA.TEST
  Principal alias: testuser@LIN.IPA.TEST
  Email address: testuser@lin.ipa.test
  UID: 486500500
  GID: 486500500
  Account disabled: False
  Password: False
  Member of groups: admins, ipausers
  Kerberos keys available: False
I will enable debug
[Mon Feb 26 07:20:09.815022 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: WSGI wsgi_dispatch.call:
[Mon Feb 26 07:20:09.815060 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: WSGI jsonserver_session.call:
[Mon Feb 26 07:20:09.815085 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: Valid Referer https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:20:09.819873 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: Created connection context.ldap2_139983542769120
[Mon Feb 26 07:20:09.819906 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: WSGI jsonserver.call:
[Mon Feb 26 07:20:09.819923 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: WSGI WSGIExecutioner.call:
[Mon Feb 26 07:20:09.822499 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: raw: group_remove_member('admins', version='2.253', user=('testuser',))
[Mon Feb 26 07:20:09.822593 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: group_remove_member('admins', all=False, raw=False, version='2.253', no_members=False, user=('testuser',))
[Mon Feb 26 07:20:09.822880 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: raw: group_show('admins', version='2.253')
[Mon Feb 26 07:20:09.822939 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: group_show('admins', rights=False, all=False, raw=False, version='2.253', no_members=False)
[Mon Feb 26 07:20:09.836282 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Feb 26 07:20:09.836301 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
[Mon Feb 26 07:20:09.836303 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] result = command(args, options)
[Mon Feb 26 07:20:09.836304 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in call
[Mon Feb 26 07:20:09.836306 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] return self.__do_call(*args, options)
[Mon Feb 26 07:20:09.836307 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
[Mon Feb 26 07:20:09.836314 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ret = self.run(args, options)
[Mon Feb 26 07:20:09.836316 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 816, in run
[Mon Feb 26 07:20:09.836317 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] return self.execute(*args, options)
[Mon Feb 26 07:20:09.836319 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 1887, in execute
[Mon Feb 26 07:20:09.836321 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] dn = callback(self, ldap, dn, member_dns, failed, keys, options)
[Mon Feb 26 07:20:09.836322 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/group.py", line 693, in pre_callback
[Mon Feb 26 07:20:09.836324 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] result = api.Command.group_show(protected_group_name)
[Mon Feb 26 07:20:09.836326 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in call
[Mon Feb 26 07:20:09.836328 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] return self.__do_call(*args, options)
[Mon Feb 26 07:20:09.836333 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
[Mon Feb 26 07:20:09.836335 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ret = self.run(args, options)
[Mon Feb 26 07:20:09.836339 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 816, in run
[Mon Feb 26 07:20:09.836341 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] return self.execute(*args, options)
[Mon Feb 26 07:20:09.836342 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 1442, in execute
[Mon Feb 26 07:20:09.836344 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] self.obj.convert_attribute_members(entry_attrs, keys, *options)
[Mon Feb 26 07:20:09.836355 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 754, in convert_attribute_members
[Mon Feb 26 07:20:09.836364 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] new_value = ldap_obj.get_primary_key_from_dn(memberdn)
[Mon Feb 26 07:20:09.836367 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/idviews.py", line 889, in get_primary_key_from_dn
[Mon Feb 26 07:20:09.836373 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] return resolve_anchor_to_object_name(self.backend,
[Mon Feb 26 07:20:09.836380 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/idviews.py", line 697, in resolve_anchor_to_object_name
[Mon Feb 26 07:20:09.836440 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] raise errors.NotFound(
[Mon Feb 26 07:20:09.836441 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipalib.errors.NotFound: Anchor ':SID:S-1-5-21-3905018495-1585182505-3340604678-500' could not be resolved.
[Mon Feb 26 07:20:09.836444 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620]
[Mon Feb 26 07:20:09.836558 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: INFO: [jsonserver_session] admin@LIN.IPA.TEST: group_remove_member/1('admins', version='2.253', user=('testuser',)): NotFound
[Mon Feb 26 07:20:09.836582 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: [jsonserver_session] admin@LIN.IPA.TEST: group_remove_member/1('admins', version='2.253', user=('testuser',)): NotFound etime=16573667
[Mon Feb 26 07:20:09.836997 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:51620] ipa: DEBUG: Destroyed connection context.ldap2_139983542769120
[Mon Feb 26 07:21:11.922797 2024] [:warn] [pid 14143:tid 14291] [client 192.168.153.11:39534] failed to set perms (3140) on file (/run/ipa/ccaches/admin@LIN.IPA.TEST-kjvVsW)!, referer: https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:21:11.923160 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI wsgi_dispatch.call:
[Mon Feb 26 07:21:11.923208 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI jsonserver_session.call:
[Mon Feb 26 07:21:11.923249 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: Valid Referer https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:21:11.928269 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: Created connection context.ldap2_139983542764976
[Mon Feb 26 07:21:11.928318 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI jsonserver.call:
[Mon Feb 26 07:21:11.928342 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI WSGIExecutioner.call:
[Mon Feb 26 07:21:11.928625 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: raw: ping(version='2.253')
[Mon Feb 26 07:21:11.928747 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: ping(version='2.253')
[Mon Feb 26 07:21:11.928838 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: INFO: [jsonserver_session] admin@LIN.IPA.TEST: ping(): SUCCESS
[Mon Feb 26 07:21:11.928866 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: [jsonserver_session] admin@LIN.IPA.TEST: ping(): SUCCESS etime=463347
[Mon Feb 26 07:21:11.929304 2024] [wsgi:error] [pid 14137:tid 14409] [remote 192.168.153.11:39534] ipa: DEBUG: Destroyed connection context.ldap2_139983542764976
[Mon Feb 26 07:21:11.930649 2024] [:warn] [pid 14143:tid 14292] [client 192.168.153.11:39534] failed to set perms (3140) on file (/run/ipa/ccaches/admin@LIN.IPA.TEST-kjvVsW)!, referer: https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:21:11.931067 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI wsgi_dispatch.call:
[Mon Feb 26 07:21:11.931112 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI jsonserver_session.call:
[Mon Feb 26 07:21:11.931153 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: Valid Referer https://replica1.lin.ipa.test/ipa/xml
[Mon Feb 26 07:21:11.936101 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: Created connection context.ldap2_139983542769120
[Mon Feb 26 07:21:11.936140 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI jsonserver.call:
[Mon Feb 26 07:21:11.936166 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI WSGIExecutioner.call:
[Mon Feb 26 07:21:11.936337 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: raw: group_add_member('admins', version='2.253', user=('testuser',))
[Mon Feb 26 07:21:11.936483 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: group_add_member('admins', all=False, raw=False, version='2.253', no_members=False, user=('testuser',))
[Mon Feb 26 07:21:11.936841 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: add_entry_to_group: dn=uid=testuser,cn=users,cn=accounts,dc=lin,dc=ipa,dc=test group_dn=cn=admins,cn=groups,cn=accounts,dc=lin,dc=ipa,dc=test member_attr=member
[Mon Feb 26 07:21:12.189397 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Feb 26 07:21:12.189427 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 417, in wsgi_execute
[Mon Feb 26 07:21:12.189429 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] result = command(args, options)
[Mon Feb 26 07:21:12.189431 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in call
[Mon Feb 26 07:21:12.189433 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] return self.__do_call(*args, options)
[Mon Feb 26 07:21:12.189434 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
[Mon Feb 26 07:21:12.189436 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ret = self.run(args, options)
[Mon Feb 26 07:21:12.189438 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 816, in run
[Mon Feb 26 07:21:12.189439 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] return self.execute(*args, options)
[Mon Feb 26 07:21:12.189441 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 1833, in execute
[Mon Feb 26 07:21:12.189443 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] self.obj.convert_attribute_members(entry_attrs, keys, *options)
[Mon Feb 26 07:21:12.189444 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 754, in convert_attribute_members
[Mon Feb 26 07:21:12.189446 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] new_value = ldap_obj.get_primary_key_from_dn(memberdn)
[Mon Feb 26 07:21:12.189453 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/idviews.py", line 889, in get_primary_key_from_dn
[Mon Feb 26 07:21:12.189460 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] return resolve_anchor_to_object_name(self.backend,
[Mon Feb 26 07:21:12.189462 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] File "/usr/lib/python3.9/site-packages/ipaserver/plugins/idviews.py", line 697, in resolve_anchor_to_object_name
[Mon Feb 26 07:21:12.189464 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] raise errors.NotFound(
[Mon Feb 26 07:21:12.189466 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipalib.errors.NotFound: Anchor ':SID:S-1-5-21-3905018495-1585182505-3340604678-500' could not be resolved.
[Mon Feb 26 07:21:12.189467 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534]
[Mon Feb 26 07:21:12.189544 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: INFO: [jsonserver_session] admin@LIN.IPA.TEST: group_add_member/1('admins', version='2.253', user=('testuser',)): NotFound
[Mon Feb 26 07:21:12.189578 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: [jsonserver_session] admin@LIN.IPA.TEST: group_add_member/1('admins', version='2.253', user=('testuser',)): NotFound etime=253319320
[Mon Feb 26 07:21:12.189986 2024] [wsgi:error] [pid 14141:tid 14412] [remote 192.168.153.11:39534] ipa: DEBUG: Destroyed connection context.ldap2_139983542769120
Thanks, so this is, as I worried it would be, from the convert_attribute_members call resolving the ID via get_primary_key_from_dn and then resolve_anchor_to_object_name. Since we cannot resolve the SID, we cannot return this anchor's name directly.
This looks similar to a previous issue where Web UI wanted to resolve the SIDs and it took a lot of time. We can use ipaOriginalUid value in case DCERPC bindings are missing, by assuming it is an existing ID override.
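As an added example (not FreeIPA's own code and not the change in the linked PR), the following Python models the resolution path named in the traceback and the fallback to ipaOriginalUid proposed above: on a replica without the trust agent role the SID lookup fails, and the stored original name of the ID override is used instead. The directory contents, the trust view DN layout and the AD login value are constructed.

```python
# Added example, not FreeIPA's own code: models the member resolution path
# from the traceback (convert_attribute_members -> get_primary_key_from_dn ->
# resolve_anchor_to_object_name) and the proposed ipaOriginalUid fallback.

class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""

# Constructed directory (DN -> attributes). The override DN layout under
# "Default Trust View" is an assumption; the SID is the one from the ticket
# and the AD login stored in ipaOriginalUid is made up for the example.
OVERRIDE_DN = ("ipaanchoruuid=:SID:S-1-5-21-3905018495-1585182505-3340604678-500,"
               "cn=Default Trust View,cn=views,cn=accounts,dc=lin,dc=ipa,dc=test")
USER_DN = "uid=testuser,cn=users,cn=accounts,dc=lin,dc=ipa,dc=test"
DIRECTORY = {
    USER_DN: {"uid": "testuser"},
    OVERRIDE_DN: {"ipaoriginaluid": "administrator@AD.EXAMPLE.TEST"},
}
ADMINS_MEMBERS = [USER_DN, OVERRIDE_DN]

def first_rdn(dn):
    """Return (attribute, value) of the first RDN; SIDs contain no escaped commas."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.lower(), value

def resolve_sid(sid, trust_agent):
    """Resolve a SID through the trust (DCERPC) path; only trust agents can."""
    if not trust_agent:
        # Any replica without the trust agent role fails exactly like the ticket.
        raise NotFound("Anchor ':SID:%s' could not be resolved." % sid)
    return "administrator@AD.EXAMPLE.TEST"  # constructed result of the AD lookup

def resolve_anchor_to_object_name(dn, trust_agent, use_original_uid=True):
    """Map an ID override DN to a name, optionally falling back to ipaOriginalUid."""
    attr, anchor = first_rdn(dn)
    if attr != "ipaanchoruuid" or not anchor.startswith(":SID:"):
        raise NotFound("Anchor '%s' could not be resolved." % anchor)
    try:
        return resolve_sid(anchor[len(":SID:"):], trust_agent)
    except NotFound:
        # Fallback from the thread: treat the entry as an existing override
        # and use the original name it stores instead of asking AD.
        original = DIRECTORY.get(dn, {}).get("ipaoriginaluid")
        if not use_original_uid or original is None:
            raise
        return original

def convert_attribute_members(member_dns, trust_agent, use_original_uid=True):
    """Turn a group's member DNs into the names group-show would print."""
    names = []
    for dn in member_dns:
        attr, value = first_rdn(dn)
        if attr == "uid":
            names.append(value)  # plain IPA user: the primary key is the uid
        else:
            names.append(resolve_anchor_to_object_name(dn, trust_agent, use_original_uid))
    return names
```

With use_original_uid=False on a non-agent replica the call raises the same NotFound for the whole group, which is why group-show and the member commands fail together in the ticket.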
Upstream PR: https://github.com/freeipa/freeipa/pull/7253
master:
ipa-4-11:
ipa-4-10:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-9: