When a user privileged to add group members tries to add an external member and is not a member of Trusted Admins, he receives an internal error:
# ipa user-show fbar
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Email address: fbar@linux.ad.test
  UID: 1230000003
  GID: 1230000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk <<<<<<
  Kerberos keys available: True

# kinit fbar
Password for fbar@LINUX.AD.TEST:

# ipa group-add-member ext_all_admins --external "AD\Domain Admins"
[member user]:
[member group]:
ipa: ERROR: an internal error has occurred

/var/log/httpd/error_log:
[Mon Feb 04 10:09:55.085035 2013] [:error] [pid 22453] Traceback (most recent call last):
[Mon Feb 04 10:09:55.085041 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
[Mon Feb 04 10:09:55.085046 2013] [:error] [pid 22453] result = self.Command[name](*args, **options)
[Mon Feb 04 10:09:55.085051 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
[Mon Feb 04 10:09:55.085056 2013] [:error] [pid 22453] ret = self.run(*args, **options)
[Mon Feb 04 10:09:55.085060 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
[Mon Feb 04 10:09:55.085065 2013] [:error] [pid 22453] return self.execute(*args, **options)
[Mon Feb 04 10:09:55.085070 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1546, in execute
[Mon Feb 04 10:09:55.085075 2013] [:error] [pid 22453] **options)
[Mon Feb 04 10:09:55.085079 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipalib/plugins/group.py", line 388, in post_callback
[Mon Feb 04 10:09:55.085084 2013] [:error] [pid 22453] actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
[Mon Feb 04 10:09:55.085089 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 264, in get_trusted_domain_object_sid
[Mon Feb 04 10:09:55.085094 2013] [:error] [pid 22453] components.get('flatname'), filter, attrs, scope)
[Mon Feb 04 10:09:55.085099 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 221, in get_trusted_domain_objects
[Mon Feb 04 10:09:55.085104 2013] [:error] [pid 22453] self._domains = self.get_trusted_domains()
[Mon Feb 04 10:09:55.085109 2013] [:error] [pid 22453] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 162, in get_trusted_domains
[Mon Feb 04 10:09:55.085124 2013] [:error] [pid 22453] entry[1][self.ATTR_TRUST_AUTHOUT][0])
[Mon Feb 04 10:09:55.085129 2013] [:error] [pid 22453] KeyError: 'ipanttrustauthoutgoing'
[Mon Feb 04 10:09:55.085498 2013] [:error] [pid 22453] ipa: INFO: fbar@LINUX.AD.TEST: group_add_member(u'ext_all_admins', ipaexternalmember=(u'AD\\\\Domain Admins',), all=False, raw=False, version=u'2.47'): KeyError
attachment freeipa-mkosek-355-2-avoid-internal-error-when-user-is-not-trust-admin.patch
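The traceback above ends in a direct `entry[1][self.ATTR_TRUST_AUTHOUT][0]` lookup on an entry that, for this user, came back without that attribute. As an added example (not the attached patch and not FreeIPA code), the sketch below contrasts that lookup with one that turns the missing attribute into an explicit access error; the function names, exception class, DNs and sample entries are assumptions constructed for illustration.

```python
# Added illustration. Only the attribute name and the entry[1][ATTR][0]
# access pattern come from the traceback; everything else is hypothetical.
ATTR_TRUST_AUTHOUT = 'ipanttrustauthoutgoing'


class TrustReadDenied(Exception):
    """The caller's identity could not read the trust attribute."""


def trust_auth_unchecked(entries):
    # Same shape as the failing line: index straight into the attribute
    # dict and assume the attribute is always present in the result.
    return {e[1]['cn'][0]: e[1][ATTR_TRUST_AUTHOUT][0] for e in entries}


def trust_auth_checked(entries, principal):
    # Treat an absent attribute as an authorization outcome and report it
    # as such, instead of letting a KeyError surface as an internal error.
    result = {}
    for dn, attrs in entries:
        values = attrs.get(ATTR_TRUST_AUTHOUT)
        if not values:
            raise TrustReadDenied(
                '%s cannot read %s on %s' % (principal, ATTR_TRUST_AUTHOUT, dn))
        result[attrs['cn'][0]] = values[0]
    return result


# Constructed search results, shaped as (dn, attrs) tuples.
AS_TRUST_ADMIN = [('cn=ad.test,cn=trusts,dc=example',
                   {'cn': ['ad.test'],
                    ATTR_TRUST_AUTHOUT: [b'constructed-secret']})]
AS_HELPDESK = [('cn=ad.test,cn=trusts,dc=example', {'cn': ['ad.test']})]


def outcome(entries, principal):
    """Return a short label for how the checked lookup ends."""
    try:
        trust_auth_checked(entries, principal)
        return 'ok'
    except TrustReadDenied as exc:
        return 'denied: %s' % exc


if __name__ == '__main__':
    print(outcome(AS_TRUST_ADMIN, 'admin@LINUX.AD.TEST'))
    print(outcome(AS_HELPDESK, 'fbar@LINUX.AD.TEST'))
```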
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=907917
master: a41e10f
ipa-3-1: b238fc1
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/02