When attempting to validate the trust from the AD DC side and resetting the trust shared secret, Samba reports an error because some string conversion fails:
[2014/01/14 15:55:32.599455, 10, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ipa_sam.c:2137(ipasam_get_trusted_domain_by_sid)
  ipasam_get_trusted_domain_by_sid called for sid S-1-5-21-2396524182-1808436206-1789356876
[2014/01/14 15:55:32.599500, 5, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [cn=ad,cn=trusts,dc=ipa,dc=weald,dc=vda,dc=li], filter => [(&(objectClass=ipaNTTrustedDomain)(ipaNTTrustedDomainSID=S-1-5-21-2396524182-1808436206-1789356876))], scope => [2]
[2014/01/14 15:55:32.599556, 11, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../source3/lib/smbldap.c:1067(smbldap_open)
  smbldap_open: already connected to the LDAP server
[2014/01/14 15:55:32.600840, 9, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ipa_sam.c:2084(fill_pdb_trusted_domain)
  Failed to set forest trust info.
[2014/01/14 15:55:32.600914, 3, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../lib/util/charset/convert_string.c:435(convert_string_talloc_handle)
  convert_string_talloc: Conversion error: Illegal multibyte sequence(4<DD><F8>ڐ<F1>ESC^D<87><8F>)
[2014/01/14 15:55:32.600953, 0, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../lib/util/charset/convert_string.c:438(convert_string_talloc_handle)
  Conversion error: Illegal multibyte sequence(4<DD><F8>ڐ<F1>ESC^D<87><8F>)
[2014/01/14 15:55:32.602160, 1, pid=13817, effective(948600000, 948600000), real(948600000, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
  lsa_QueryTrustedDomainInfoBySid: struct lsa_QueryTrustedDomainInfoBySid
    out: struct lsa_QueryTrustedDomainInfoBySid
      info : *
        info : NULL
      result : NT_STATUS_INVALID_PARAMETER
This is with Fedora 20, samba 4.1.3-2.fc20 and FreeIPA from git master.
Alexander found out this issue affects IPA's ability to successfully use trusts with AD 2012. We need to re-prioritize.
Not reproducible. Not clear where the issue is.
Linking with new downstream bug https://bugzilla.redhat.com/show_bug.cgi?id=1190566. Alexander may revisit this ticket when evaluating trusts with Samba DC.
Moving to 4.4 for now, abbra would like to get it working at the same time we'll get Samba AD.
Metadata Update from @abbra: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.5 backlog