#4549 Properly fail in trust-add when adding the trust for AD in the same domain as IPA
Closed: Fixed. Opened 9 years ago by tbabej.

<Unsupported setup>: When IPA is deployed in the same domain as AD, trust-add fails with an internal error.

[Mon Sep 15 16:05:30.805029 2014] [:error] [pid 4486] ipa: ERROR: non-public: KeyError: 'ipanttrusteddomainsid'
[Mon Sep 15 16:05:30.805064 2014] [:error] [pid 4486] Traceback (most recent call last):
[Mon Sep 15 16:05:30.805067 2014] [:error] [pid 4486]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 333, in wsgi_execute
[Mon Sep 15 16:05:30.805069 2014] [:error] [pid 4486]     result = self.Command[name](*args, **options)
[Mon Sep 15 16:05:30.805070 2014] [:error] [pid 4486]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
[Mon Sep 15 16:05:30.805072 2014] [:error] [pid 4486]     ret = self.run(*args, **options)
[Mon Sep 15 16:05:30.805074 2014] [:error] [pid 4486]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
[Mon Sep 15 16:05:30.805075 2014] [:error] [pid 4486]     result = self.execute(*args, **options)
[Mon Sep 15 16:05:30.805077 2014] [:error] [pid 4486]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 441, in execute
[Mon Sep 15 16:05:30.805078 2014] [:error] [pid 4486]     old_range, range_name, dom_sid = self.validate_range(*keys, **options)
[Mon Sep 15 16:05:30.805080 2014] [:error] [pid 4486]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 610, in validate_range
[Mon Sep 15 16:05:30.805081 2014] [:error] [pid 4486]     old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]
[Mon Sep 15 16:05:30.805083 2014] [:error] [pid 4486] KeyError: 'ipanttrusteddomainsid'

The reason here is that the naming of the local domain and trusted domain ranges is the same - it's always DOMAIN.NAME_id_range. When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID.

In this case, we should detect in trust-add that we are trying to add a trusted domain which is the same domain as the IPA's and fail out.

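The failure path and the check this ticket asks for, modelled as an added example. This is not FreeIPA's code and not the content of the fix commits; the function names, the `ValidationError` stand-in for ipalib's exception, and the sample range entries are constructed for illustration. The local range is deliberately missing `ipanttrusteddomainsid`, which is exactly what produces the KeyError in the traceback. The range-type and SID checks in `validate_range_fixed` go beyond what the ticket states and are this example's own hardening of the lookup.

```python
"""Model of the trust-add ID range lookup from this ticket.

Added example, not FreeIPA code.  Range entries are plain dicts shaped
like the LDAP entries `ipa idrange-find` returns (multi-valued attributes
as lists); the local range carries no ipanttrusteddomainsid, which is
what triggers KeyError('ipanttrusteddomainsid') in the traceback.
"""


class ValidationError(Exception):
    """Stand-in for ipalib's errors.ValidationError (assumption)."""


def normalize_domain(domain):
    """Lower-case a DNS domain and drop a trailing dot so that
    'IPA.Example.COM.' and 'ipa.example.com' compare equal."""
    return domain.strip().rstrip(".").lower()


def range_name_for(domain):
    """Local and trust ranges share the DOMAIN.NAME_id_range naming scheme,
    as the ticket describes; that shared naming is the root cause."""
    return "%s_id_range" % normalize_domain(domain).upper()


# Constructed sample data: the local range of the IPA domain and a range
# left behind by an earlier trust attempt against ad.example.com.
SAMPLE_RANGES = [
    {
        "cn": ["IPA.EXAMPLE.COM_id_range"],
        "iparangetype": ["ipa-local"],
        "ipabaseid": ["1000000"],
        "ipaidrangesize": ["200000"],
        # no ipanttrusteddomainsid: a local range has no trusted-domain SID
    },
    {
        "cn": ["AD.EXAMPLE.COM_id_range"],
        "iparangetype": ["ipa-ad-trust"],
        "ipabaseid": ["1200000"],
        "ipaidrangesize": ["200000"],
        "ipanttrusteddomainsid": ["S-1-5-21-1111111111-2222222222-3333333333"],
    },
]


def find_range(ranges, name):
    """Return the range entry whose cn matches, or None."""
    for entry in ranges:
        if entry["cn"][0] == name:
            return entry
    return None


def validate_range_unfixed(ranges, trusted_domain):
    """Pre-fix behaviour: reads the SID of whatever range matches the
    name, so the IPA domain's own local range raises KeyError."""
    old_range = find_range(ranges, range_name_for(trusted_domain))
    if old_range is None:
        return None
    return old_range["ipanttrusteddomainsid"][0]


def check_domain_clash(ipa_domain, trusted_domain):
    """The check the ticket asks for: refuse a trust whose domain is the
    IPA domain itself, instead of falling through to the range lookup."""
    if normalize_domain(ipa_domain) == normalize_domain(trusted_domain):
        raise ValidationError(
            "Trusted domain %s is the same as the IPA domain; a trust to "
            "the IPA domain itself cannot be added" % trusted_domain)


def validate_range_fixed(ipa_domain, ranges, trusted_domain, dom_sid):
    """Post-fix behaviour.  After the domain-clash check, an existing range
    is reused only if it is a trust range whose SID matches the domain
    being added (these two checks are this example's own hardening)."""
    check_domain_clash(ipa_domain, trusted_domain)
    old_range = find_range(ranges, range_name_for(trusted_domain))
    if old_range is None:
        return None  # trust-add will create a fresh range
    if "ipanttrusteddomainsid" not in old_range:
        raise ValidationError(
            "ID range %s exists but is not a trust range; remove or rename "
            "it before adding the trust" % old_range["cn"][0])
    old_sid = old_range["ipanttrusteddomainsid"][0]
    if old_sid != dom_sid:
        raise ValidationError("ID range %s belongs to SID %s, not %s"
                              % (old_range["cn"][0], old_sid, dom_sid))
    return old_range


def run_demo():
    """Run both versions against the same-domain case; returns the outcomes
    as strings so they can be checked without reading stdout."""
    outcomes = {}
    try:
        validate_range_unfixed(SAMPLE_RANGES, "ipa.example.com")
        outcomes["unfixed_same_domain"] = "ok"
    except KeyError as err:
        outcomes["unfixed_same_domain"] = "KeyError: %s" % err
    try:
        validate_range_fixed("ipa.example.com", SAMPLE_RANGES,
                             "ipa.example.com", "S-1-5-21-9-9-9")
        outcomes["fixed_same_domain"] = "ok"
    except ValidationError:
        outcomes["fixed_same_domain"] = "ValidationError"
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The clash check compares normalized DNS names rather than raw strings, so `IPA.Example.COM.` and `ipa.example.com` are treated as the same domain; a raw comparison would let a differently-cased domain name slip past the check and hit the original KeyError.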

During processing of remaining tickets in the 4.2 Backlog, this ticket was found suitable to be fixed in the nearest bugfixing branch, which is 4.2.x.

master:

  • 9ce074b trusts: Detect domain clash with IPA domain when adding a AD trust

ipa-4-2:

  • 5fd2a89 trusts: Detect domain clash with IPA domain when adding a AD trust

Metadata Update from @tbabej (7 years ago):
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.2.1
