Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1216935
Description of problem:

When running

    # ipa trust-add --type=ad addomain.test --admin Administrator --password

I get

    Active Directory domain administrator's password:
    ipa: ERROR: an internal error has occurred

The error_log has

    [Wed Apr 29 04:26:10.180832 2015] [:error] [pid 22118] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: trust_del((u'addomain.test',), continue=False, version=u'2.112'): SUCCESS
    [Wed Apr 29 04:27:49.023131 2015] [:error] [pid 22119] ipa: ERROR: non-public: TypeError: format requires a mapping
    [Wed Apr 29 04:27:49.023149 2015] [:error] [pid 22119] Traceback (most recent call last):
    [Wed Apr 29 04:27:49.023150 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
    [Wed Apr 29 04:27:49.023152 2015] [:error] [pid 22119] result = self.Command[name](*args, **options)
    [Wed Apr 29 04:27:49.023153 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    [Wed Apr 29 04:27:49.023155 2015] [:error] [pid 22119] ret = self.run(*args, **options)
    [Wed Apr 29 04:27:49.023156 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
    [Wed Apr 29 04:27:49.023157 2015] [:error] [pid 22119] return self.execute(*args, **options)
    [Wed Apr 29 04:27:49.023159 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
    [Wed Apr 29 04:27:49.023160 2015] [:error] [pid 22119] result = self.execute_ad(full_join, *keys, **options)
    [Wed Apr 29 04:27:49.023161 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
    [Wed Apr 29 04:27:49.023168 2015] [:error] [pid 22119] self.realm_passwd
    [Wed Apr 29 04:27:49.023170 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1224, in join_ad_full_credentials
    [Wed Apr 29 04:27:49.023171 2015] [:error] [pid 22119] result = self.remote_domain.verify_trust(self.local_domain)
    [Wed Apr 29 04:27:49.023172 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023174 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023175 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023176 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023177 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023178 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023179 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023180 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023181 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023182 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023183 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023184 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023185 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023186 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023187 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023188 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023189 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in verify_trust
    [Wed Apr 29 04:27:49.023190 2015] [:error] [pid 22119] return self.verify_trust(another_domain)
    [Wed Apr 29 04:27:49.023191 2015] [:error] [pid 22119] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1028, in verify_trust
    [Wed Apr 29 04:27:49.023192 2015] [:error] [pid 22119] 'that has no trust information replicated yet.' % (self.validation_attempts)))
    [Wed Apr 29 04:27:49.023194 2015] [:error] [pid 22119] TypeError: format requires a mapping
    [Wed Apr 29 04:27:49.023409 2015] [:error] [pid 22119] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: trust_add(u'addomain.test', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError

in it and after adding log level =100 to /usr/share/ipa/smb.conf.empty and retrying, there is

    netr_LogonControl2Ex: struct netr_LogonControl2Ex
        out: struct netr_LogonControl2Ex
            query : *
                query : union netr_CONTROL_QUERY_INFORMATION(case 2)
                info2 : *
                    info2: struct netr_NETLOGON_INFO_2
                        flags : 0x00000080 (128)
                            0: NETLOGON_REPLICATION_NEEDED
                            0: NETLOGON_REPLICATION_IN_PROGRESS
                            0: NETLOGON_FULL_SYNC_REPLICATION
                            0: NETLOGON_REDO_NEEDED
                            0: NETLOGON_HAS_IP
                            0: NETLOGON_HAS_TIMESERV
                            0: NETLOGON_DNS_UPDATE_FAILURE
                            1: NETLOGON_VERIFY_STATUS_RETURNED
                        pdc_connection_status : WERR_ACCESS_DENIED
                        trusted_dc_name : *
                            trusted_dc_name : ''
                        tc_connection_status : WERR_ACCESS_DENIED
            result : WERR_OK

there.

The way I managed to get this error was, having previously established trust with different IdM with the same IPA domain, and it looks like the DNS on the AD side still had _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$IPADOMAIN pointing to the old IdM which was kept running.

Version-Release number of selected component (if applicable):

ipa-server-trust-ad-4.1.0-18.el7.x86_64

How reproducible:

Deterministic once I got the error.

Steps to Reproduce:

1. Have a setup which would return ACCESS DENIED from AD on tcverify.
2. Run ipa trust-add.

Actual results:

    ipa: ERROR: an internal error has occurred

Expected results:

Better error message explaining what the problem was.

Additional info:
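An added example, not FreeIPA code and not part of the report: "TypeError: format requires a mapping" is what Python raises when a format string containing a named placeholder is applied to a non-mapping argument, which is how the WERR_ACCESS_DENIED result above ended up reported as an internal error. The sketch shows that failure next to a retry loop that surfaces both connection statuses. All function names, the placeholder name `count` and the retry limit are assumptions.

```python
# Added illustration; every name here is hypothetical, not FreeIPA code.
WERR_OK = "WERR_OK"
WERR_ACCESS_DENIED = "WERR_ACCESS_DENIED"
MAX_ATTEMPTS = 10  # assumed retry limit


class TrustValidationError(Exception):
    """Public error that names the statuses the remote DC returned."""


def broken_message(attempts):
    # Named placeholder with a non-mapping argument: (attempts) is a plain
    # int, not a tuple or dict, so % raises
    # "TypeError: format requires a mapping" and hides the real failure.
    return "Gave up after %(count)d attempts" % (attempts)


def fixed_message(attempts, pdc, tc):
    # Same style of format string, fed a mapping, plus the two status
    # fields so the operator sees why validation failed.
    return ("Unable to verify trust after %(count)d attempts: "
            "pdc_connection_status=%(pdc)s, tc_connection_status=%(tc)s"
            % dict(count=attempts, pdc=pdc, tc=tc))


def verify_trust(query, max_attempts=MAX_ATTEMPTS):
    """Poll query() until both statuses are WERR_OK or attempts run out.

    query stands in for the netr_LogonControl2Ex call and returns
    (pdc_connection_status, tc_connection_status). A loop replaces the
    recursion seen in the traceback, so the attempt count is explicit.
    """
    attempt, pdc, tc = 0, None, None
    for attempt in range(1, max_attempts + 1):
        pdc, tc = query()
        if pdc == WERR_OK and tc == WERR_OK:
            return attempt
    raise TrustValidationError(fixed_message(attempt, pdc, tc))


if __name__ == "__main__":
    denied = lambda: (WERR_ACCESS_DENIED, WERR_ACCESS_DENIED)  # constructed
    try:
        verify_trust(denied)
    except TrustValidationError as err:
        print(err)
```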
This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.2.1