#5013 ipa trust-add shows ipa: ERROR: an internal error has occurred
Closed: Fixed None Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1216935

Description of problem:

When running

# ipa trust-add --type=ad addomain.test --admin Administrator --password

I get

Active Directory domain administrator's password:
ipa: ERROR: an internal error has occurred

The error_log has

[Wed Apr 29 04:26:10.180832 2015] [:error] [pid 22118] ipa: INFO:
[jsonserver_session] admin@EXAMPLE.TEST: trust_del((u'addomain.test',),
continue=False, version=u'2.112'): SUCCESS
[Wed Apr 29 04:27:49.023131 2015] [:error] [pid 22119] ipa: ERROR: non-public:
TypeError: format requires a mapping
[Wed Apr 29 04:27:49.023149 2015] [:error] [pid 22119] Traceback (most recent
call last):
[Wed Apr 29 04:27:49.023150 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in
wsgi_execute
[Wed Apr 29 04:27:49.023152 2015] [:error] [pid 22119]     result =
self.Command[name](*args, **options)
[Wed Apr 29 04:27:49.023153 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Wed Apr 29 04:27:49.023155 2015] [:error] [pid 22119]     ret =
self.run(*args, **options)
[Wed Apr 29 04:27:49.023156 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Wed Apr 29 04:27:49.023157 2015] [:error] [pid 22119]     return
self.execute(*args, **options)
[Wed Apr 29 04:27:49.023159 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in
execute
[Wed Apr 29 04:27:49.023160 2015] [:error] [pid 22119]     result =
self.execute_ad(full_join, *keys, **options)
[Wed Apr 29 04:27:49.023161 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in
execute_ad
[Wed Apr 29 04:27:49.023168 2015] [:error] [pid 22119]     self.realm_passwd
[Wed Apr 29 04:27:49.023170 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1224, in
join_ad_full_credentials
[Wed Apr 29 04:27:49.023171 2015] [:error] [pid 22119]     result =
self.remote_domain.verify_trust(self.local_domain)
[Wed Apr 29 04:27:49.023172 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023174 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023175 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023176 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023177 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023178 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023179 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023180 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023181 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023182 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023183 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023184 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023185 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023186 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023187 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023188 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023189 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1025, in
verify_trust
[Wed Apr 29 04:27:49.023190 2015] [:error] [pid 22119]     return
self.verify_trust(another_domain)
[Wed Apr 29 04:27:49.023191 2015] [:error] [pid 22119]   File
"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1028, in
verify_trust
[Wed Apr 29 04:27:49.023192 2015] [:error] [pid 22119]     'that has no trust
information replicated yet.' % (self.validation_attempts)))
[Wed Apr 29 04:27:49.023194 2015] [:error] [pid 22119] TypeError: format
requires a mapping
[Wed Apr 29 04:27:49.023409 2015] [:error] [pid 22119] ipa: INFO:
[jsonserver_session] admin@EXAMPLE.TEST: trust_add(u'addomain.test',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
all=False, raw=False, version=u'2.112'): TypeError

in it, and after adding log level = 100 to /usr/share/ipa/smb.conf.empty and
retrying, there is

     netr_LogonControl2Ex: struct netr_LogonControl2Ex
        out: struct netr_LogonControl2Ex
            query                    : *
                query                    : union
netr_CONTROL_QUERY_INFORMATION(case 2)
                info2                    : *
                    info2: struct netr_NETLOGON_INFO_2
                        flags                    : 0x00000080 (128)
                               0: NETLOGON_REPLICATION_NEEDED
                               0: NETLOGON_REPLICATION_IN_PROGRESS
                               0: NETLOGON_FULL_SYNC_REPLICATION
                               0: NETLOGON_REDO_NEEDED
                               0: NETLOGON_HAS_IP
                               0: NETLOGON_HAS_TIMESERV
                               0: NETLOGON_DNS_UPDATE_FAILURE
                               1: NETLOGON_VERIFY_STATUS_RETURNED
                        pdc_connection_status    : WERR_ACCESS_DENIED
                        trusted_dc_name          : *
                            trusted_dc_name          : ''
                        tc_connection_status     : WERR_ACCESS_DENIED
            result                   : WERR_OK

there.

The way I managed to get this error was by having previously established trust
with a different IdM with the same IPA domain; it looks like the DNS on the
AD side still had
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$IPADOMAIN pointing to the
old IdM, which was kept running.

Version-Release number of selected component (if applicable):

ipa-server-trust-ad-4.1.0-18.el7.x86_64

How reproducible:

Deterministic once I got the error.

Steps to Reproduce:
1. Have a setup which would return ACCESS DENIED from AD on tcverify.
2. Run ipa trust-add.

Actual results:

ipa: ERROR: an internal error has occurred

Expected results:

Better error message explaining what the problem was.

Additional info:

This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.

master:

  • 1299c60 dcerpc: Expand explanation for WERR_ACCESS_DENIED

ipa-4-2:

  • 0eec93e dcerpc: Expand explanation for WERR_ACCESS_DENIED
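
The "TypeError: format requires a mapping" in the traceback is what Python raises when a format string with named %(...) placeholders is given a non-mapping argument, so the error path crashed before it could report WERR_ACCESS_DENIED. The sketch below is an added example, not FreeIPA's code: it reproduces that failure and shows a bounded retry loop that surfaces the status instead. The function names, message wording, retry bound and the query_status callable are assumptions.

```python
class TrustVerificationError(Exception):
    """Raised with a readable reason instead of an opaque internal error."""


# Hypothetical message; the named placeholders mirror what the TypeError implies.
RETRY_MSG = ('Trust verification failed after %(attempts)d attempts: '
             'remote DC reported %(status)s.')


def buggy_message(attempts):
    # (attempts) is a parenthesised int, not a mapping, so a format string
    # with %(name) keys raises "TypeError: format requires a mapping".
    return RETRY_MSG % (attempts)


def fixed_message(attempts, status):
    # Named placeholders need a dict that supplies every key.
    return RETRY_MSG % dict(attempts=attempts, status=status)


def verify_trust(query_status, max_attempts=10, wait=lambda: None):
    """Poll query_status(), a hypothetical callable returning the pair
    (pdc_connection_status, tc_connection_status) as strings.

    Returns the attempt number that succeeded; raises
    TrustVerificationError carrying the last status otherwise.
    """
    attempt, status = 0, None
    for attempt in range(1, max_attempts + 1):
        pdc, tc = query_status()
        if pdc == 'WERR_OK' and tc == 'WERR_OK':
            return attempt
        status = pdc if pdc != 'WERR_OK' else tc
        if status != 'WERR_ACCESS_DENIED':
            break  # only the access-denied case is retried in this sketch
        wait()  # caller supplies the delay, e.g. time.sleep
    raise TrustVerificationError(fixed_message(attempt, status))


if __name__ == '__main__':
    # Constructed input: a DC that always answers as in the ticket's debug log.
    denied = lambda: ('WERR_ACCESS_DENIED', 'WERR_ACCESS_DENIED')
    try:
        verify_trust(denied, max_attempts=3)
    except TrustVerificationError as exc:
        print(exc)
```
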

Metadata Update from @pvoborni:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago
