When establishing a one-way trust, the oddjob helper script that should fetch trusted forest topology info (like UPN suffixes) does not work due to the absent ldap2 backend. This can be seen when trying to run the helper directly using oddjob_request:
oddjob_request -i com.redhat.idm.trust.fetch_domains -s com.redhat.idm.trust -o / com.redhat.idm.trust.fetch_domains ad.realm
WARNING: yacc table file version is out of date
Traceback (most recent call last):
  File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 127, in <module>
    api.Backend.ldap2.connect(ccache_name)
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 330, in __getattr__
    raise AttributeError(key)
AttributeError: ldap2
This causes trust-add to not populate the trust object with all the data, in particular the ipantadditionalsuffixes attribute.
Steps to reproduce:
1.) install IPA server
2.) run ipa-adtrust-install and establish a trust to some AD domain
3.) run the following command against trusted AD domain
oddjob_request -i com.redhat.idm.trust.fetch_domains -s com.redhat.idm.trust -o com.redhat.idm.trust.fetch_domains <ad.domain.name>
Expected results:
There should be no output by default. With 'log level = 100' in smb.conf, one should see plenty of output from communication with AD DC.
Actual result:
Traceback seen above
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1356899 (Red Hat Enterprise Linux 7)
master:
Metadata Update from @mbabinsk:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4.1