[Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error
David Fox
paw at 4gotten.me
Fri Jul 3 14:30:38 UTC 2015
On 2015-07-02 12:47, Sumit Bose wrote:
> On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote:
>> I am encountering issues trying to integrate FreeIPA with AD, on *nix prompt
>> I get "internal server error" and within I receive the following message in
>> httpd_errorlog.
>>
>
> It looks like we ask AD if it already has a trust to a domain called
> 'ipa.*redacted*' and ....
>
>> rpc reply data:
>> [0000] 00 00 02 00 06 00 00 00 03 00 00 00 00 00 00 00 ........
>> ........
>> lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
>> in: struct lsa_QueryTrustedDomainInfoByName
>> handle : *
>> handle: struct policy_handle
>> handle_type : 0x00000000 (0)
>> uuid : 0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6
>> trusted_domain : *
>> trusted_domain: struct lsa_String
>> length : 0x001a (26)
>> size : 0x001a (26)
>> string : *
>> string : 'ipa.*redacted*'
>> level : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
>> rpc request data:
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
>> s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
>> s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
>> num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=92, this_data=92, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
>> s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0
>> smb_signing_md5: sequence number 14
>> smb_signing_sign_pdu: sent SMB signature of
>> [0000] B0 93 27 43 EE 4A 37 94 ..'C.J7.
>> s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60
>> s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
>> s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fdde00f5a60
>> smb_signing_md5: sequence number 15
>> smb_signing_check_pdu: seq 15: got good SMB signature of
>> [0000] 8F F4 5B 5F 27 39 4C 42 ..[_'9LB
>> s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440
>> s4_tevent: Destroying timer event 0x7fdde00ef550 "dcerpc_timeout_handler"
>> s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0
>> s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0
>> lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
>> out: struct lsa_QueryTrustedDomainInfoByName
>> info : *
>> info : *
>> info : union lsa_TrustedDomainInfo(case 8)
>> full_info: struct lsa_TrustDomainInfoFullInfo
>> info_ex: struct lsa_TrustDomainInfoInfoEx
>> domain_name: struct lsa_StringLarge
>> length : 0x001a (26)
>> size : 0x001c (28)
>> string : *
>> string : 'ipa.*redacted*'
>> netbios_name: struct lsa_StringLarge
>> length : 0x001a (26)
>> size : 0x001c (28)
>> string : *
>> string : 'ipa.*redacted*'
>> sid : NULL
>> trust_direction : 0x00000003 (3)
>> 1: LSA_TRUST_DIRECTION_INBOUND
>> 1: LSA_TRUST_DIRECTION_OUTBOUND
>> trust_type : LSA_TRUST_TYPE_MIT
>
>
> and knows this domain already because a trust to the Kerberos realm was
> already created.
>
> If possible please remove the Kerberos trust from the AD side and try
> again.
>
> Please note that you cannot have trust to two realms which share the
> same realm name.
>
> HTH
>
> bye,
> Sumit
>
>> (3)
>> trust_attributes : 0x00000000 (0)
>> 0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
>> 0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
>> 0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
>> 0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
>> 0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
>> 0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
>> 0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
>> 0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
>> posix_offset: struct lsa_TrustDomainInfoPosixOffset
>> posix_offset : 0x00000000 (0)
>> auth_info: struct lsa_TrustDomainInfoAuthInfo
>> incoming_count : 0x00000000 (0)
>> incoming_current_auth_info: NULL
>> incoming_previous_auth_info: NULL
>> outgoing_count : 0x00000000 (0)
>> outgoing_current_auth_info: NULL
>> outgoing_previous_auth_info: NULL
>> result : NT_STATUS_OK
>> rpc reply data:
>> [Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>> [Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most recent call last):
>> [Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
>> [Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063] result = self.Command[name](*args, **options)
>> [Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
>> [Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063] ret = self.run(*args, **options)
>> [Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
>> [Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063] return self.execute(*args, **options)
>> [Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
>> [Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063] result = self.execute_ad(full_join, *keys, **options)
>> [Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
>> [Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063] self.realm_passwd
>> [Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
>> [Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063] self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
>> [Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
>> [Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063] self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
>> [Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>> [Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO: [jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*', trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********', all=False, raw=False, version=u'2.112'): TypeError
>>
>>
>> These are whole logs with "log level = 100" set in smb.conf.empty. Log files
>> were emptied before the above command was run. If there is any other
>> information required please let me know.
>>
>> Software versions:
>> Fedora 22: 4.1.4
>> Fedora 22: 4.2 Alpha 1
>>
>> Oracle Linux 7.1 64bit: without DNS
>> ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
>> ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
>>
>> CentOS 7.1 64bit: With DNS
>> ipa-server.x86_64 - 4.1.0-18-el7.centos.3
>> ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
>>
>>
>> Regards,
>> David
>>
Thank you, removed this from AD and tried the command again and this
time validated.
Cheers,
David
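
Added example, not part of the thread and not FreeIPA or Samba code: the traceback ends in `DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)`, and the dump shows `sid : NULL` for the existing `LSA_TRUST_TYPE_MIT` trust, so this sketch pulls the trust records out of such a debug log and lists those with no SID. The function names, the sample domain names and the sample SID are constructed for illustration.

```python
import re
# Constructed sample shaped like the quoted Samba debug output (wrapped, '>'-quoted).
SAMPLE_LOG = """\
>> info_ex: struct lsa_TrustDomainInfoInfoEx
>> domain_name: struct lsa_StringLarge
>> string :
>> 'ipa.example.test'
>> netbios_name: struct lsa_StringLarge
>> string : 'IPA'
>> sid : NULL
>> trust_type :
>> LSA_TRUST_TYPE_MIT
>> info_ex: struct lsa_TrustDomainInfoInfoEx
>> domain_name: struct lsa_StringLarge
>> string : 'child.example.test'
>> sid : *
>> sid : S-1-5-21-1111111111-2222222222-3333333333
"""
def normalize(text):
    """Drop '>' quote markers; re-join a value wrapped below its 'key :'."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if line and lines and lines[-1].endswith(":"):
            lines[-1] += " " + line
        elif line:
            lines.append(line)
    return lines

def parse_trusts(text):
    """Return one dict per lsa_TrustDomainInfoInfoEx block found in the log."""
    trusts, rec, field = [], {}, None
    for line in normalize(text):
        if line.startswith("info_ex: struct"):
            rec = {"domain_name": None, "sid": None, "trust_type": None}
            trusts.append(rec)
        elif m := re.match(r"(domain_name|netbios_name): struct", line):
            field = m.group(1)
        elif (m := re.match(r"string\s*:\s*'(.*)'", line)) and field == "domain_name":
            rec["domain_name"] = m.group(1)
        elif m := re.match(r"sid\s*:\s*(S-[\d-]+)", line):
            rec["sid"] = m.group(1)
        elif m := re.match(r"trust_type\s*:\s*(LSA_TRUST_TYPE_\w+)", line):
            rec["trust_type"] = m.group(1)
    return trusts

def sidless_trusts(text):
    """Trusts whose SID is NULL, so a delete-by-SID call has nothing to pass."""
    return [t for t in parse_trusts(text) if t["sid"] is None]
```
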