[Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error

Sumit Bose sbose at redhat.com
Fri Jul 3 15:14:08 UTC 2015


On Fri, Jul 03, 2015 at 03:30:38PM +0100, David Fox wrote:
> On 2015-07-02 12:47, Sumit Bose wrote:
> >On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote:
> >>I am encountering issues trying to integrate FreeIPA with AD, on *nix
> >>prompt I get "internal server error" and within I receive the following
> >>message in httpd_errorlog.
> >>
> >
> >It looks like we ask AD if it already has a trust to a domain called
> >'ipa.*redacted*' and ....
> >
> >>rpc reply data:
> >>[0000] 00 00 02 00 06 00 00 00   03 00 00 00 00 00 00 00   ........
> >>........
> >>     lsa_QueryTrustedDomainInfoByName: struct
> >>lsa_QueryTrustedDomainInfoByName
> >>        in: struct lsa_QueryTrustedDomainInfoByName
> >>            handle                   : *
> >>                handle: struct policy_handle
> >>                    handle_type              : 0x00000000 (0)
> >>                    uuid                     :
> >>0593f50d-b3c4-4b0a-b3d7-f502da1ea0e6
> >>            trusted_domain           : *
> >>                trusted_domain: struct lsa_String
> >>                    length                   : 0x001a (26)
> >>                    size                     : 0x001a (26)
> >>                    string                   : *
> >>                        string                   : 'ipa.*redacted*'
> >>            level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO
> >>(8)
> >>rpc request data:
> >>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fdde00ef550
> >>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
> >>data_total=92, this_data=92, max_data=4280, param_offset=84,
> >>param_pad=2,
> >>param_disp=0, data_offset=84, data_pad=0, data_disp=0
> >>s4_tevent: Added timed event "tevent_req_timedout": 0x7fdde00ee2f0
> >>smb_signing_md5: sequence number 14
> >>smb_signing_sign_pdu: sent SMB signature of
> >>[0000] B0 93 27 43 EE 4A 37 94                            ..'C.J7.
> >>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger":
> >>0x7fdde00f5a60
> >>s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fdde0230710
> >>s4_tevent: Run immediate event "tevent_queue_immediate_trigger":
> >>0x7fdde00f5a60
> >>smb_signing_md5: sequence number 15
> >>smb_signing_check_pdu: seq 15: got good SMB signature of
> >>[0000] 8F F4 5B 5F 27 39 4C 42                            ..[_'9LB
> >>s4_tevent: Destroying timer event 0x7fdde00ee2f0 "tevent_req_timedout"
> >>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde050c440
> >>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde050c440
> >>s4_tevent: Destroying timer event 0x7fdde00ef550
> >>"dcerpc_timeout_handler"
> >>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fdde05110e0
> >>s4_tevent: Run immediate event "tevent_req_trigger": 0x7fdde05110e0
> >>     lsa_QueryTrustedDomainInfoByName: struct
> >>lsa_QueryTrustedDomainInfoByName
> >>        out: struct lsa_QueryTrustedDomainInfoByName
> >>            info                     : *
> >>                info                     : *
> >>                    info                     : union
> >>lsa_TrustedDomainInfo(case 8)
> >>                    full_info: struct lsa_TrustDomainInfoFullInfo
> >>                        info_ex: struct lsa_TrustDomainInfoInfoEx
> >>                            domain_name: struct lsa_StringLarge
> >>                                length                   : 0x001a (26)
> >>                                size                     : 0x001c (28)
> >>                                string                   : *
> >>                                    string                   :
> >>'ipa.*redacted*'
> >>                            netbios_name: struct lsa_StringLarge
> >>                                length                   : 0x001a (26)
> >>                                size                     : 0x001c (28)
> >>                                string                   : *
> >>                                    string                   :
> >>'ipa.*redacted*'
> >>                            sid                      : NULL
> >>                            trust_direction          : 0x00000003 (3)
> >>                                   1: LSA_TRUST_DIRECTION_INBOUND
> >>                                   1: LSA_TRUST_DIRECTION_OUTBOUND
> >>                            trust_type               :
> >>LSA_TRUST_TYPE_MIT
> >
> >
> >and knows this domain already because a trust to the Kerberos realm was
> >already created.
> >
> >If possible please remove the Kerberos trust from the AD side and try
> >again.
> >
> >Please note that you cannot have trust to two realms which share the
> >same realm name.
> >
> >HTH
> >
> >bye,
> >Sumit
> >
> >>(3)
> >>                            trust_attributes         : 0x00000000 (0)
> >>                                   0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
> >>                                   0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
> >>                                   0:
> >>LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
> >>                                   0:
> >>LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
> >>                                   0:
> >>LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
> >>                                   0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
> >>                                   0:
> >>LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
> >>                                   0:
> >>LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
> >>                        posix_offset: struct
> >>lsa_TrustDomainInfoPosixOffset
> >>                            posix_offset             : 0x00000000 (0)
> >>                        auth_info: struct lsa_TrustDomainInfoAuthInfo
> >>                            incoming_count           : 0x00000000 (0)
> >>                            incoming_current_auth_info: NULL
> >>                            incoming_previous_auth_info: NULL
> >>                            outgoing_count           : 0x00000000 (0)
> >>                            outgoing_current_auth_info: NULL
> >>                            outgoing_previous_auth_info: NULL
> >>            result                   : NT_STATUS_OK
> >>rpc reply data:
> >>[Tue Jun 30 13:17:01.369249 2015] [:error] [pid 1063] ipa: ERROR:
> >>non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected
> >>type
> >>'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
> >>[Tue Jun 30 13:17:01.369285 2015] [:error] [pid 1063] Traceback (most
> >>recent
> >>call last):
> >>[Tue Jun 30 13:17:01.369289 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in
> >>wsgi_execute
> >>[Tue Jun 30 13:17:01.369292 2015] [:error] [pid 1063]     result =
> >>self.Command[name](*args, **options)
> >>[Tue Jun 30 13:17:01.369294 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in
> >>__call__
> >>[Tue Jun 30 13:17:01.369303 2015] [:error] [pid 1063]     ret =
> >>self.run(*args, **options)
> >>[Tue Jun 30 13:17:01.369306 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
> >>[Tue Jun 30 13:17:01.369308 2015] [:error] [pid 1063]     return
> >>self.execute(*args, **options)
> >>[Tue Jun 30 13:17:01.369310 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in
> >>execute
> >>[Tue Jun 30 13:17:01.369313 2015] [:error] [pid 1063]     result =
> >>self.execute_ad(full_join, *keys, **options)
> >>[Tue Jun 30 13:17:01.369315 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in
> >>execute_ad
> >>[Tue Jun 30 13:17:01.369318 2015] [:error] [pid 1063]
> >>self.realm_passwd
> >>[Tue Jun 30 13:17:01.369320 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in
> >>join_ad_full_credentials
> >>[Tue Jun 30 13:17:01.369323 2015] [:error] [pid 1063]
> >>self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
> >>[Tue Jun 30 13:17:01.369325 2015] [:error] [pid 1063]   File
> >>"/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in
> >>establish_trust
> >>[Tue Jun 30 13:17:01.369327 2015] [:error] [pid 1063]
> >>self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
> >>[Tue Jun 30 13:17:01.369330 2015] [:error] [pid 1063] TypeError:
> >>default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid'
> >>for
> >>'py_dom_sid' of type 'NoneType'
> >>[Tue Jun 30 13:17:01.369648 2015] [:error] [pid 1063] ipa: INFO:
> >>[jsonserver_session] admin at IPA.*redacted*: trust_add(u'*redacted*',
> >>trust_type=u'ad', realm_admin=u'*redacted*', realm_passwd=u'********',
> >>all=False, raw=False, version=u'2.112'): TypeError
> >>
> >>
> >>These are whole logs with "log level = 100" set in smb.conf.empty. Log
> >>files were emptied before the above command was run. If there is any
> >>other information required please let me know.
> >>
> >>Software versions:
> >>Fedora 22: 4.1.4
> >>Fedora 22: 4.2 Alpha 1
> >>
> >>Oracle Linux 7.1 64bit: without DNS
> >>ipa-server.x86_64 - 4.1.0-18.0.1-el17_1.3
> >>ipa-server-trust-ad.x86_64 - 4.1.0-18.0.1-el17_1.3
> >>
> >>CentOS 7.1 64bit: With DNS
> >>ipa-server.x86_64 - 4.1.0-18-el7.centos.3
> >>ipa-server-trust-ad.x86_64 - 4.1.0-18-el7.centos.3
> >>
> >>
> >>Regards,
> >>David
> >>
> 
> Thank you, removed this from AD and tried the command again and this time
> validated.

Thank you for the feedback, glad I could help. Thanks for finding and
reopening https://fedorahosted.org/freeipa/ticket/4999. I've added a
comment about the reason for this issue.

bye,
Sumit

> 
> Cheers,
> David
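
An added example, not part of the original thread and not FreeIPA's own code: a small parser that pulls the trust entries AD reports out of a Samba debug log like the one quoted above and flags the case diagnosed in the reply, an existing entry with a NULL SID (here an `LSA_TRUST_TYPE_MIT` realm trust), which is what reached `DeleteTrustedDomain` as `None`. The sample log, its domain names and SID, and the function names are constructed for illustration, and the `sid : *` pointer layout for a non-NULL SID is an assumption about the dump format.

```python
import re

# Constructed sample in the shape of the quoted Samba debug dump, including
# mail-wrapped values; the domain names and the SID are made-up placeholders.
SAMPLE_LOG = """\
> >>        out: struct lsa_QueryTrustedDomainInfoByName
> >>                        info_ex: struct lsa_TrustDomainInfoInfoEx
> >>                            domain_name: struct lsa_StringLarge
> >>                                    string                   :
> >>'ipa.example.test'
> >>                            sid                      : NULL
> >>                            trust_type               :
> >>LSA_TRUST_TYPE_MIT
> >>            result                   : NT_STATUS_OK
> >>        out: struct lsa_QueryTrustedDomainInfoByName
> >>                        info_ex: struct lsa_TrustDomainInfoInfoEx
> >>                            domain_name: struct lsa_StringLarge
> >>                                    string                   : 'ad-b.example'
> >>                            sid                      : *
> >>                                sid                      : S-1-5-21-1-2-3
> >>                            trust_type               : LSA_TRUST_TYPE_UPLEVEL
> >>            result                   : NT_STATUS_OK
"""

QUOTE = re.compile(r"^(?:> ?)+", re.M)  # mail quote markers at line start
NAME = re.compile(r"domain_name:.*?string\s*:\s*'([^']*)'", re.S)
SID = re.compile(r"\bsid\s*:\s*(?:\*\s*sid\s*:\s*)?(NULL|S-1-[0-9-]+)")
TYPE = re.compile(r"trust_type\s*:\s*(LSA_TRUST_TYPE_\w+)")

def existing_trusts(log_text):
    """Return one dict per lsa_QueryTrustedDomainInfoByName reply in the log."""
    text = QUOTE.sub("", log_text)
    replies = text.split("out: struct lsa_QueryTrustedDomainInfoByName")[1:]
    found = []
    for reply in replies:
        name, sid, ttype = NAME.search(reply), SID.search(reply), TYPE.search(reply)
        if not (name and sid and ttype):
            continue  # reply carried an error status or a different info level
        found.append({
            "domain": name.group(1),
            "sid": None if sid.group(1) == "NULL" else sid.group(1),
            "trust_type": ttype.group(1),
        })
    return found

def blocking_trusts(log_text):
    """Existing trusts with no SID, i.e. nothing valid to hand to DeleteTrustedDomain."""
    return [t for t in existing_trusts(log_text) if t["sid"] is None]
```

Any entry returned by `blocking_trusts` names the realm trust to remove on the AD side before retrying `ipa trust-add`.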
