Bug 1030517
| Field | Value |
|---|---|
| Summary | RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 characters |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Scott Poore <spoore> |
| Component | ipa |
| Assignee | Sumit Bose <sbose> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Namita Soman <nsoman> |
| Severity | unspecified |
| Priority | medium |
| Version | 7.0 |
| CC | abokovoy, mkosek, rcritten, sbose, tbabej |
| Target Milestone | rc |
| Flags | abokovoy: needinfo+ |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-3.3.3-14.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-06-13 12:00:20 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Scott Poore
2013-11-14 15:45:00 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4028

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/71481a0aa497a579ded42500b5b8f8c6807c825d
ipa-3-3: https://fedorahosted.org/freeipa/changeset/313f2e76355b4da4db7448b0b0cedc825d39db9f

With this fix to cut down the netbios name of the host, how can I confirm the name has been shortened? I installed ipa-server-3.3.3-8.el7.x86_64 but I still do not see user name lookup work:

```
[root@long-host-name12345678 sssd]# getent passwd 'AD2\Administrator'
[root@long-host-name12345678 sssd]#
```

And when I check the logs:

```
[root@long-host-name12345678 sssd]# grep -i GSSAPI * | grep -i KDC
sssd_testrelm.com.log:(Mon Jan 6 20:49:21 2014) [sssd[be[testrelm.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)]
```

So, how can I confirm that the netbios name was truncated as expected?

Alexander or Tomas, please advise.

Scott, I think the easiest way is to capture the network packets and look at the CLDAP response with wireshark.

Yes, I think using network capture is best here.

Ok, I did a tcpdump capture during getent and ssh to see if I could get that. I will attach that, but I don't see the hostname truncated anywhere in that capture.

I do see this though (from the ssh I think):

```
290 2014-01-07 09:04:15.802193 192.168.122.77 -> 192.168.122.21 SMB NT Create AndX Request, Path: \netlogon
291 2014-01-07 09:04:15.802963 192.168.122.21 -> 192.168.122.77 SMB NT Create AndX Response, FID: 0x4002
292 2014-01-07 09:04:15.803004 192.168.122.77 -> 192.168.122.21 TCP 44517 > microsoft-ds [ACK] Seq=1539 Ack=1794 Win=21120 Len=0 TSV=48528686 TSER=8484834
293 2014-01-07 09:04:15.804044 192.168.122.77 -> 192.168.122.21 DCERPC Bind: call_id: 6 RPC_NETLOGON V1.0
294 2014-01-07 09:04:15.804693 192.168.122.21 -> 192.168.122.77 DCERPC Bind_ack: call_id: 6 accept max_xmit: 4280 max_recv: 4280
295 2014-01-07 09:04:15.814741 192.168.122.77 -> 192.168.122.21 RPC_NETLOGON NetrServerReqChallenge request, LONG-HOST-NAME12345678
296 2014-01-07 09:04:15.815388 192.168.122.21 -> 192.168.122.77 RPC_NETLOGON NetrServerReqChallenge response
297 2014-01-07 09:04:15.818605 192.168.122.77 -> 192.168.122.21 RPC_NETLOGON NetrServerAuthenticate2 request, TESTRELM$
298 2014-01-07 09:04:15.820482 192.168.122.21 -> 192.168.122.77 RPC_NETLOGON NetrServerAuthenticate2 response, STATUS_BUFFER_OVERFLOW
299 2014-01-07 09:04:15.822215 192.168.122.77 -> 192.168.122.21 SMB Close Request, FID: 0x4002
300 2014-01-07 09:04:15.822963 192.168.122.21 -> 192.168.122.77 SMB Close Response, FID: 0x4002
```

Is the above just confirmation of the problem?

Created attachment 846738 [details]
tcpdump capture during getent/ssh for AD2\Administrator

Ok, I checked a couple of times and got the same results. I'm moving this back to ASSIGNED so it can go through proper updates to get the fixed version. FYI:

```
[root@rhel7-8 ~]# ipa trust-add ad2.example.test --admin Administrator --range-type=ipa-ad-trust --password
Active directory domain administrator's password:
---------------------------------------------------------
Added Active Directory trust for realm "ad2.example.test"
---------------------------------------------------------
  Realm name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@rhel7-8 ~]# getent passwd 'AD2\Administrator'
[root@rhel7-8 ~]# grep GSS.*KDC /var/log/messages
Jan 12 17:46:22 rhel7-8 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)
[root@rhel7-8 ~]# date
Sun Jan 12 17:46:31 CST 2014
[root@rhel7-8 ~]# rpm -q ipa-server
ipa-server-3.3.3-11.el7.x86_64
```

I'll look at it.

I already have a fix for this which was successfully tested by Scott.

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/487a8f4749bfff9206564abe43e73c0a8362d05b
ipa-3-3: https://fedorahosted.org/freeipa/changeset/0292b1726b7d73e60c1bca0612d67fecb0c2347d

Verified.

Version :: ipa-server-3.3.3-12.el7.x86_64

Test Results ::

Manually ran the following to set up the env:

```
echo "192.168.122.77 long-host-name12345678.ipa4.example.test long-host-name12345678" >> /etc/hosts
echo "long-host-name12345678.ipa4.example.test" > /etc/hostname
service firewall stop
iptables -F
yum -y update
ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=$(hostname) \
    -r IPA4.EXAMPLE.TEST -n ipa4.example.test -p Secret123 -P Secret123 -a Secret123 -U
ipa-adtrust-install --netbios-name=IPA4 -a Secret123 -U
# Add dns forwarder on AD server
ipa dnszone-add ad2.example.test --name-server=w2k8r2-1.ad2.example.test. \
    --admin-email="hostmaster.test" --force --forwarder=192.168.122.21 \
    --forward-policy=only --ip-address=192.168.122.21
ipa trust-add ad2.example.test --admin Administrator --range-type=ipa-ad-trust --password
```

Then manually ran the automated test:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_bug_1030517: RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 characters
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 15:43:12 ] :: Hostname longer than 15 chars, checking for bug
administrator.test:*:551800500:551800500:Administrator:/:
:: [ PASS ] :: Running 'getent passwd 'AD2\Administrator'' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/messages' should not contain 'GSSAPI.*KDC.*reject'
:: [ PASS ] :: BZ1030517 not found
```

Sumit found out we do not set the NetBIOS name in the samba configuration. If the IPA server had a hostname longer than 15 characters, it would lead to an invalid NetBIOS hostname: https://fedorahosted.org/freeipa/ticket/4116

Moving back to ASSIGNED.

Wasn't that what ipa-3.3.3-12.el7 fixed? Or was something else missed?

Previous patches fixed the CLDAP responder. However, Sumit found that the actual IPA server Samba part may still have the NetBIOS name wrong, so we decided to rather force the proper name into its configuration. We decided to attach the fix to this Bugzilla. Sumit will know better what the wrong samba NetBIOS hostname would cause, if you want to know more.

Scott, I think the messages related to a too small buffer you were seeing in the network traces were caused by samba using a too long NetBIOS hostname.

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/531ede2904608a2bfe24d09c94dc0b87d780f30a
ipa-3-3: https://fedorahosted.org/freeipa/changeset/4679a3b8d3c093ea2ba3b32cafca9b42d47fce15

To verify the change manually, run:

```
# net conf list | grep "netbios name"
```

Note that the change does not apply on upgrade, but only after a new installation (or ipa-adtrust-install) run.

Ok, I'll re-verify with this info too once it's ON_QA. Thanks for the info.

Should the netbios name here be stripping hyphens?

```
[root@long-host-name12345678 ~]# net conf list | grep "netbios name"
	netbios name = LONGHOSTNAME123
[root@long-host-name12345678 ~]# hostname
long-host-name12345678.ipa9.example.test
```

I thought the cldap entry we saw during some debugging had the hyphens?

Thanks

Good catch. While the CLDAP plugin just cuts the name after 15 characters, ipa-adtrust-install tries to be smarter and checks the name for invalid characters as well. While doing this it is a bit too strict: it only allows upper-case letters and digits, while a hyphen and a full stop are allowed, but not as the first or last character.

While there are different ways to solve the disconnect, I think the safest would be to let the CLDAP plugin use the same scheme as ipa-adtrust-install to create a valid NetBIOS name. Alexander, do you agree?

I agree. (I had the same comment pending in a separate browser tab for a couple of hours) ;)

Ok, so, if the CLDAP plugin is changed, is there a way to see the name it's using other than a network trace?

Alexander or Sumit, is the fix required to land in RHEL-7.0? If yes, please reopen https://fedorahosted.org/freeipa/ticket/4116. If not, please file a new enhancement ticket.

Reopened https://fedorahosted.org/freeipa/ticket/4116 and assigned to me.

(In reply to Scott Poore from comment #30)
> Ok, so, if the CLDAP plugin is changed, is there a way to see the name it's
> using other than a network trace?

You can run ldapsearch to get the binary CLDAP response:

```
# ldapsearch -H cldap://ipa18-devel.ipa18.devel -b '' -s base '(&(DnsDomain=ipa18.devel)(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' netlogon -LLL -t
dn:
netlogon:< file:///tmp/ldapsearch-netlogon-oSP7u0
```

I didn't find a tool which can decode the binary data properly, but looking at the hexdump will show the name:

```
]# od -c /tmp/ldapsearch-netlogon-oSP7u0
0000000 027 \0 \0 \0 375 003 \0 \0 M 351 \r 374 S 003 : J
0000020 207 301 037 [ 030 373 ~ B 005 i p a 1 8 005 d
0000040 e v e l \0 300 030 \v i p a 1 8 - d e
0000060 v e l 300 030 005 I P A 1 8 \0 \n I P A
0000100 1 8 D E V E L \0 \0 027 D e f a u l
0000120 t - F i r s t - S i t e - N a m
0000140 e \0 300 I 020 002 \0 \0 \0 177 \0 \0 001 \0 \0 \0
0000160 \0 \0 \0 \0 \0 \0 005 \0 \0 \0 377 377 377 377
0000176
```

The string before 'Default-First-Site-Name' is the NetBIOS name.

HTH

Very cool. If that binary file is predictable, I think I might be able to do it like this:

```
[root@long-host-name12345678 ~]# NBNAME=$(hexdump -C /tmp/ldapsearch-netlogon-xAmsNj |cut -f2 -d'|'|tr -d '\n'|sed -e 's/\.*Default-First-Site-Name.*$//' -e 's/^.*\.\.//')
[root@long-host-name12345678 ~]# echo $NBNAME
LONG-HOST-NAME1
```

That may be enough for my tests as long as I can rely on that delimiter between the Netbios Realm(?) and Host names.

```
[root@long-host-name12345678 ~]# CLDAP_NAME=$(hexdump -C /tmp/ldapsearch-netlogon-xAmsNj |cut -f2 -d'|'|tr -d '\n'|sed -e 's/\.*Default-First-Site-Name.*$//' -e 's/^.*\.\.//')
[root@long-host-name12345678 ~]# NET_CONF_NAME=$(net conf list|grep -i "netbios name"|awk '{print $4}')
[root@long-host-name12345678 ~]# if [ "$CLDAP_NAME" = "$NET_CONF_NAME" ]; then echo same; else echo different; fi
different
[root@long-host-name12345678 ~]# echo "$CLDAP_NAME : $NET_CONF_NAME"
LONG-HOST-NAME1 : LONGHOSTNAME123
```

So I should be able to get something usable for a test. Just need to get the new fix.

Fix pushed upstream:

master:
2bb2aa8c484285648e6f422a00006f0f00a352ef CLDAP: add unit tests for make_netbios_name
311b2b1acf00cab510eaa62306f5d61d2f9bf95f CLDAP: generate NetBIOS name like ipa-adtrust-install does

ipa-3-3:
17d6f27da33b99fb312d5bfdcf0a014caf093a1d CLDAP: add unit tests for make_netbios_name
c57ff0a9aae8e51de1de8671dc6c8d91a1f1af66 CLDAP: generate NetBIOS name like ipa-adtrust-install does

Verified.

Version :: ipa-server-3.3.3-15.el7.x86_64

Test Results ::

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_bug_1030517: RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 characters
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 13:01:47 ] :: Hostname longer than 15 chars, checking for bug
:: [ PASS ] :: CLDAP NetBIOS NAME (LONGHOSTNAME123) matches net conf NetBIOS Name (LONGHOSTNAME123)
administrator.test:*:551800500:551800500:Administrator:/home/ad2.example.test/administrator:
:: [ PASS ] :: Running 'getent passwd 'AD2\Administrator'' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/messages' should not contain 'GSSAPI.*KDC.*reject'
:: [ PASS ] :: BZ1030517 not found
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
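An added example, not code from the bug thread or from FreeIPA: a Python decoder for the name fields of the CLDAP netlogon blob that the od dump above shows, next to the two NetBIOS name derivations the thread compares (cut after 15 characters versus the ipa-adtrust-install scheme that keeps only upper-case letters and digits). The field order (24-byte header, then RFC 1035 compressed names: forest, domain, host, NetBIOS domain, NetBIOS host, user, DC site, client site) follows that dump; the sample blob with its zeroed GUID, and the exact pre-fix "cut after 15" behaviour, are assumptions for this example.

```python
import re

def netbios_cldap_old(hostname):
    # Assumed pre-fix CLDAP plugin behaviour from the bug: upper-case, cut after 15.
    return hostname.split(".")[0].upper()[:15]

def netbios_adtrust(hostname):
    # ipa-adtrust-install scheme: keep only A-Z and 0-9, then cut to 15.
    return re.sub(r"[^A-Z0-9]", "", hostname.split(".")[0].upper())[:15]

def is_valid_netbios_name(name):
    # Rule quoted in the bug: '-' and '.' are allowed, but not first or last.
    return re.fullmatch(r"[A-Z0-9](?:[A-Z0-9.-]{0,13}[A-Z0-9])?", name) is not None

def read_compressed_name(blob, off):
    # One RFC 1035 label sequence; 0xC0xx is a pointer back into the blob.
    labels, end = [], None
    while True:
        length = blob[off]
        if length & 0xC0 == 0xC0:
            end = end or off + 2
            off = ((length & 0x3F) << 8) | blob[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(blob[off:off + length].decode("utf-8"))
        off += length

def netlogon_names(blob):
    # Name fields of a NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 0x17): 24-byte
    # header (opcode, sbz, flags, domain GUID), then the compressed names.
    if int.from_bytes(blob[:2], "little") != 0x17:
        raise ValueError("not a LOGON_SAM_LOGON_RESPONSE_EX blob")
    names, off = {}, 24
    for field in ("dns_forest", "dns_domain", "dns_host", "nb_domain",
                  "nb_host", "user", "dc_site", "client_site"):
        names[field], off = read_compressed_name(blob, off)
    return names

# Constructed sample laid out like the od(1) dump in the bug (GUID zeroed); its NetBIOS host is the pre-fix "LONG-HOST-NAME1".
SAMPLE_BLOB = (
    b"\x17\x00\x00\x00\xfd\x03\x00\x00" + bytes(16)
    + b"\x04ipa4\x07example\x04test\x00"       # forest, at offset 24
    + b"\xc0\x18"                              # domain: pointer to forest
    + b"\x16long-host-name12345678\xc0\x18"    # host label + pointer to forest
    + b"\x04IPA4\x00" + b"\x0fLONG-HOST-NAME1\x00" + b"\x00"  # NetBIOS dom/host, user
    + b"\x17Default-First-Site-Name\x00"       # DC site, at offset 94
    + b"\xc0\x5e"                              # client site: pointer to DC site
)
```

On a live server the blob is the file that `ldapsearch -t` writes, and comparing `netlogon_names(blob)["nb_host"]` with the `netbios name` from `net conf list` is the check the bug's test performs without grepping a hexdump.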