Bug 1112698
| Summary: | Broken dereference control with the FreeIPA 4.0 ACIs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.6 | CC: | pviktori, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.0.0-42.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1112702 | Environment: | |
| Last Closed: | 2014-10-14 07:32:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1112702, 1112824 | | |
Description
Martin Kosek
2014-06-24 13:55:37 UTC
Within this bug, we will just set the proper Requires on 389-ds-base fixed in Bug 1112702. That said, SanityOnly test is sufficient. Spec file fixed upstream master: https://fedorahosted.org/freeipa/changeset/5434851efd394c27ab6445a4b7544767452e20a5

Verified.
Version ::
ipa-server-3.0.0-42.el6.x86_64
Results ::
[root@rhel6-1 ~]# rpm -q --requires ipa-server|grep 389
389-ds-base >= 1.2.11.15-38
[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$MASTER \
> -r $REALM -n $DOMAIN -p Secret123 -P Secret123 -a Secret123 -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: skipping DNS resolution of host master.ipa1.example.test
Using reverse zone 122.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: master.ipa1.example.test
IP address: 192.168.122.61
Domain name: ipa1.example.test
Realm name: IPA1.EXAMPLE.TEST
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.122.1
Reverse zone: 122.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
[1/21]: creating certificate server user
[2/21]: creating pki-ca instance
[3/21]: configuring certificate server instance
[4/21]: disabling nonces
[5/21]: creating CA agent PKCS#12 file in /root
[6/21]: creating RA agent certificate database
[7/21]: importing CA chain to RA certificate database
[8/21]: fixing RA database permissions
[9/21]: setting up signing cert profile
[10/21]: set up CRL publishing
[11/21]: set certificate subject base
[12/21]: enabling Subject Key Identifier
[13/21]: setting audit signing renewal to 2 years
[14/21]: configuring certificate server to start on boot
[15/21]: restarting certificate server
[16/21]: requesting RA certificate from CA
[17/21]: issuing RA agent certificate
[18/21]: adding RA agent as a trusted user
[19/21]: configure certificate renewals
[20/21]: configure Server-Cert certificate renewal
[21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/38]: creating directory server user
[2/38]: creating directory server instance
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configuring replication version plugin
[7/38]: enabling IPA enrollment plugin
[8/38]: enabling ldapi
[9/38]: disabling betxn plugins
[10/38]: configuring uniqueness plugin
[11/38]: configuring uuid plugin
[12/38]: configuring modrdn plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: creating indices
[16/38]: enabling referential integrity plugin
[17/38]: configuring ssl for ds instance
[18/38]: configuring certmap.conf
[19/38]: configure autobind for root
[20/38]: configure new location for managed entries
[21/38]: restarting directory server
[22/38]: adding default layout
[23/38]: adding delegation layout
[24/38]: adding replication acis
[25/38]: creating container for managed entries
[26/38]: configuring user private groups
[27/38]: configuring netgroups from hostgroups
[28/38]: creating default Sudo bind user
[29/38]: creating default Auto Member layout
[30/38]: adding range check plugin
[31/38]: creating default HBAC rule allow_all
[32/38]: Upload CA cert to the directory
[33/38]: initializing group membership
[34/38]: adding master entry
[35/38]: configuring Posix uid/gid generation
[36/38]: enabling compatibility plugin
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
[1/10]: adding sasl mappings to the directory
[2/10]: adding kerberos container to the directory
[3/10]: configuring KDC
[4/10]: initialize kerberos container
[5/10]: adding default ACIs
[6/10]: creating a keytab for the directory
[7/10]: creating a keytab for the machine
[8/10]: adding the password extension to the directory
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
[1/13]: setting mod_nss port to 443
[2/13]: setting mod_nss password file
[3/13]: enabling mod_nss renegotiate
[4/13]: adding URL rewriting rules
[5/13]: configuring httpd
[6/13]: setting up ssl
[7/13]: setting up browser autoconfig
[8/13]: publish CA cert
[9/13]: creating a keytab for httpd
[10/13]: clean up any existing httpd ccache
[11/13]: configuring SELinux for httpd
[12/13]: restarting httpd
[13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@rhel6-1 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@rhel6-1 ~]# kinit admin
Password for admin@IPA1.EXAMPLE.TEST:
[root@rhel6-1 ~]# ldapsearch -Y GSSAPI -h $(hostname) -b "fqdn=$(hostname),cn=computers,cn=accounts,dc=ipa1,dc=example,dc=test" -E 'deref=managedBy:objectClass'
SASL/GSSAPI authentication started
SASL username: admin@IPA1.EXAMPLE.TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <fqdn=master.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=example,dc=test> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with dereference control
#
# master.ipa1.example.test, computers, accounts, ipa1.example.test
dn: fqdn=master.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=example,
dc=test
control: 1.3.6.1.4.1.4203.666.5.16 false MIQAAAEOMIQAAAEIBAltYW5hZ2VkQnkEUWZxZ
G49bWFzdGVyLmlwYTEuZXhhbXBsZS50ZXN0LGNuPWNvbXB1dGVycyxjbj1hY2NvdW50cyxkYz1pcG
ExLGRjPWV4YW1wbGUsZGM9dGVzdKCEAAAApDCEAAAAngQLb2JqZWN0Q2xhc3MxhAAAAIsEA3RvcAQ
JaXBhb2JqZWN0BAZuc2hvc3QEB2lwYWhvc3QECmlwYXNlcnZpY2UEB3BraXVzZXIED2tyYnByaW5j
aXBhbGF1eAQMa3JicHJpbmNpcGFsBBJrcmJ0aWNrZXRwb2xpY3lhdXgECmlwYXNzaGhvc3QEFGlwY
VNzaEdyb3VwT2ZQdWJLZXlz
# managedBy: <objectClass=top>;<objectClass=ipaobject>;<objectClass=nshost>;<
objectClass=ipahost>;<objectClass=ipaservice>;<objectClass=pkiuser>;<objectC
lass=krbprincipalaux>;<objectClass=krbprincipal>;<objectClass=krbticketpolic
yaux>;<objectClass=ipasshhost>;<objectClass=ipaSshGroupOfPubKeys>;fqdn=maste
r.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=example,dc=test
cn: master.ipa1.example.test
objectClass: top
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: krbticketpolicyaux
objectClass: ipasshhost
objectClass: ipaSshGroupOfPubKeys
krbLastPwdChange: 20140721173410Z
fqdn: master.ipa1.example.test
managedBy: fqdn=master.ipa1.example.test,cn=computers,cn=accounts,dc=ipa1,dc=e
xample,dc=test
krbExtraData:: AAIST81Tcm9vdC9hZG1pbkBJUEExLkVYQU1QTEUuVEVTVAA=
krbPrincipalName: host/master.ipa1.example.test@IPA1.EXAMPLE.TEST
serverHostName: master
ipaUniqueID: 39ad08b8-10fd-11e4-a866-0000c0a87a3d
krbLastSuccessfulAuth: 20140721180720Z
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5tB3d/zF8RXKetLMaFUIuKWBeHEY
7U0ZZpQIjszl9V9DF+m+1EnRArk1hgMdZrfYjjZmj1zab0MxBaVdMvXUIInzNkPHIxSyzsrnwz9i8
S2Tz0zLsvR31byqFqgqKCe454P/Qcq89XwzGJHFQdu7RT6iO34HqSnQK6TCzgQgSmn1oQL60hjYwQ
CQos7vA61CnB03C+3L/nQRcJ7QRutIy2rtS6SKBGPUlNZdgc6pUanWmF+sRIItNhQDDOGwX3FR9In
U/7abJVTCTQv8dR8IDiSke+YjdggkLHXnTYYlovneSa44l6+lekmJpYr9XaQ/kcPswv0dlvVIKWiV
nCGUWw==
ipaSshPubKey: ssh-dss AAAAB3NzaC1kc3MAAACBAP4jMl3UrmanG5WVQJP068daa9rDRSdtOAzE
cltYEuEaxP4D5gm1k+ANsaMmxR7tNNloFUKiYRMYmjStFyyGMOQ1p5BLUgtKJeD/tNBDqtQ3nvn0r
Awl2sxnuNY3ly6pvgBHj5diq7ifQvoFz6ytAkXyJmAggUnOu4J+nka4/4hJAAAAFQCaS3KCpEuzU6
RoqdoJFpZy5/Q95QAAAIEAv0n2quWl8tjAwF4HKOvOTtrszHPURTM+Adx2y/2KGGKmGOrA/h/I+HF
EUDvMilQKXn6NfxRTg6Ce1b8AlS2eGC67oY4nRc9ddv9yYIZVFv9c5v5eTfSdCynTQZOrPlYuRe4a
bSVOyBgk54peOTzkAoiGC1cl9LVQsJdTrh+7c+YAAACBAIsACHSOInsmz2o2faiOKBzW/IxQhmk74
ZkAdFsKR17dyW1WEj3FzMm8wd+DD5ZMIKebpu74gyqVXr+9ajK98CdIX9b89ZCtdVX05z0R5sOo4+
FCtX0r6dDfaVyxu3Rz2HP61GPngwDAHK/Vfa6ym4YuLWn3TKv4LlBcq0xXkW2q
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
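As an added illustration that is not part of the bug report or of the FreeIPA/389-ds code: the `control:` line in the ldapsearch output above is the response of the LDAP dereference control (OID 1.3.6.1.4.1.4203.666.5.16), a BER-encoded DerefRes whose contents ldapsearch summarised in its `# managedBy:` comment. The Python below decodes that value exactly as captured on this page, using only the standard library, and renders it the same way ldapsearch did, so one can see which attributes of the dereferenced entry the server actually returned for the bound identity, which is the data path this bug's ACI interaction concerns. The function and constant names are my own; the base64 string is the page's, re-joined from its LDIF continuation lines.

```python
import base64

# Control value copied from the page's ldapsearch output (control OID
# 1.3.6.1.4.1.4203.666.5.16), with the LDIF continuation lines re-joined.
PAGE_DEREF_CONTROL_B64 = (
    "MIQAAAEOMIQAAAEIBAltYW5hZ2VkQnkEUWZxZ"
    "G49bWFzdGVyLmlwYTEuZXhhbXBsZS50ZXN0LGNuPWNvbXB1dGVycyxjbj1hY2NvdW50cyxkYz1pcG"
    "ExLGRjPWV4YW1wbGUsZGM9dGVzdKCEAAAApDCEAAAAngQLb2JqZWN0Q2xhc3MxhAAAAIsEA3RvcAQ"
    "JaXBhb2JqZWN0BAZuc2hvc3QEB2lwYWhvc3QECmlwYXNlcnZpY2UEB3BraXVzZXIED2tyYnByaW5j"
    "aXBhbGF1eAQMa3JicHJpbmNpcGFsBBJrcmJ0aWNrZXRwb2xpY3lhdXgECmlwYXNzaGhvc3QEFGlwY"
    "VNzaEdyb3VwT2ZQdWJLZXlz"
)

TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OCTET_STRING = 0x04
TAG_CONTEXT_0 = 0xA0  # [0] constructed: the optional attrVals


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos].

    Handles short-form and definite long-form lengths; the response on this
    page encodes every length in long form (0x84 followed by 4 length bytes).
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def expect(tag, want, what):
    if tag != want:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, want, tag))


def decode_deref_response(value):
    """Decode a dereference-control response value into a list of dicts.

    SEQUENCE OF DerefRes, where DerefRes ::= SEQUENCE {
        derefAttr  AttributeDescription,
        derefVal   LDAPDN,
        attrVals   [0] PartialAttributeList OPTIONAL }
    """
    tag, body, end = read_tlv(value, 0)
    expect(tag, TAG_SEQUENCE, "response value")
    if end != len(value):
        raise ValueError("trailing bytes after response value")
    out = []
    for tag, item in iter_tlvs(body):
        expect(tag, TAG_SEQUENCE, "DerefRes")
        fields = list(iter_tlvs(item))
        if len(fields) < 2:
            raise ValueError("DerefRes needs derefAttr and derefVal")
        expect(fields[0][0], TAG_OCTET_STRING, "derefAttr")
        expect(fields[1][0], TAG_OCTET_STRING, "derefVal")
        entry = {
            "derefAttr": fields[0][1].decode("utf-8"),
            "derefVal": fields[1][1].decode("utf-8"),
            "attrVals": {},
        }
        if len(fields) > 2:
            expect(fields[2][0], TAG_CONTEXT_0, "attrVals")
            for ptag, partial in iter_tlvs(fields[2][1]):
                expect(ptag, TAG_SEQUENCE, "PartialAttribute")
                (ttag, atype), (stag, vals) = list(iter_tlvs(partial))
                expect(ttag, TAG_OCTET_STRING, "attribute type")
                expect(stag, TAG_SET, "attribute values")
                entry["attrVals"][atype.decode("utf-8")] = [
                    v.decode("utf-8") for _, v in iter_tlvs(vals)]
        out.append(entry)
    return out


def format_like_ldapsearch(entry):
    """Render one DerefRes the way ldapsearch comments it:
    derefAttr: <type=value>;...;derefVal"""
    parts = ["<%s=%s>" % (atype, v)
             for atype, vals in entry["attrVals"].items() for v in vals]
    parts.append(entry["derefVal"])
    return "%s: %s" % (entry["derefAttr"], ";".join(parts))


def decode_page_control():
    """Decode the control value captured in the ldapsearch output on this page."""
    return decode_deref_response(base64.b64decode(PAGE_DEREF_CONTROL_B64))


if __name__ == "__main__":
    for item in decode_page_control():
        print(format_like_ldapsearch(item))
```

Run stand-alone, it prints the same `managedBy: <objectClass=top>;...;fqdn=master.ipa1.example.test,...` line that ldapsearch wrote as a comment. The parser is deliberately strict (it rejects lengths that overrun the buffer and unexpected tags) because a control value comes from the server and is parsed before any of its content is trusted.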
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1383.html