Bug 1156595

Summary: Upgrade to IPA 6.6 prevents RHEV domain authentication
Product: Red Hat Enterprise Linux 6
Reporter: James W. Mills <jamills>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: Namita Soman <nsoman>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.6
CC: pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-29 15:05:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description                                                    Flags
ldapsearch -H ldap:// -Y GSSAPI -LLL -b 'cn=config' -s base    none
ldapsearch -H ldap:// -Y GSSAPI -LLL -b 'cn=config' -s base    none

Description James W. Mills 2014-10-24 17:43:17 UTC
Created attachment 950467
ldapsearch -H ldap:// -Y GSSAPI -LLL -b 'cn=config' -s base

Description of problem:

After upgrading to IPA 6.6 from IPA 6.4, domain auth from RHEV no longer worked


Version-Release number of selected component (if applicable):

#  rpm -qa ipa-{server,client} 389-ds-*
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-libs-1.2.11.15-47.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64
ipa-client-3.0.0-42.el6.x86_64

How reproducible:

100%


Steps to Reproduce:
1. Install IPA on RHEL 6.4/6.5
2. Add domain from RHEV with engine-manage-domains
3. Upgrade IPA to 6.6
4. Attempt to re-add the domain from RHEV, or authenticate without deleting/re-adding the domain

Actual results:

In RHEV 3.1-3.3:
Users cannot auth against existing domain
Failure to re-add domain

In RHEV 3.4:
Users can auth against existing domain
Failure to re-add domain

Expected results:

As the SASL SSF, the nsslapd-minssf, and the nsslapd-minssf-exclude-dse values did not change between IPA on 6.4 and IPA on 6.6, the expectation is that authentication using LDAP+GSSAPI would work as it did before.


Additional info:

This is the third bug to address environments where IPA is used to authenticate users from two other RH products, RHEV and RHOS5.  After the upgrade to IPA 6.6, RHEV authentication fails until minssf is raised to 1.  At this point, RHOS5 keystone is no longer able to authenticate, leading to a scenario where we are unable to use a single LDAP installation for authentication of both products.

RHEV Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1156577
RHOS Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1156585

I am including the results of:

# ldapsearch -H ldap:// -Y GSSAPI -LLL -b 'cn=config' -s base

for 6.6, and will attach 6.4 shortly.
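
As an added example (not from the bug or its attachments), the following Python script parses two ldapsearch -LLL -b 'cn=config' -s base dumps and reports whether the settings this report compares, nsslapd-minssf and nsslapd-minssf-exclude-dse, changed across the upgrade; the two further 389-ds attributes in WATCHED are assumed from its documentation, and the LDIF samples are constructed, not the attached ones.

```python
import base64
import re

# Attributes compared in the report (first two) plus related 389-ds
# security settings whose names are assumed from the 389-ds docs.
WATCHED = (
    "nsslapd-minssf",
    "nsslapd-minssf-exclude-dse",
    "nsslapd-require-secure-binds",
    "nsslapd-allow-anonymous-access",
)

def parse_ldif(text):
    """Parse one `ldapsearch -LLL` entry into {attr: [values]}.

    Unfolds LDIF continuation lines (a leading single space) and decodes
    base64 values written in the `attr:: value` form."""
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def diff_security(before, after, watched=WATCHED):
    """Return {attr: (old_values, new_values)} for every watched attribute
    whose values differ between the pre- and post-upgrade dumps."""
    b, a = parse_ldif(before), parse_ldif(after)
    return {attr: (b.get(attr, []), a.get(attr, []))
            for attr in watched if b.get(attr, []) != a.get(attr, [])}

# Constructed sample dump standing in for the 6.4 attachment.
DUMP_64 = """dn: cn=config
cn: config
nsslapd-minssf: 0
nsslapd-minssf-exclude-dse: on
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on
nsslapd-localhost: ipa.example
 .test
"""
# Post-upgrade dump with identical settings, as the report expects.
DUMP_66 = DUMP_64
# The workaround the report mentions: minssf raised to 1.
DUMP_66_MINSSF1 = DUMP_64.replace("nsslapd-minssf: 0", "nsslapd-minssf: 1")

if __name__ == "__main__":
    print(diff_security(DUMP_64, DUMP_66))          # {}
    print(diff_security(DUMP_64, DUMP_66_MINSSF1))  # {'nsslapd-minssf': (['0'], ['1'])}
```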

Comment 1 James W. Mills 2014-10-24 17:43:47 UTC
Created attachment 950468
ldapsearch -H ldap:// -Y GSSAPI -LLL -b 'cn=config' -s base

Comment 3 Petr Vobornik 2014-10-29 15:05:00 UTC
I don't see an issue in IPA nor directory server. Closing as NOTABUG since the RHOS part is a configuration issue (bug 1156585) and RHEV is being worked on in bug 1156577.

Please reopen if you think that's not the case.