Bug 1250135
| Summary: | Detect re-established trusts in the IPA subdomain code | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mvarun, mzidek, nsoman, ovasik, pbrezina, preichl |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.13.0-35.el7 | Doc Type: | Enhancement |
| Doc Text: |
Feature: Detect re-established trusts in the IPA subdomain code and re-fetching the keytab
Reason: Fetching the keytabs only when sssd service is restarted constitutes bad user experience
Result: Auto-detect the error from the LDAP provider and re-fetch the keytab automatically
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 11:39:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jakub Hrozek
2015-08-04 15:04:16 UTC
Cloned from upstream ticket per Steeve's request since this issue is getting annoying for QE. First patches are on the list under review already. Exception rationale: While we have code in SSSD that fetches the keytabs when sssd service is restarted, this constitutes bad user experience. We should auto-detect the error from the LDAP provider and re-fetch the keytab automatically. First batch of fixes landed upstream:
* 20162352030d1c577bb69d44e967d2c5839e5c0e
* ece345a74cec793e6d970a4955beb3d4a05935b3
* 64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1c
* dd0a21738e1b71940bba11134734b5999e9fd8e9
* 7fc8692d49cdaa0368072f196433c07b475da679
* 0561d532cf76b035b73cfed929a6896071dac407
* 99c5f2f6ba0af6ce52be0d82ec2794bacc215742
* b5825c74b6bf7a99ae2172392dbecb51179013a6
The rest of the patchset is on review now. FWIW, the last patchset related to this bug was: * 4c53f8b7400630ae06459aa8b5079427edcaa348 * 669ce24f8157b7d79914b3eb5a18214ef42aacc8 * bc58e1cfee742178f95922d964349d6c262f6df7 * 42bd89dbe77846b6ee60365bba50da521745bca1 Could you please add steps to verify this bug? (In reply to Varun Mylaraiah from comment #8) > Could you please add steps to verify this bug? We want to make sure that when trust is broken and re-established (trust-del; trust-add) then resolving AD users still work, even for those that were not cached and SSSD re-fetches the correct keytab and the keytab can be used. You can see the test I ran in the sssd-devel mail: https://lists.fedorahosted.org/pipermail/sssd-devel/2015-September/024905.html Verified
sssd-1.13.0-36.el7.x86_64
ipa-server-4.2.0-12.el7.x86_64
[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified
[root@master2 ~]# getent passwd aduser99
aduser99:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:
[root@master2 ~]# ipa trust-del adtest.qe
-------------------------
Deleted trust "adtest.qe"
-------------------------
[root@master2 ~]# echo Secret123|ipa trust-add --type=ad adtest.qe --admin Administrator --password --two-way=True
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
Realm name: adtest.qe
Domain NetBIOS name: ADTEST
Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
S-1-1, S-1-0, S-1-5-19, S-1-5-18
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
[root@master2 ~]# getent passwd aduser99
aduser99:*:1148407324:1148407324:aduser99 user:/home/adtest.qe/aduser99:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html |