Bug 1259020

Sorry the command is 

 ipa-server-install

Here is the rest of the ipa software
# rpm -qa |grep  'ipa-'
ipa-server-trust-ad-4.1.0-18.el7_1.3.x86_64
ipa-python-4.1.0-18.el7_1.3.x86_64
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
ipa-server-4.1.0-18.el7_1.3.x86_64
ipa-admintools-4.1.0-18.el7_1.3.x86_64
sssd-ipa-1.12.2-58.el7.x86_64
ipa-client-4.1.0-18.el7_1.3.x86_64

Does not look like an issue in the Directory Server.  Changing the component to IPA...

Currently, we allow only uppercase characters and digits. Sumit, is there a technical reason not to support the full set as per https://support.microsoft.com/en-us/kb/188997 ?

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5286

No, there is no reason, I guess I didn't found this document when I was searching for a list of valid characters and used a too strict set. Please note that some of the special characters might not be allowed as first or last characters of a NetBIOS name.

The document is for Windows NT, not Active Directory. I have not found a newer reference and I'm intending to ask Microsoft documentation team for a clarification.

Then take this https://support.microsoft.com/en-us/kb/909264

BTW, this makes additional problems see Bug 1305533.
And if I check my configuration of the IdM server:

# hostname -s
dedcs1-idm02
# net registry enumerate_recursive 'HKLM\Software\Samba\smbconf'| sed -n '/netbios/,/Value/p'
Valuename  = netbios name
Type       = REG_SZ
Value      = "DEDCS1IDM02"

The dash is removed, why?

At least a dash must be allowed and this can be solved very simple:

--- /usr/lib/python2.7/site-packages/ipaserver/install/adtrustinstance.py.orig  2015-07-09 10:57:36.000000000 +0200
+++ /usr/lib/python2.7/site-packages/ipaserver/install/adtrustinstance.py       2016-02-09 12:56:30.394308457 +0100
@@ -44,7 +44,7 @@
 from ipaplatform.tasks import tasks


-ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
+ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'

 UPGRADE_ERROR = """
 Entry %(dn)s does not exist.

Fixed upstream:

ipa-4-2: 657838462c4b0ce5be2cee584b3be112aca6c660
ipa-4-3: 1496fb779d72fb590376df23e39206938fe8dad2
master: b41fbceeafea126f8e014da5d3596138c6cf0feb

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Fix is seen. Verified on RHEL73 using
ipa-server-trust-ad-4.4.0-11.el7.x86_64
ipa-server-4.4.0-11.el7.x86_64

Note:
ipa-adtrust-install allows - in the NetBIOS name.
. is not allowed e.g TEST-RELM.TEST

[root@master db]# ipa-adtrust-install --netbios-name=TEST-RELM         
 
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
 
This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server
 
To accept the default shown in brackets, press the Enter key.
 
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
 
Enable trusted domains support in slapi-nis? [no]:
 
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
 
admin password:
WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.
Do you want to run the ipa-sidgen task? [no]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
  [1/21]: stopping smbd
  [2/21]: creating samba domain object
  [3/21]: creating samba config registry
  [4/21]: writing samba config file
  [5/21]: adding cifs Kerberos principal
  [6/21]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/21]: check for cifs services defined on other replicas
  [8/21]: adding cifs principal to S4U2Proxy targets
  [9/21]: adding admin(group) SIDs
  [10/21]: adding RID bases
  [11/21]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/21]: activating CLDAP plugin
  [13/21]: activating sidgen task
  [14/21]: configuring smbd to start on boot
  [15/21]: adding special DNS service records
  [16/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [17/21]: adding fallback group
  [18/21]: adding Default Trust View
  [19/21]: setting SELinux booleans
  [20/21]: starting CIFS services
  [21/21]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html