Bug 1441316
| Summary: | WebUI cert auth fails after ipa-adtrust-install | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | ksiddiqu, pvoborni, pvomacka, rcritten, spoore, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:48:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2017-04-11 16:22:57 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6862

Fixed upstream
ipa-4-5: https://pagure.io/freeipa/c/b5114070ae55bcc7ec1abe57b4c303cee4822930
master: https://pagure.io/freeipa/c/e88d5e815ea440bcef4acdc5f8fcb3a29e6eaec9

Verified.

Version ::

ipa-server-4.5.0-11.el7.x86_64
gssproxy-0.7.0-3.el7.x86_64

Results ::

```
# First confirm WebUI cert login without AD Trust:

[root@dhcp129-184 ~]# ipa certmap-match /root/testing/demosc1_cert1.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------

# WebUI login with demosc1 works with cert on card after entering pin

[root@auto-hv-02-guest08 ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:

TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting smb Service
Starting winbind Service
ipa: INFO: The ipactl command was successful

# Login to WebUI worked with demosc1 with pin

[root@auto-hv-02-guest08 ~]# ipa trust-add ipaadcs12r2.test --admin Administrator --password
Active Directory domain administrator's password:
---------------------------------------------------------
Added Active Directory trust for realm "ipaadcs12r2.test"
---------------------------------------------------------
  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@auto-hv-02-guest08 ~]# vim /etc/sssd/sssd.conf
...
subdomains_provider = ipa
[sssd]
services = sudo, nss, ifp, pam, ssh, pac
...

[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

# Showing that AD Trust is working:

[root@auto-hv-02-guest08 ~]# id tempuser1
uid=1664401105(tempuser1) gid=1664401105(tempuser1) groups=1664401105(tempuser1),1664400513(domain users)

# Login to WebUI worked with demosc1 with pin
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
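The verification above relies on `ipa certmap-match` reporting the same certificate-to-user mapping before and after `ipa-adtrust-install`. The following is an added example, not code from this bug report or from the FreeIPA project, of a small regression check built around that idea: it parses `ipa certmap-match` output in the layout shown in the transcript, sanity-checks the result, and diffs the mapping captured before a change against the one captured after it. Both sample outputs are constructed for the example (the "after" sample deliberately drops one login to show what a regression looks like); the parser assumes only the `N users matched`, `Domain:`, `User logins:` and `Number of entries returned N` lines visible in the transcript.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout shown in the transcript above (not captured
# from a live server): the mapping before the trust was installed.
SAMPLE_BEFORE = """\
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1, demosc2
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample for the "after" capture, with one login missing so that
# the diff below has something to report.
SAMPLE_AFTER = """\
---------------
1 user matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1
----------------------------
Number of entries returned 1
----------------------------
"""


@dataclass
class CertmapResult:
    """Parsed view of one `ipa certmap-match` run."""
    matched: int                      # count from the "N users matched" banner
    entries_returned: int             # count from the trailing summary line
    logins_by_domain: Dict[str, List[str]] = field(default_factory=dict)


def parse_certmap_match(text: str) -> CertmapResult:
    """Parse certmap-match output; unknown lines (rules of dashes) are ignored."""
    matched = entries = 0
    logins_by_domain: Dict[str, List[str]] = {}
    current_domain = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(\d+) users? matched", line)
        if m:
            matched = int(m.group(1))
            continue
        m = re.fullmatch(r"Number of entries returned (\d+)", line)
        if m:
            entries = int(m.group(1))
            continue
        if line.startswith("Domain:"):
            current_domain = line.split(":", 1)[1].strip()
            logins_by_domain.setdefault(current_domain, [])
        elif line.startswith("User logins:") and current_domain is not None:
            logins = [u.strip() for u in line.split(":", 1)[1].split(",")]
            logins_by_domain[current_domain].extend(u for u in logins if u)
    return CertmapResult(matched, entries, logins_by_domain)


def check_result(res: CertmapResult) -> List[str]:
    """Return human-readable problems; an empty list means the output is consistent."""
    problems = []
    total = sum(len(v) for v in res.logins_by_domain.values())
    if total != res.matched:
        problems.append(f"banner says {res.matched} matched but {total} logins listed")
    if res.matched == 0:
        problems.append("certificate maps to no user; WebUI cert login would fail")
    return problems


def compare_mappings(before: CertmapResult, after: CertmapResult) -> Dict[str, List[Tuple[str, str]]]:
    """Diff (domain, login) pairs: anything lost after a change is a regression."""
    def pairs(res: CertmapResult):
        return {(d, u) for d, users in res.logins_by_domain.items() for u in users}
    b, a = pairs(before), pairs(after)
    return {"lost": sorted(b - a), "gained": sorted(a - b)}


if __name__ == "__main__":
    before = parse_certmap_match(SAMPLE_BEFORE)
    after = parse_certmap_match(SAMPLE_AFTER)
    print("before:", before.logins_by_domain, check_result(before))
    print("after: ", after.logins_by_domain, check_result(after))
    print("diff:  ", compare_mappings(before, after))
```

In practice the two samples would be replaced by the captured output of `ipa certmap-match <cert>` run before and after the configuration change; a non-empty `lost` list is the signal to stop and investigate before relying on certificate login.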