Bug 1449133
Summary: | Update samba config file and use sss idmap module | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Sudhir Menon <sumenon> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 8.0 | CC: | abokovoy, amore, cheimes, frenaud, ksiddiqu, nate, ofalk, pasik, pvoborni, rcritten, tscherf, twoerner |
Target Milestone: | rc | | |
Target Release: | 8.1 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ipa-4.8.0-1 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-11-05 20:52:26 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Sudhir Menon
2017-05-09 09:31:14 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6951

Another change to do is to add explicitly max smbd processes = 1000 to mitigate against SMBLoris attack. Right now we have max smbd processes = 0 as a default in Samba.

Sudhir, Is this from adtrust automated regression test suite? If yes, please share the test case location from ipa-tests repo. It will help to verify the bugzilla

*** Bug 1699787 has been marked as a duplicate of this bug. ***

Fixed upstream

master:
https://pagure.io/freeipa/c/4ba888694bc31972740d52322a6b11006adaddc1
https://pagure.io/freeipa/c/b2c5691e73b7f6f38abed727a23b904290fc64cc

ipa-4-7:
https://pagure.io/freeipa/c/fad7cad4d2a478c2519e78f8208ed464d336d620
https://pagure.io/freeipa/c/b530dad445237bed83b9d5e317fddb7841825f24

Verified Using Version : ipa-server-4.8.0-8.module+el8.1.0+3977+ec23ef34.x86_64

Console log :

```
[root@ipaqavmd ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.

Trust is configured but no NetBIOS domain name found, setting it now.
Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
  [12/25]: adding RID bases
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/25]: adding fallback group
  [21/25]: adding Default Trust View
  [22/25]: setting SELinux booleans
  [23/25]: starting CIFS services
  [24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
  TCP Ports:
    * 135: epmap
    * 138: netbios-dgm
    * 139: netbios-ssn
    * 445: microsoft-ds
    * 1024..1300: epmap listener range
    * 3268: msft-gc
  UDP Ports:
    * 138: netbios-dgm
    * 139: netbios-ssn
    * 389: (C)LDAP
    * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details
=============================================================================
```

```
[root@ipaqavmd ~]# testparm
lp_load_ex: changing to config backend registry
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

# Global parameters
[global]
	create krb5 conf = No
	dedicated keytab file = /etc/samba/samba.keytab
	disable spoolss = Yes
	domain logons = Yes
	domain master = Yes
	kerberos method = dedicated keytab
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = no
	ldap suffix = dc=testrelm,dc=test
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log.%m
	max log size = 100000
	max smbd processes = 1000
	passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
	realm = TESTRELM.TEST
	registry shares = Yes
	security = USER
	workgroup = TESTRELM
	idmap config testrelm : range = 346000000 - 346200000
	idmap config testrelm : backend = sss
	idmap config * : range = 0 - 0
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb
```

In testparm output per description there is no error like :

```
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
```

Based on this marking bz as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

Test case upstream

master:
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The commit adds a test in ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall
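The manual verification above can be scripted against a saved testparm dump. The following is an added example, not code from this bug report or from FreeIPA's ipatests: it checks that the idmap errors are absent, that `max smbd processes` is non-zero, and that the domain's idmap backend is `sss`. The function names are hypothetical, the sample dump is constructed from the output shown above, and it assumes the idmap domain name is the `workgroup` value, as in that output.

```python
import re

# Constructed sample: a trimmed testparm dump in the shape shown in this report.
SAMPLE_DUMP = """\
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

[global]
	max smbd processes = 1000
	workgroup = TESTRELM
	idmap config testrelm : range = 346000000 - 346200000
	idmap config testrelm : backend = sss
	idmap config * : range = 0 - 0
	idmap config * : backend = tdb
"""

# Error strings quoted in the verification comment of this report.
IDMAP_ERRORS = (
    "idmap range not specified for domain",
    "Invalid idmap range for domain",
)

def parse_global(dump):
    """Return the [global] parameters of a testparm dump, keys lowercased."""
    params, in_global = {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def check_adtrust_samba(dump):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"testparm reported: {e}" for e in IDMAP_ERRORS if e in dump]
    params = parse_global(dump)
    # A missing entry is treated as Samba's default of 0, i.e. no process limit.
    limit = params.get("max smbd processes", "0")
    if not limit.isdigit() or int(limit) == 0:
        findings.append("max smbd processes is unset or 0 (unlimited)")
    domain = params.get("workgroup", "").lower()  # assumption: idmap domain == workgroup
    backend = params.get(f"idmap config {domain} : backend")
    if backend != "sss":
        findings.append(f"idmap backend for {domain or '<none>'} is {backend!r}, expected 'sss'")
    return findings
```

Feed it the text captured from `testparm -s`; any returned finding names the setting that regressed.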