Bug 1449133

Summary: Update samba config file and use sss idmap module
Product: Red Hat Enterprise Linux 8
Reporter: Sudhir Menon <sumenon>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: abokovoy, amore, cheimes, frenaud, ksiddiqu, nate, ofalk, pasik, pvoborni, rcritten, tscherf, twoerner
Target Milestone: rc
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.8.0-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-05 20:52:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sudhir Menon 2017-05-09 09:31:14 UTC
Description of problem: Update samba config file and use sss idmap module


Version-Release number of selected component (if applicable):
samba-4.6.2-1.el7.x86_64
samba-python-4.6.2-1.el7.x86_64
samba-common-4.6.2-1.el7.noarch
samba-client-4.6.2-1.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
ipa-server-trust-ad-4.5.0-9.el7.x86_64
samba-winbind-modules-4.6.2-1.el7.x86_64
samba-winbind-4.6.2-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install IPA Server.
2. ipa-adtrust-install -a Secret123 --add-sids -U
3. Run testparm

Actual results:
[root@master ~]# ipa-adtrust-install -a Secret123 --add-sids -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
     
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
     
To accept the default shown in brackets, press the Enter key.
     
Configuring CIFS
   [1/23]: validate server hostname
   [2/23]: stopping smbd
   [3/23]: creating samba domain object
   [4/23]: creating samba config registry
   [5/23]: writing samba config file
   [6/23]: adding cifs Kerberos principal
   [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
   [8/23]: check for cifs services defined on other replicas
   [9/23]: adding cifs principal to S4U2Proxy targets
   [10/23]: adding admin(group) SIDs
   [11/23]: adding RID bases
   [12/23]: updating Kerberos config 
   'dns_lookup_kdc' already set to 'true', nothing to do.
   [13/23]: activating CLDAP plugin
   [14/23]: activating sidgen task
   [15/23]: configuring smbd to start on boot
   [16/23]: adding special DNS service records
   [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
   [18/23]: adding fallback group
   [19/23]: adding Default Trust View
   [20/23]: setting SELinux booleans
   [21/23]: starting CIFS services
   [22/23]: adding SIDs to existing users and groups
    This step may take considerable amount of time, please wait..
   [23/23]: restarting smbd
    Done configuring CIFS.
    
=======================================================
Setup complete
     
You must make sure these network ports are open:
            TCP Ports:
              * 135: epmap
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 445: microsoft-ds
              * 1024..1300: epmap listener range
              * 3268: msft-gc
            UDP Ports:
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 389: (C)LDAP
              * 445: microsoft-ds
     
See the ipa-adtrust-install(1) man page for more details
     
=============================================================================
 
[root@master ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: changing to config backend registry
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

# Global parameters
[global]
        realm = TESTRELM.TEST
        workgroup = TESTRELM
        domain master = Yes
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        ldap ssl = no
        ldap suffix = dc=testrelm,dc=test
        ldap user suffix = cn=users,cn=accounts
        log file = /var/log/samba/log.%m
        max log size = 100000
        domain logons = Yes
        registry shares = Yes
        disable spoolss = Yes
        dedicated keytab file = /etc/samba/samba.keytab
        kerberos method = dedicated keytab
        passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
        security = USER
        create krb5 conf = No
        rpc_daemon:lsasd = fork
        rpc_daemon:epmd = fork
        rpc_server:tcpip = yes
        rpc_server:netlogon = external
        rpc_server:samr = external
        rpc_server:lsasd = external
        rpc_server:lsass = external
        rpc_server:lsarpc = external
        rpc_server:epmapper = external
        ldapsam:trusted = yes
        idmap config * : backend = tdb



Expected results: Fix the messages below, displayed by the testparm command.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!

Additional info:

Comment 4 Petr Vobornik 2017-05-15 15:19:21 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6951

Comment 6 Alexander Bokovoy 2019-04-24 10:05:50 UTC
Another change to do is to add explicitly

  max smbd processes = 1000

to mitigate against the SMBLoris attack. Right now we have

max smbd processes = 0

as a default in Samba.

Comment 8 Kaleem 2019-04-24 10:11:44 UTC
Sudhir,

Is this from the adtrust automated regression test suite? If yes, please share the test case location from the ipa-tests repo. It will help to verify the bugzilla.

Comment 9 Oliver Falk 2019-04-24 10:39:22 UTC
*** Bug 1699787 has been marked as a duplicate of this bug. ***

Comment 16 anuja 2019-08-19 08:30:29 UTC
Verified Using Version :
ipa-server-4.8.0-8.module+el8.1.0+3977+ec23ef34.x86_64

Console log :

[root@ipaqavmd ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Trust is configured but no NetBIOS domain name found, setting it now.
Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
  [12/25]: adding RID bases
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/25]: adding fallback group
  [21/25]: adding Default Trust View
  [22/25]: setting SELinux booleans
  [23/25]: starting CIFS services
  [24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

[root@ipaqavmd ~]#  testparm
lp_load_ex: changing to config backend registry
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

# Global parameters
[global]
	create krb5 conf = No
	dedicated keytab file = /etc/samba/samba.keytab
	disable spoolss = Yes
	domain logons = Yes
	domain master = Yes
	kerberos method = dedicated keytab
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = no
	ldap suffix = dc=testrelm,dc=test
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log.%m
	max log size = 100000
	max smbd processes = 1000
	passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
	realm = TESTRELM.TEST
	registry shares = Yes
	security = USER
	workgroup = TESTRELM
	idmap config testrelm : range = 346000000 - 346200000
	idmap config testrelm : backend = sss
	idmap config * : range = 0 - 0
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb

In the testparm output there is no error like the one in the description:
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *! 
 
Based on this, marking the bz as verified.
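Added example (not code from this bug, FreeIPA or Samba): a small Python checker that applies the two conditions discussed in this thread to a testparm-style [global] dump. It requires a well-formed, non-overlapping range for every domain that declares an idmap backend (the error in the description) and an explicit non-zero `max smbd processes` (comment 6). The two sample dumps are constructed from the before/after testparm output above and trimmed to the relevant keys; the function names, the message texts and the range-overlap check are this example's own additions.

```python
import re
from collections import defaultdict

# Constructed samples: trimmed [global] dumps in the shape `testparm` prints,
# modelled on the "before" output in the description and the "after" output
# in the verification comment (values copied from those dumps).
BEFORE_FIX = """\
[global]
        realm = TESTRELM.TEST
        workgroup = TESTRELM
        security = USER
        passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
        idmap config * : backend = tdb
"""

AFTER_FIX = """\
[global]
        realm = TESTRELM.TEST
        workgroup = TESTRELM
        security = USER
        max smbd processes = 1000
        idmap config testrelm : range = 346000000 - 346200000
        idmap config testrelm : backend = sss
        idmap config * : range = 0 - 0
        idmap config * : backend = tdb
"""

IDMAP_KEY = re.compile(r"^idmap config\s+(?P<domain>\S+)\s*:\s*(?P<option>\w+)$")
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(text):
    """Return the (key, value) pairs of the [global] section; keys may repeat."""
    params = []
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params.append((key.strip().lower(), value.strip()))
    return params


def check_idmap(params):
    """Every idmap domain with a backend needs a well-formed, non-overlapping range."""
    domains = defaultdict(dict)
    for key, value in params:
        m = IDMAP_KEY.match(key)
        if m:
            domains[m.group("domain")][m.group("option")] = value

    findings, ranges = [], []
    for domain, opts in domains.items():
        if "backend" not in opts:
            findings.append(f"idmap: domain '{domain}' has no backend")
        rng = opts.get("range")
        if rng is None:
            findings.append(f"idmap: range not specified for domain '{domain}'")
            continue
        m = RANGE_VALUE.match(rng)
        if not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"idmap: invalid range '{rng}' for domain '{domain}'")
            continue
        ranges.append((domain, int(m.group(1)), int(m.group(2))))

    # Two domains sharing IDs would map different SIDs onto the same local uid/gid.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap: ranges of '{d1}' and '{d2}' overlap")
    return findings


def check_smbd_processes(params):
    """Samba's default `max smbd processes = 0` puts no cap on the number of smbd processes."""
    values = [v for k, v in params if k == "max smbd processes"]
    limit = int(values[-1]) if values else 0
    if limit == 0:
        return ["max smbd processes is 0 (unlimited); set an explicit cap, e.g. 1000"]
    return []


def audit(text):
    """Run both checks over one testparm-style dump and return the findings."""
    params = parse_global(text)
    return check_idmap(params) + check_smbd_processes(params)


if __name__ == "__main__":
    for label, dump in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(dump) or ["OK"])
```

Feed it the output of `testparm -s` (the `-s` suppresses the "press enter" prompt) to check a live server. The `0 - 0` range for `*` in the verified output is accepted on purpose: the check only requires that a range be present and ordered, which is exactly what testparm complained about before the fix.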

Comment 18 errata-xmlrpc 2019-11-05 20:52:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

Comment 19 Florence Blanc-Renaud 2020-03-05 13:50:46 UTC
Test case upstream
master:
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The commit adds a test in ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall