Bug 1461053
Summary: | allow to modify list of UPNs of a trusted forest | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni>
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint>
Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 7.4 | CC: | enewland, mbabinsk, nsoman, pvoborni, pvomacka, rcritten, spoore, tscherf
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-4.5.0-17.el7 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-08-01 09:51:24 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Petr Vobornik
2017-06-13 12:36:09 UTC
Upstream ticket: https://pagure.io/freeipa/issue/7015

Fixed upstream
ipa-4-5: https://pagure.io/freeipa/c/9a31b21bff7c83219a4973adf815c900628ab620
master: https://pagure.io/freeipa/c/abb638487580af99882b4751b64939d0aff0d38b

Fixed upstream
master: https://pagure.io/freeipa/c/b25412f9889f3523974e7aeb43920d4e2347fcfa
ipa-4-5: https://pagure.io/freeipa/c/e22b61832bb5b52eb9daadcbc12ca41e0923503c

Verified.
Version ::
ipa-server-4.5.0-17.el7.x86_64
Results ::
A Simple functional test where this is needed:
# Setup is that we have AD Trust and one AD User with a userPrincipalName attribute set to something different than the domain.
[root@auto-hv-02-guest08 ~]# ldapsearch -o ldif-wrap=no -xLLL \
> -D "$AD_ADMIN" -w Secret123 \
> -h idm-qe-ipa-win7.ipaadcs12r2.test \
> -b "cn=temp user1,cn=Users,$AD_BASEDN" \
> "(objectClass=*)" userPrincipalName
dn: CN=temp user1,CN=Users,DC=ipaadcs12r2,DC=test
userPrincipalName: 1234@mytest
# First show failure to login as either user before the UPN is added to the trust in IPA:
[root@auto-hv-02-guest08 ~]# ssh -l 1234@mytest $(hostname)
Password:
Password:
Password:
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
Authentication failed.
[root@auto-hv-02-guest08 ~]# ssh -l tempuser1 $(hostname)
Password:
Password:
Password:
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures
Authentication failed.
# Now add the UPN:
[root@auto-hv-02-guest08 ~]# ipa trust-mod ipaadcs12r2.test --upn='MYTEST'
--------------------------------------------------------------------------
Modified trust "ipaadcs12r2.test" (change will be effective in 60 seconds)
--------------------------------------------------------------------------
Realm name: ipaadcs12r2.test
Domain NetBIOS name: IPAADCS12R2
Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
UPN suffixes: MYTEST
[root@auto-hv-02-guest08 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@auto-hv-02-guest08 ~]# ssh -l tempuser1 $(hostname)
Password:
Last failed login: Mon Jun 19 18:51:15 EDT 2017 from IPSCRUBBED on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Mon Jun 19 18:50:14 2017 from IPSCRUBBED
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is part of the Red Hat Test System.
Please do not use this system for individual unit testing.
RHTS Test information:
HOSTNAME=auto-hv-02-guest08.fqdn.scrubbed
JOBID=1884800
RECIPEID=3902568
LAB_SERVER=
RESULT_SERVER=[::1]:7080
DISTRO=RHEL-7.4
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
-sh-4.2$ exit
logout
Connection to auto-hv-02-guest08.testrelm.test closed.
[root@auto-hv-02-guest08 ~]# ssh -l 1234@mytest $(hostname)
Password:
Last login: Mon Jun 19 18:52:38 2017 from IPSCRUBBED
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is part of the Red Hat Test System.
Please do not use this system for individual unit testing.
RHTS Test information:
HOSTNAME=auto-hv-02-guest08.fqdn.scrubbed.
JOBID=1884800
RECIPEID=3902568
LAB_SERVER=
RESULT_SERVER=[::1]:7080
DISTRO=RHEL-7.4
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
-sh-4.2$ id
uid=1664401105(tempuser1) gid=1664401105(tempuser1) groups=1664401105(tempuser1),1664400513(domain users)
-sh-4.2$ whoami
tempuser1
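The verification above establishes by hand that a trusted-forest user whose userPrincipalName carries a suffix other than the forest realm can only log in once that suffix is listed on the IPA trust. The following Python script is added here as an example; it is not part of the bug report or of FreeIPA. It parses unwrapped ldapsearch LDIF and the text output of `ipa trust-show` (both in the formats shown in the transcript; the sample inputs are constructed from it) and reports which UPN suffixes in use are not yet registered on the trust, so an administrator can spot the gap before users hit "Authentication failed". Case-insensitive suffix matching is an assumption drawn from the transcript, where the suffix was added as MYTEST and the successful login used 1234@mytest.

```python
"""Check whether the UPN suffixes used by trusted-forest users are registered on the IPA trust.

Constructed example, not FreeIPA project code. Input formats follow the bug report:
  - LDIF from `ldapsearch -o ldif-wrap=no ... userPrincipalName`
  - the key/value text printed by `ipa trust-show` / `ipa trust-mod`
"""
from typing import List, Optional, Set

# Constructed sample inputs modelled on the verification transcript.
LDIF_SAMPLE = """dn: CN=temp user1,CN=Users,DC=ipaadcs12r2,DC=test
userPrincipalName: 1234@mytest
"""

TRUST_SHOW_BEFORE = """  Realm name: ipaadcs12r2.test
  Domain NetBIOS name: IPAADCS12R2
  Domain Security Identifier: S-1-5-21-2104345585-122664420-2375807449
"""

# Same trust after `ipa trust-mod ipaadcs12r2.test --upn='MYTEST'`.
TRUST_SHOW_AFTER = TRUST_SHOW_BEFORE + "  UPN suffixes: MYTEST\n"


def parse_ldif_attr(ldif: str, attr: str) -> List[str]:
    """Return all values of `attr` from unwrapped LDIF (attribute names are case-insensitive)."""
    values = []
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != attr.lower():
            continue
        if value.startswith(":"):
            continue  # base64 ("::") encoded value; not expected for a UPN, skipped here
        values.append(value.strip())
    return values


def parse_trust_upn_suffixes(trust_show: str) -> Set[str]:
    """Return the UPN suffixes listed by `ipa trust-show`, lower-cased for comparison."""
    for line in trust_show.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "UPN suffixes":
            return {s.strip().lower() for s in value.split(",") if s.strip()}
    return set()  # attribute absent: no extra suffixes registered


def upn_suffix(name: str) -> Optional[str]:
    """Return the lower-cased suffix of 'user@suffix', or None for a plain user name."""
    user, sep, suffix = name.rpartition("@")
    if not sep or not user or not suffix:
        return None
    return suffix.lower()


def login_name_resolvable(login: str, trust_realm: str, trust_show: str) -> bool:
    """True if `login` is user@<trust realm> or user@<suffix registered on the trust>.

    Assumption: suffix comparison is case-insensitive, as in the transcript
    (suffix registered as MYTEST, login used 1234@mytest).
    """
    suffix = upn_suffix(login)
    if suffix is None:
        return False
    if suffix == trust_realm.lower():
        return True
    return suffix in parse_trust_upn_suffixes(trust_show)


def missing_upn_suffixes(ldif: str, trust_realm: str, trust_show: str) -> Set[str]:
    """Suffixes found in userPrincipalName values of `ldif` that the trust does not list."""
    registered = parse_trust_upn_suffixes(trust_show) | {trust_realm.lower()}
    missing = set()
    for upn in parse_ldif_attr(ldif, "userPrincipalName"):
        suffix = upn_suffix(upn)
        if suffix is not None and suffix not in registered:
            missing.add(suffix)
    return missing


if __name__ == "__main__":
    realm = "ipaadcs12r2.test"
    for label, output in (("before trust-mod", TRUST_SHOW_BEFORE), ("after trust-mod", TRUST_SHOW_AFTER)):
        missing = missing_upn_suffixes(LDIF_SAMPLE, realm, output)
        print(f"{label}: unregistered UPN suffixes = {sorted(missing) or 'none'}")
```

In practice the two inputs come from `ldapsearch` against the AD domain controller and `ipa trust-show <realm>`; any suffix the script reports as missing is one to add with `ipa trust-mod <realm> --upn=<suffix>`, after which the SSSD cache has to be cleared as the transcript shows before the change is visible to logins.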
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304