Bug 1778777
Field | Value
---|---
Summary | After upgrade AD Trust Agents were removed from LDAP
Product | Red Hat Enterprise Linux 7
Reporter | aheverle
Component | ipa
Assignee | Florence Blanc-Renaud <frenaud>
Status | CLOSED ERRATA
QA Contact | ipa-qe <ipa-qe>
Severity | high
Priority | high
Version | 7.7
CC | abokovoy, frenaud, ksiddiqu, mpolovka, ndehadra, pasik, rcritten, tborcin, tscherf
Target Milestone | rc
Keywords | Regression, ZStream
Target Release | ---
Hardware | All
OS | Linux
Fixed In Version | ipa-4.6.6-11.el7
Doc Type | If docs needed, set a value
Story Points | ---
 | 1781153
Last Closed | 2020-03-31 19:56:32 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1781153
Description
aheverle
2019-12-02 13:36:32 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/3977

Fixed upstream master: https://github.com/freeipa/freeipa/commit/2c9b212cf08e9f0e6814b2e7a0922079b3929634

Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/bb4ec6fcb4547bc624cde93e16a9201dfa8d4426
ipa-4-7: https://pagure.io/freeipa/c/206e1f94efda11dd773860c9bbf9609d797688d4
ipa-4-8: https://pagure.io/freeipa/c/b21128c2d7575c6eba6a52fa4448a9a2c7b56913

IPA-server version: ipa-server-4.6.6-11.el7.x86_64

Verified the bug on the basis of the following steps:

1. Set up IPA server on RHEL773 as MASTER / REPLICA (in my case: )
2. Verify that the trust agent is configured, via LDAP query, on MASTER / REPLICA (in this case not set up; the replica entry should be missing under the member section of the result)
   # ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
3. Configure trust and trust agent on the MASTER via the --add-agents option
   # ipa-adtrust-install --add-agents
4. Verify that the trust agent is configured, via LDAP query, on MASTER / REPLICA (the replica entry is visible under the member section of the result)
   # ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
5. Run "ipa-server-upgrade" on MASTER / REPLICA
6. Again verify that the trust agent is configured, via LDAP query, on MASTER / REPLICA (the replica entry is visible under the member section of the result)
   # ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
7. Run the ipa upgrade on MASTER and then on REPLICA
   # yum -y update
8. Run "ipa-server-upgrade" on MASTER / REPLICA
9. Again verify that the trust agent is configured, via LDAP query, on MASTER / REPLICA (the replica entry is visible under the member section of the result)
   # ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
10. Validate the Trust-agent server role for the replica on both Master/Replica using the command
   # ipa server-role-find | grep trust -B1 -A1

Console:
--------------
```
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# rpm -q ipa-server
ipa-server-4.6.5-11.el7_7.3.x86_64
[root@master ~]#
[root@master ~]# ipa-adtrust-install --add-agents

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user
'admin'. This user is a regular system account used for IPA server
administration.

admin password:

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]:

WARNING: 1 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
Samba domain object already exists
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [10/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [11/23]: adding RID bases
RID bases already set, nothing to do
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [14/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [15/23]: map BUILTIN\Guests to nobody group
  [16/23]: configuring smbd to start on boot
  [17/23]: adding special DNS service records
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
Fallback group already set, nothing to do
  [20/23]: adding Default Trust View
Default Trust View already exists.
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.

WARNING: 1 IPA masters are not yet able to serve information about users
from trusted forests. Installer can add them to the list of IPA masters
allowed to access information about trusts.
If you choose to do so, you also need to restart LDAP service on those
masters.
Refer to ipa-adtrust-install(1) man page for details.

IPA master [replica1.ipapnq.test]? [no]: yes

WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in
order to activate them to serve information about users from trusted forests:
replica1.ipapnq.test

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# systemctl stop sssd; rm -frv /var/lib/sss/{db,mc}/*; systemctl start sssd
removed '/var/lib/sss/db/cache_ipapnq.test.ldb'
removed '/var/lib/sss/db/ccache_IPAAD2K16CIN.TEST'
removed '/var/lib/sss/db/ccache_IPAPNQ.TEST'
removed '/var/lib/sss/db/config.ldb'
removed '/var/lib/sss/db/sssd.ldb'
removed '/var/lib/sss/db/timestamps_ipapnq.test.ldb'
removed '/var/lib/sss/mc/group'
removed '/var/lib/sss/mc/initgroups'
removed '/var/lib/sss/mc/passwd'
[root@master ~]# id administrator
uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
[root@master ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
Updating DNS system records
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# systemctl stop sssd; rm -frv /var/lib/sss/{db,mc}/*; systemctl start sssd
removed '/var/lib/sss/db/cache_ipapnq.test.ldb'
removed '/var/lib/sss/db/ccache_IPAAD2K16CIN.TEST'
removed '/var/lib/sss/db/ccache_IPAPNQ.TEST'
removed '/var/lib/sss/db/config.ldb'
removed '/var/lib/sss/db/sssd.ldb'
removed '/var/lib/sss/db/timestamps_ipapnq.test.ldb'
removed '/var/lib/sss/mc/group'
removed '/var/lib/sss/mc/initgroups'
removed '/var/lib/sss/mc/passwd'
[root@master ~]# id administrator
uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
[root@master yum.repos.d]# ipa server-role-find | grep trust -B1 -A1
  Server name: master.ipapnq.test
  Role name: AD trust agent
  Role status: enabled
--
  Server name: replica1.ipapnq.test
  Role name: AD trust agent
  Role status: enabled
--
  Server name: master.ipapnq.test
  Role name: AD trust controller
  Role status: enabled
--
  Server name: replica1.ipapnq.test
  Role name: AD trust controller
  Role status: absent
```

Similar behaviour is observed when the above steps are run on REPLICA.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083
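The verification above relies on reading the `ldapsearch -xLLL` output by eye before and after `ipa-server-upgrade` and confirming that the replica is still listed under `member`. The following is an added example, not code from the bug report or from FreeIPA, that does the same comparison mechanically: it parses the LDIF of the `cn=adtrust agents` entry (unfolding the wrapped lines that `ldapsearch` prints with a leading space, as seen in the transcript), extracts the host members, and reports any agent that was present before the upgrade but is missing afterwards. The two LDIF samples are constructed from the output quoted in the report; the function names and the `fqdn=...,cn=computers,cn=accounts` pattern used to recognise host members are this example's own assumptions.

```python
"""Detect AD trust agents dropped from 'cn=adtrust agents' across an upgrade.

Added example for this bug report; not FreeIPA code. Feed it the LDIF that
`ldapsearch -xLLL -b "cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN"`
prints before and after ipa-server-upgrade.
"""
import base64
import re
from typing import Dict, List, Set

# Constructed sample: the group before `ipa-adtrust-install --add-agents`
# (only the master is a member). Long values are folded the way ldapsearch
# prints them: the continuation line starts with a single space (RFC 2849).
LDIF_BEFORE_ADD_AGENTS = """\
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test
"""

# Constructed sample: after --add-agents the replica is a member as well.
LDIF_WITH_REPLICA = LDIF_BEFORE_ADD_AGENTS.replace(
    "member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test\n",
    "member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test\n"
    "member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test\n",
)

# Assumed pattern for a host member DN (the cifs/ service principal is not a host).
AGENT_HOST_RE = re.compile(r"^fqdn=([^,]+),cn=computers,cn=accounts,", re.IGNORECASE)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Splits on the first ':' only, so values that themselves contain ':'
    (e.g. 'cn=System: Read system trust accounts') survive intact; a
    '::' marker means the value is base64-encoded and is decoded.
    """
    entry: Dict[str, List[str]] = {}
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def agent_hosts(entry: Dict[str, List[str]]) -> Set[str]:
    """Host names that are members of the adtrust agents group."""
    hosts: Set[str] = set()
    for dn in entry.get("member", []):
        match = AGENT_HOST_RE.match(dn)
        if match:
            hosts.add(match.group(1).lower())
    return hosts


def removed_agents(before_ldif: str, after_ldif: str) -> Set[str]:
    """Agents present before the upgrade but missing afterwards (expected: none)."""
    return agent_hosts(parse_entry(before_ldif)) - agent_hosts(parse_entry(after_ldif))


def check_upgrade(before_ldif: str, after_ldif: str) -> bool:
    """True when every agent survived the upgrade, i.e. step 9 of the verification passes."""
    return not removed_agents(before_ldif, after_ldif)


if __name__ == "__main__":
    # Healthy run: the membership after the upgrade equals the one before it.
    print("agents kept:", check_upgrade(LDIF_WITH_REPLICA, LDIF_WITH_REPLICA))
    # The regression this bug describes: post-upgrade output lacks the replica.
    print("dropped agents:", sorted(removed_agents(LDIF_WITH_REPLICA, LDIF_BEFORE_ADD_AGENTS)))
```

In practice the two inputs would be the captured `ldapsearch` output from before and after the upgrade on each server; comparing the parsed member sets rather than raw text makes the check insensitive to attribute ordering and to where `ldapsearch` happens to fold a long DN.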