Bug 1778777

Summary: After upgrade AD Trust Agents were removed from LDAP
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.7
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: aheverle
Assignee: Florence Blanc-Renaud <frenaud>
QA Contact: ipa-qe <ipa-qe>
CC: abokovoy, frenaud, ksiddiqu, mpolovka, ndehadra, pasik, rcritten, tborcin, tscherf
Target Milestone: rc
Keywords: Regression, ZStream
Fixed In Version: ipa-4.6.6-11.el7
Clones: 1781153 (view as bug list)
Bug Blocks: 1781153
Type: Bug
Last Closed: 2020-03-31 19:56:32 UTC

Description aheverle 2019-12-02 13:36:32 UTC
Description of problem:
Upgrade code in IdM should verify that, for every krbprincipalname=cifs/ipa.master@$REALM,cn=services,cn=accounts,$SUFFIX belonging to cn=adtrust agents, a corresponding fqdn=ipa.master,cn=machines,cn=accounts,$SUFFIX also belongs to the same group.

Version-Release number of selected component (if applicable):
ipa-server-4.6.5-11.el7_7.3.x86_64

How reproducible:
Have only seen it in this case.

Steps to Reproduce:
1. ipa-server-upgrade


Actual results:
AD Trust Agents were removed

Expected results:
AD Trust agents not affected

Additional info:

# ldapsearch -xLLL  -D "cn=directory manager" -W -b "cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX"
Enter LDAP Password:
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
memberOf: cn=adtrust agents,cn=privileges,cn=pbac,$SUFFIX
memberOf: cn=system: read system trust accounts,cn=permissions,cn=pbac,$SUFFIX
member: krbprincipalname=cifs/stcprdxidm01.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,d$SUFFIX
member: krbprincipalname=cifs/stcprdxidm02.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,d$SUFFIX
member: krbprincipalname=cifs/calprdxidm01.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,$SUFFIX
member: krbprincipalname=cifs/calprdxidm02.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,$SUFFIX
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents

Comment 2 Alexander Bokovoy 2019-12-04 08:07:17 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/3977

Comment 4 Florence Blanc-Renaud 2019-12-04 08:12:17 UTC
Fixed upstream
master:
https://github.com/freeipa/freeipa/commit/2c9b212cf08e9f0e6814b2e7a0922079b3929634

Comment 15 Nikhil Dehadrai 2019-12-18 00:51:54 UTC
IPA-server version: ipa-server-4.6.6-11.el7.x86_64

Verified the bug on the basis of the following steps:

1. Set up IPA server at RHEL773 as MASTER / REPLICA (in my case: )
2. Verify via ldap query that the trust agent is configured on MASTER / REPLICA (in this case not set up, so the replica entry should be missing from the member section of the result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
3. Configure trust and the trust agent on the MASTER via the --add-agents option
# ipa-adtrust-install --add-agents
4. Verify via ldap query that the trust agent is configured on MASTER / REPLICA (the replica entry is visible in the member section of the result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
5. Run "ipa-server-upgrade" on MASTER / REPLICA
6. Again verify via ldap query that the trust agent is configured on MASTER / REPLICA (the replica entry is visible in the member section of the result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
7. Run the ipa upgrade on MASTER and then on REPLICA
# yum -y update
8. Run "ipa-server-upgrade" on MASTER / REPLICA
9. Again verify via ldap query that the trust agent is configured on MASTER / REPLICA (the replica entry is visible in the member section of the result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
10. Validate the Trust-agent server role for the replica on both Master/Replica using the command
# ipa server-role-find | grep trust -B1 -A1

Console:
--------------
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# rpm -q ipa-server
ipa-server-4.6.5-11.el7_7.3.x86_64
[root@master ~]# 
[root@master ~]# ipa-adtrust-install --add-agents

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: 

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: 


WARNING: 1 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: 

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
Samba domain object already exists
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [10/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [11/23]: adding RID bases
RID bases already set, nothing to do
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [14/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [15/23]: map BUILTIN\Guests to nobody group
  [16/23]: configuring smbd to start on boot
  [17/23]: adding special DNS service records
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
Fallback group already set, nothing to do
  [20/23]: adding Default Trust View
Default Trust View already exists.
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.

WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests.
Installer can add them to the list of IPA masters allowed to access information about trusts.
If you choose to do so, you also need to restart LDAP service on those masters.
Refer to ipa-adtrust-install(1) man page for details.

IPA master [replica1.ipapnq.test]? [no]: yes

WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in
order to activate them to serve information about users from trusted forests:

replica1.ipapnq.test

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# systemctl stop sssd; rm -frv /var/lib/sss/{db,mc}/*; systemctl start sssd
removed '/var/lib/sss/db/cache_ipapnq.test.ldb'
removed '/var/lib/sss/db/ccache_IPAAD2K16CIN.TEST'
removed '/var/lib/sss/db/ccache_IPAPNQ.TEST'
removed '/var/lib/sss/db/config.ldb'
removed '/var/lib/sss/db/sssd.ldb'
removed '/var/lib/sss/db/timestamps_ipapnq.test.ldb'
removed '/var/lib/sss/mc/group'
removed '/var/lib/sss/mc/initgroups'
removed '/var/lib/sss/mc/passwd'
[root@master ~]# id administrator
uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)


[root@master ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
Updating DNS system records
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# systemctl stop sssd; rm -frv /var/lib/sss/{db,mc}/*; systemctl start sssd
removed '/var/lib/sss/db/cache_ipapnq.test.ldb'
removed '/var/lib/sss/db/ccache_IPAAD2K16CIN.TEST'
removed '/var/lib/sss/db/ccache_IPAPNQ.TEST'
removed '/var/lib/sss/db/config.ldb'
removed '/var/lib/sss/db/sssd.ldb'
removed '/var/lib/sss/db/timestamps_ipapnq.test.ldb'
removed '/var/lib/sss/mc/group'
removed '/var/lib/sss/mc/initgroups'
removed '/var/lib/sss/mc/passwd'
[root@master ~]# id administrator
uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
[root@master yum.repos.d]# ipa server-role-find | grep trust -B1 -A1
  Server name: master.ipapnq.test
  Role name: AD trust agent
  Role status: enabled
--
  Server name: replica1.ipapnq.test
  Role name: AD trust agent
  Role status: enabled
--
  Server name: master.ipapnq.test
  Role name: AD trust controller
  Role status: enabled
--
  Server name: replica1.ipapnq.test
  Role name: AD trust controller
  Role status: absent

Similar behaviour is observed when the above steps are run on REPLICA.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".
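The consistency rule from the description (every cifs/ principal in cn=adtrust agents needs a matching fqdn= host entry in the same group) is what the ldapsearch checks in the verification steps above confirm by eye. The following added example, which is not FreeIPA code and not part of this report, applies that rule to saved ldapsearch -LLL output so the check can be scripted before and after an upgrade; the sample LDIF is constructed and modelled on the output shown in this report, with the replica's host entry deliberately missing.

```python
"""Check that every cifs/ service principal in 'cn=adtrust agents' has a
matching fqdn= host entry in the same group (constructed example)."""
import re

# Constructed LDIF modelled on the ldapsearch output in this report: the
# replica's cifs principal is a member but its fqdn host entry is missing.
SAMPLE_LDIF = """\
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: krbprincipalname=cifs/replica1.ipapnq.test@IPAPNQ.TEST,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
cn: adtrust agents
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_members(text):
    """Return the member DNs of the (single) group entry in an LDIF text."""
    members = []
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "member":
            members.append(value.strip())
    return members

def hosts_missing_from_group(text):
    """FQDNs that have a cifs/ principal in the group but no fqdn= host member."""
    cifs_hosts, host_members = set(), set()
    for dn in parse_members(text):
        rdn = dn.split(",", 1)[0]  # first RDN identifies the member type
        m = re.fullmatch(r"krbprincipalname=cifs/([^@]+)(?:@.*)?", rdn, re.IGNORECASE)
        if m:
            cifs_hosts.add(m.group(1).lower())  # principal with or without @REALM
            continue
        m = re.fullmatch(r"fqdn=(.+)", rdn, re.IGNORECASE)
        if m:
            host_members.add(m.group(1).lower())
    return sorted(cifs_hosts - host_members)

if __name__ == "__main__":
    for fqdn in hosts_missing_from_group(SAMPLE_LDIF):
        print(f"cifs/{fqdn} is an AD trust agent but fqdn={fqdn} is not in the group")
```

Feed it the real group entry (ldapsearch -xLLL ... -b "cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX") instead of SAMPLE_LDIF; an empty result means every agent host is also a group member.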

Comment 18 errata-xmlrpc 2020-03-31 19:56:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083