Bug 682853

Summary: IPA provider should use realm instead of ipa_domain for base DN
Product: Red Hat Enterprise Linux 5
Component: sssd
Version: 5.7
Reporter: Stephen Gallagher <sgallagh>
Assignee: Stephen Gallagher <sgallagh>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, grajaiya, jgalipea, prc, rcritten
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.5.1-14.el5
Doc Type: Bug Fix
Clone Of: 682850
Bug Depends On: 682850
Last Closed: 2011-07-21 08:09:41 UTC

Description Stephen Gallagher 2011-03-07 19:16:19 UTC
+++ This bug was initially created as a clone of Bug #682850 +++

Description of problem:

From https://fedorahosted.org/sssd/ticket/807

See https://fedorahosted.org/freeipa/ticket/1001 and the bug linked from there.

The problem is that IPA seems to be deriving its Base DN from the Kerberos realm. SSSD derives it from IPA domain. In 99% of cases the two are the same, but there's no requirement on it, so we should use the realm, too.

Comment 2 Jenny Severance 2011-05-31 19:08:17 UTC
IPA SERVER RHEL 6.1:

ipa-server-2.0.0-23.el6.x86_64
ipa-client-2.0.0-23.el6.x86_64
sssd-1.5.1-34.el6.x86_64

Installation command:

ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname=hostname.testrelm -r QWQW -n testrelm -p bigsecret -P bigsecret -a bigsecret -U

Installation successful

# kinit admin
Password for admin@QWQW: 
[root@myhost]# 

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@QWQW

Valid starting     Expires            Service principal
05/31/11 15:04:59  06/01/11 15:04:57  krbtgt/QWQW@QWQW

IPA CLIENT RHEL 5.7:

ipa-client-2.0-14.el5
sssd-1.5.1-35.el5

Installation command:

ipa-client-install --domain=testrelm --realm=QWQW -p admin -w bigsecret -U --server=hostname.testrelm

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: qe-blade-04.testrelm
BaseDN: dc=qwqw
kinit(v5): Cannot resolve network address for KDC in realm QWQW while getting initial credentials

Comment 3 Jenny Severance 2011-05-31 20:03:07 UTC
Setting this back to assigned as the problem is with the ipa-client.

https://fedorahosted.org/freeipa/ticket/1100

This fix is not included in RHEL 5.7 ipa-client, therefore it is not possible to verify this bug.

Comment 4 Jenny Severance 2011-06-03 15:27:31 UTC
Same result with RHEL 5 ipa-client scratch build:

ipa-client-install --domain=testrelm --realm=QWQW -p mysecret -w mysecret -U --server=ipaserver.testrelm
DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: ipaserver.testrelm
BaseDN: dc=qwqw
kinit(v5): Cannot contact any KDC for realm 'QWQW' while getting initial credentials

# rpm -q ipa-client
ipa-client-2.0-15.el5

Comment 5 Jenny Severance 2011-06-03 15:29:31 UTC
oh well slightly different ... 

"DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value."

Comment 6 Jenny Severance 2011-06-03 15:54:31 UTC
Wasn't executing the correct command: "-p" is principal.

# ipa-client-install --domain=testrelm --realm=QWQW -p admin -w mysecret -U --server=ipaserver.testrelm
DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: ipaserver.testrelm
BaseDN: dc=qwqw
Enrolled in IPA realm QWQW
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QWQW
Warning: Hostname (client.testrelm) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status -6)
Failed to stop the NSCD daemon
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

# kinit jennyg
Password for jennyg@QWQW: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# cat /etc/ipa/default.conf 
#File modified by ipa-client-install

[global]
basedn = dc=qwqw
realm = QWQW
domain = testrelm
server = ipaserver.testrelm
xmlrpc_uri = https://ipaserver.testrelm/ipa/xml
enable_ra = True

# cat /etc/sssd/sssd.conf 
[sssd]
services = nss, pam
config_file_version = 2

domains = testrelm
[nss]

[pam]

[domain/testrelm]
cache_credentials = True
krb5_realm = QWQW
ipa_domain = testrelm
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.testrelm

# cat /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = QWQW
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  QWQW = {
    kdc = ipaserver.testrelm:88
    admin_server = ipaserver.testrelm:749
    default_domain = testrelm
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = QWQW
  testrelm = QWQW

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
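
A check for the mismatch this bug describes, added here as an example and not code from the bug, SSSD or IPA: for each [domain/...] section of an sssd.conf it derives a base DN from krb5_realm (what IPA uses) and from ipa_domain (what the old SSSD IPA provider used) and flags the case where the two differ, run over a trimmed copy of the sssd.conf shown in comment 6. The derivation rule (lower-case labels, one dc= per label) and the fallback of ipa_domain to the section's domain name are assumptions.

```python
import configparser


def basedn_from_name(name: str) -> str:
    """Derive an LDAP base DN from a realm or domain name (assumed rule:
    lower-case each dotted label, one dc= component per label)."""
    labels = [lbl for lbl in name.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty realm/domain name")
    return ",".join(f"dc={lbl}" for lbl in labels)


def check_sssd_conf(text: str) -> dict:
    """For every ipa-provider [domain/...] section, compare the base DN derived
    from krb5_realm with the one derived from ipa_domain (assumed to default to
    the section's own domain name when not set)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        realm = cp.get(section, "krb5_realm", fallback=None)
        domain = cp.get(section, "ipa_domain", fallback=section.split("/", 1)[1])
        from_realm = basedn_from_name(realm) if realm else None
        from_domain = basedn_from_name(domain)
        results[section] = {
            "realm_basedn": from_realm,
            "domain_basedn": from_domain,
            # Only a mismatch if a realm is configured and differs from the domain.
            "mismatch": from_realm is not None and from_realm != from_domain,
        }
    return results


# Constructed sample: trimmed from the sssd.conf in comment 6 (realm QWQW, domain testrelm).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = testrelm

[domain/testrelm]
krb5_realm = QWQW
ipa_domain = testrelm
id_provider = ipa
ipa_server = _srv_, ipaserver.testrelm
"""

if __name__ == "__main__":
    for dom, r in check_sssd_conf(SAMPLE_SSSD_CONF).items():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{dom}: realm->{r['realm_basedn']} domain->{r['domain_basedn']} [{flag}]")
```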

Comment 7 errata-xmlrpc 2011-07-21 08:09:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html