Bug 870278

Summary: ipa client setup should configure host properly if a trust is in place
Product: Red Hat Enterprise Linux 6
Reporter: Scott Poore <spoore>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Version: 6.4
CC: dpal, grajaiya, jgalipea, mkosek, nsoman, pbrezina, sgoveas
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.9.2-14.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Last Closed: 2013-02-21 09:38:53 UTC
Type: Bug
Bug Blocks: 881827

Description Scott Poore 2012-10-26 03:18:18 UTC
Description of problem:

I would expect that any necessary client install (including via ipa-replica-install) would configure necessary changes when a cross domain trust is in place.

After having to re-configure/re-install a replica, I noticed that /etc/sssd/sssd.conf was missing subdomains_provider line.

ipa-client-install and ipa-replica-install should properly configure client config files for trusts if trusts are enabled for the environment.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64

How reproducible:
Unknown


Steps to Reproduce:
1.  Install IPA Master and Replica
2.  Install AD Server
3.  Setup trust to AD domain
4.  on replica:  ipa-server-install --uninstall -U
5.  on master: ipa-replica-manage -p PASSWORD del REPLICA --force
6.  on master: ipa-replica-prepare -p PASSWORD --ip-address=REPLICA_IP REPLICA
7.  on replica: sftp MASTER:/var/lib/ipa/replica-info-REPLICA.gpg 
8.  on replica: ipa-replica-install -U --setup-ca --setup-dns --forwarder=DNSFORWARDER -w PASSWORD -p PASSWD replica-info-REPLICA.gpg

Actual results:

Configs missing. At the very least, /etc/sssd/sssd.conf is missing the subdomains_provider = ipa line.

Expected results:

All trust-related configs should be handled by the ipa install commands.

Additional info:

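As an added check (not part of IPA, SSSD or this report), a small script that flags the condition described above: an active IPA-backed domain in sssd.conf without the subdomains_provider = ipa line. The two sample configs are constructed here; the domain and server names are taken from the report, and any other values are assumptions.

```python
"""Hypothetical check (not IPA/SSSD code): flag IPA domains in an sssd.conf
that lack 'subdomains_provider = ipa', the line this bug reports missing."""
import configparser
import io

# Constructed sample resembling the replica config the reporter found:
# the IPA domain has id_provider = ipa but no subdomains_provider line.
BROKEN_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = testrelm.com

[domain/testrelm.com]
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, dell-pe1950-03.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt
"""

# The same file with the line ipa-client-install is expected to write.
FIXED_CONF = BROKEN_CONF + "subdomains_provider = ipa\n"


def ipa_domains_missing_subdomains_provider(conf_text):
    """Return names of active IPA domains without subdomains_provider = ipa."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    # Only domains listed in [sssd] 'domains' are active; others are ignored.
    active = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    missing = []
    for name in filter(None, active):
        section = "domain/" + name
        if not cp.has_section(section):
            continue  # referenced but undefined; not this check's concern
        if cp.get(section, "id_provider", fallback="").strip() != "ipa":
            continue  # only IPA-backed domains serve trusted AD subdomains
        if cp.get(section, "subdomains_provider", fallback="").strip() != "ipa":
            missing.append(name)
    return missing


if __name__ == "__main__":
    # On a real client, replace the samples with open("/etc/sssd/sssd.conf").read()
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, ipa_domains_missing_subdomains_provider(text))
```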
Comment 2 Martin Kosek 2012-10-26 10:11:17 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3218

Comment 3 Dmitri Pal 2012-10-31 20:16:37 UTC
Moving to SSSD.

Comment 4 Dmitri Pal 2012-10-31 20:21:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1613

Comment 6 Steeve Goveas 2013-02-04 11:10:22 UTC
# Server (Replica)

[root@dell-pe1950-03 ~]# kinit admin
Password for admin: 

[root@dell-pe1950-03 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dell-pe1950-03 ~]# ipa-replica-manage list
ibm-x3500m4-01.testrelm.com: master
dell-pe1950-03.testrelm.com: master

# Adding IPA Client to a domain already having trust with AD

[root@wazwan ~]# rpm -q sssd
sssd-1.9.2-82.el6.x86_64

[root@wazwan ~]# cat /etc/sssd/sssd.conf
cat: /etc/sssd/sssd.conf: No such file or directory

[root@wazwan ~]# ipa-client-install
Discovery was successful!
Hostname: wazwan.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dell-pe1950-03.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Mon Jan 28 12:34:23 2013 UTC
    Valid Until: Fri Jan 28 12:34:23 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dell-pe1950-03.testrelm.com/ipa/xml
Hostname (wazwan.testrelm.com) not found in DNS
DNS server record set to: wazwan.testrelm.com -> 10.65.201.162
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dell-pe1950-03.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@wazwan ~]# grep id_provider /etc/sssd/sssd.conf
id_provider = ipa

[root@wazwan ~]# ssh -l tuser1 wazwan.testrelm.com
tuser1@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Could not chdir to home directory /home/adlab.qe/tuser1: No such file or directory
-sh-4.1$ 

[root@wazwan ~]# ssh -l tuser1 wazwan.testrelm.com
tuser1@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Creating home directory for tuser1.
Last login: Mon Feb  4 14:30:10 2013 from wazwan.testrelm.com
-sh-4.1$ echo tuser1 > .k5login
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

[root@wazwan ~]# kinit tuser1
Password for tuser1: 

[root@wazwan ~]# ssh -K -l tuser1 wazwan.testrelm.com
Last login: Mon Feb  4 14:42:20 2013 from wazwan.testrelm.com
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

# Adding Replica to a Server having Trust with AD

[root@ibm-x3500m4-01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* On Replica
[root@rasalghul ~]# kinit admin
Password for admin: 

[root@rasalghul ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* Installing ipa-adtrust

[root@rasalghul ~]# ipa-adtrust-install -a Secret123

[root@rasalghul ~]# ipactl restart

[root@rasalghul ~]# authconfig --enablemkhomedir --updateall

Shutting down Winbind services:                            [  OK  ]
Stopping sssd:                                             [  OK  ]
Starting oddjobd:                                          [  OK  ]

[root@rasalghul ~]# service sssd status
sssd is stopped

[root@rasalghul ~]# service sssd start
Starting sssd:                                             [  OK  ]

* Checking login from client

[root@wazwan ~]# ssh -l nuser1 rasalghul.testrelm.com
nuser1@rasalghul.testrelm.com's password: 
Your password will expire in 41 day(s).
Creating home directory for nuser1.
Last login: Mon Feb  4 16:31:37 2013 from 10.65.201.162
-sh-4.1$ echo nuser1  > .k5login
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.

[root@wazwan ~]# kinit nuser1
Password for nuser1: 

[root@wazwan ~]# ssh -K -l nuser1 rasalghul.testrelm.com
Last login: Mon Feb  4 16:33:35 2013 from 10.65.201.162
-sh-4.1$ pwd
/home/adlab.qe/nuser1
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.

Comment 7 errata-xmlrpc 2013-02-21 09:38:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html