Bug 878288
Summary: | IPA users are not available after ipa-server-install because sssd not running | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 6.4 | CC: | abokovoy, arubin, bcook, dpal, jgalipea, mkosek, sbose, ssorce |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-3.0.0-10.el6 | Doc Type: | Known Issue |
Doc Text: |
When attempting to set up a trust to Active Directory, running the 'ipa- trust-add' command fails with the following error message:
ERROR: Insufficient access: CIFS server denied your credentials
To work around this problem, restart the sssd daemon before adding the trust.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 09:30:13 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 886216 |
Description
Scott Poore
2012-11-20 03:24:44 UTC
The reason is "Username TESTRELM\admin is invalid on this system", i.e. smbd cannot resolve the IPA admin user. There might be several issues leading to this. Since you are not mentioning that you add config options to sssd.conf I assume you are running one of the latest sssd versions, where the subdomains provider and the PAc responder are started automatically if ip_provider=ipa is configured. Can you check if this is really the case by checking that sssd_pac process is running? If this is that case I assume that the sssd subdomain provider is in a timeout period where is does not check for subdomains. This timeout period was added to make the subdomain provider well behaved in case where no trust is configured on the IPA server, i.e. does not make too many useless subdomain related lookups on the server. To test this please run the test again, but restart sssd after ipa-adtrust-install is run. If the test is successful, please change the component of the ticket to sssd and rename it to 'IPA subdomains provider shall allow lookups after reconnect'. Currently the timeout period is reset when sssd goes online, but is looks that in your test the restart of the IPA directory server does not trigger an offline-online cycle, but only a reconnect. Sorry, looks like my assumption in comment 2 is not the issue here. Steeve was so kind to re-run your test and found the sssd is not running at all after ipa-server-install. I think it is realated to to the change in https://bugzilla.redhat.com/show_bug.cgi?id=874527 . Looks like a restart of sssd must be added to ipa-client-install. Upstream ticket: https://fedorahosted.org/freeipa/ticket/3267 Yep, that's what I see on the server I used to post this bug: [root@rhel6-1 ~]# ps -ef|grep sssd root 30192 30174 0 10:26 pts/0 00:00:00 grep sssd [root@rhel6-1 ~]# service sssd restart Stopping sssd: cat: /var/run/sssd.pid: No such file or directory [FAILED] Starting sssd: [ OK ] [root@rhel6-1 ~]# echo <PASSWORD>|ipa trust-add adtestdom.com --admin Administrator --password ------------------------------------------------------ Added Active Directory trust for realm "adtestdom.com" ------------------------------------------------------ Realm name: adtestdom.com Domain NetBIOS name: ADTESTDOM Domain Security Identifier: S-1-5-21-1246088475-3077293710-2580964704 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified Ok, removing TestBlocker keyword because we have a workaround here of restarting sssd before adding the trust. So, is ipa-client-install going to get updated to fix this? That's the plan. Bug summary changed to be more descriptive of overall issue seen. It should be noted that we've also seen that issue cause ipa-replica-install to fail during the ipa-replica-conncheck when it tries to ssh as admin to the IPA master. Starting sssd on the IPA master fixes that issue. Updating summary to include because sssd not running to make it even easier to understand at a glance. Also, adding Regression keyword as it will be seen that way to end users seeing this unexpected failure. Fixed upstream. master: a45125f78db5d95b3d0dd000cf6af0ef4444f9a0 ipa-3-0: 3ea6c53a44f5d7a25b0274ad384d445739f85203 Restart sssd after authconfig update Recent versions of authconfig do not restart sssd if only the --enablesssd and --enablesssdauth options are used. To make sure sssd is running after ipa-server-install is run this patch add an unconditional restart of sssd after authconfig is run during the installation. Since there already is some logic trying to determine if sssd needs to be restarted or stopped if freeipa in uninstalled no changes are needed here. Verified. Version :: ipa-client-3.0.0-10.el6.x86_64 Manual Test Results :: [root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Warning: skipping DNS resolution of host rhel6-1.testrelm.com Using reverse zone 122.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: rhel6-1.testrelm.com IP address: 192.168.122.61 Domain name: testrelm.com Realm name: TESTRELM.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Reverse zone: 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: creating pki-ca instance [3/21]: configuring certificate server instance [4/21]: disabling nonces [5/21]: creating CA agent PKCS#12 file in /root [6/21]: creating RA agent certificate database [7/21]: importing CA chain to RA certificate database [8/21]: fixing RA database permissions [9/21]: setting up signing cert profile [10/21]: set up CRL publishing [11/21]: set certificate subject base [12/21]: enabling Subject Key Identifier [13/21]: setting audit signing renewal to 2 years [14/21]: configuring certificate server to start on boot [15/21]: restarting certificate server [16/21]: requesting RA certificate from CA [17/21]: issuing RA agent certificate [18/21]: adding RA agent as a trusted user [19/21]: configure certificate renewals [20/21]: configure Server-Cert certificate renewal [21/21]: Configure HTTP to proxy connections Done configuring certificate server (pki-cad). Configuring directory server (dirsrv): Estimated time 1 minute [1/37]: creating directory server user [2/37]: creating directory server instance [3/37]: adding default schema [4/37]: enabling memberof plugin [5/37]: enabling winsync plugin [6/37]: configuring replication version plugin [7/37]: enabling IPA enrollment plugin [8/37]: enabling ldapi [9/37]: disabling betxn plugins [10/37]: configuring uniqueness plugin [11/37]: configuring uuid plugin [12/37]: configuring modrdn plugin [13/37]: enabling entryUSN plugin [14/37]: configuring lockout plugin [15/37]: creating indices [16/37]: enabling referential integrity plugin [17/37]: configuring ssl for ds instance [18/37]: configuring certmap.conf [19/37]: configure autobind for root [20/37]: configure new location for managed entries [21/37]: restarting directory server [22/37]: adding default layout [23/37]: adding delegation layout [24/37]: adding replication acis [25/37]: creating container for managed entries [26/37]: configuring user private groups [27/37]: configuring netgroups from hostgroups [28/37]: creating default Sudo bind user [29/37]: creating default Auto Member layout [30/37]: adding range check plugin [31/37]: creating default HBAC rule allow_all [32/37]: initializing group membership [33/37]: adding master entry [34/37]: configuring Posix uid/gid generation [35/37]: enabling compatibility plugin [36/37]: tuning directory server [37/37]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/14]: disabling mod_ssl in httpd [2/14]: setting mod_nss port to 443 [3/14]: setting mod_nss password file [4/14]: enabling mod_nss renegotiate [5/14]: adding URL rewriting rules [6/14]: configuring httpd [7/14]: setting up ssl [8/14]: setting up browser autoconfig [9/14]: publish CA cert [10/14]: creating a keytab for httpd [11/14]: clean up any existing httpd ccache [12/14]: configuring SELinux for httpd [13/14]: restarting httpd [14/14]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password [root@rhel6-1 ~]# ps -ef|grep sssd root 29201 1 0 10:15 ? 00:00:00 /usr/sbin/sssd -f -D root 29202 29201 0 10:15 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.com --debug-to-files root 29203 29201 0 10:15 ? 00:00:00 /usr/libexec/sssd/sssd_nss --debug-to-files root 29204 29201 0 10:15 ? 00:00:00 /usr/libexec/sssd/sssd_pam --debug-to-files root 29205 29201 0 10:15 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --debug-to-files root 29206 29201 0 10:15 ? 00:00:00 /usr/libexec/sssd/sssd_pac --debug-to-files root 29305 25415 0 10:28 pts/0 00:00:00 grep sssd [root@rhel6-1 ~]# service sssd status sssd (pid 29201) is running... [root@rhel6-1 ~]# ssh admin@localhost The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established. RSA key fingerprint is 5f:a4:46:34:99:80:f7:8b:1b:76:f0:e7:d6:97:25:24. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (RSA) to the list of known hosts. admin@localhost's password: Could not chdir to home directory /home/admin: No such file or directory -bash-4.1$ id uid=799400000(admin) gid=799400000(admins) groups=799400000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -bash-4.1$ whoami admin -bash-4.1$ exit logout Connection to localhost closed. [root@rhel6-1 ~]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |