Bug 980409
Summary: | Create a trust to an AD 2012 domain does not work, backport ticket 3231 | | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | pgustafs |
Component: | ipa | Assignee: | Martin Kosek <mkosek> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | high | Docs Contact: | |
Priority: | medium | | |
Version: | 6.4 | CC: | abokovoy, dpal, pgustafs, rcritten, sbose, sgoveas |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ipa-3.0.0-33.el6 | Doc Type: | Bug Fix |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2013-11-21 20:54:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Doc Text:

Cause: Identity Management Active Directory integration did not expect the different procedure that Microsoft Active Directory uses to populate the KERB_VALIDATION_INFO section of the MS-PAC extension in Kerberos tickets.

Consequence: Such Kerberos tickets were not accepted, causing an incompatibility between IdM and Microsoft Windows Server 2012.

Fix: KERB_VALIDATION_INFO verification was refactored to ensure it filters out the unexpected values before further processing.

Result: IdM Active Directory Trust creation no longer fails with Microsoft Windows Server 2012.
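The Doc Text above says the fix makes KERB_VALIDATION_INFO verification filter out unexpected values instead of rejecting the ticket. The following is an added illustration of that idea in Python, not FreeIPA/IdM code: the field subset, the filter rules (reject a logon domain other than the trusted one, reject SIDs that claim the local domain, drop other SIDs that are not principals of the trusted domain) and the local-domain SID are assumptions; the ADTEST.QE domain SID and ID range come from the QA log below.

```python
# Added example (Python model, not FreeIPA/IdM code) of the check the Doc Text
# describes: validate KERB_VALIDATION_INFO from a trusted AD domain and drop the
# unexpected SIDs instead of rejecting the ticket. Filter rules are assumptions.
from dataclasses import dataclass, replace
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
TRUSTED_DOMAIN_SID = "S-1-5-21-1910160501-511572375-3625658879"  # from trust-add output
LOCAL_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"     # constructed placeholder
ADTEST_RANGE = {"first_posix_id": 1148400000, "first_rid": 0, "size": 200000}  # idrange-find

@dataclass(frozen=True)
class ValidationInfo:
    user_rid: int          # UserId, relative to logon_domain_sid
    group_rids: tuple      # GroupIds, also relative RIDs
    logon_domain_sid: str  # LogonDomainId
    extra_sids: tuple      # ExtraSids: fully qualified SIDs

def sid_domain(sid):
    """Domain part of a SID: everything before the last sub-authority (the RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    return sid.rsplit("-", 1)[0]

def filter_validation_info(info, trusted_sid=TRUSTED_DOMAIN_SID, local_sid=LOCAL_DOMAIN_SID):
    """Return (filtered_info, dropped_sids). Hard failures: the logon domain is
    not the trusted domain, or the foreign PAC asserts a SID of the local domain."""
    if info.logon_domain_sid != trusted_sid:
        raise ValueError("LogonDomainId is not the trusted domain")
    kept, dropped = [], []
    for sid in info.extra_sids:
        dom = sid_domain(sid)
        if dom == local_sid:
            raise ValueError(f"foreign PAC asserts a local-domain SID: {sid}")
        # Well-known SIDs (S-1-18-*, S-1-5-32-*, ...) and other domains' SIDs are
        # not principals of the trusted domain: filter them out, do not reject.
        (kept if dom == trusted_sid else dropped).append(sid)
    return replace(info, extra_sids=tuple(kept)), dropped

def posix_id(rid, idrange=ADTEST_RANGE):
    """Map a RID to the POSIX ID IdM assigns from the trusted domain's ID range."""
    offset = rid - idrange["first_rid"]
    if not 0 <= offset < idrange["size"]:
        raise ValueError(f"RID {rid} outside the configured range")
    return idrange["first_posix_id"] + offset

SAMPLE = ValidationInfo(  # constructed sample, not a captured PAC
    user_rid=1110, group_rids=(513,), logon_domain_sid=TRUSTED_DOMAIN_SID,
    extra_sids=(TRUSTED_DOMAIN_SID + "-1120", "S-1-18-1", "S-1-5-21-9-8-7-513"))
```

With the sample, only the trusted-domain SID survives in ExtraSids, and RID 1110 maps to POSIX ID 1148401110, the uid that `getent passwd user1` prints in the QA log.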
Description
pgustafs
2013-07-02 09:59:56 UTC
The ticket 3289 is not really relevant here alone. What is relevant is its predecessor which actually adds support for Windows Server 2012.

(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

yes, I gave them a test-build with the patch from https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6 build and got the feedback that now everything is working as expected. I really think it is worth adding this patch in 6.5.

(In reply to Sumit Bose from comment #3)
> (In reply to Alexander Bokovoy from comment #2)
> > The ticket 3289 is not really relevant here alone. What is relevant is its
> > predecessor which actually adds support for Windows Server 2012.
>
> yes, I gave them a test-build with the patch from
> https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6
> build and got the feedback that now everything is working as expected. I
> really think it is worth adding this patch in 6.5.

(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

Yes, with the test-build from Sumit everything is working as expected. Since Windows Server 2012 is becoming common nowadays I also really think it is worth adding this patch in 6.5.

The full scope of changes to support Windows Server 2012 in IdM is tracked in the bug 910453 for RHEL 7. However, the patch from FreeIPA upstream ticket https://fedorahosted.org/freeipa/ticket/3231 represents minimal support with hard-coded configuration that is enough to support default Windows Server 2012 installs. So I'd suggest including it in 6.5, given that the engineering work is already performed as part of upstream activities and initial testing at a customer's environment gave a positive result.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/3768

This Bugzilla is solved by ticket 3231 (see Comment 3), not 3289. Updating Bugzilla title.

I will move this to POST, as the upstream bug is fixed:

master: 32916d444b038e6d68348b62481a4e2871438568

Fixed one coverity issue, added 2 stabilization patches related to AD2012 backported code.

One more coverity fix -> ipa-3.0.0-33.el6.

```
[root@dhcp207-85 ~]# nmap -A ad12srv1.adtest.qe
....
Host script results:
|_nbstat: NetBIOS name: AD12SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 52:54:00:a8:2d:d6 (QEMU Virtual NIC)
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-os-discovery:
|   OS: Windows Server 2012 Standard 9200 (Windows Server 2012 Standard 6.2)
|   Name: ADTEST\AD12SRV1
|_  System time: 2013-09-23 19:50:32 UTC+5.5

[root@dhcp207-85 ~]# ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-85 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1811200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-85 ~]# getent passwd user1
user1:*:1148401110:1148401110::/home/adtest.qe/user1:
[root@dhcp207-85 ~]# ssh -l user1 dhcp207-85.testrelm.com
user1@dhcp207-85.testrelm.com's password:
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
```

On IPA Client

```
[root@dhcp207-25 ~]# ipa-client-install --domain testrelm.com
Discovery was successful!
Hostname: dhcp207-25.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dhcp207-85.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin:
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dhcp207-85.testrelm.com/ipa/xml
Forwarding 'env' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
Hostname (dhcp207-25.testrelm.com) not found in DNS
DNS server record set to: dhcp207-25.testrelm.com -> 10.65.207.25
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@dhcp207-25 ~]# getent passwd user1
user1:*:1148401110:1148401110::/home/adtest.qe/user1:
[root@dhcp207-25 ~]# ssh -l user1 dhcp207-85.testrelm.com
user1@dhcp207-85.testrelm.com's password:
Last login: Mon Sep 23 19:59:19 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
```

Without Password

```
[root@dhcp207-25 ~]# vim /etc/krb5.conf
[root@dhcp207-25 ~]# grep auth_to_local /etc/krb5.conf
  auth_to_local = RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/
  auth_to_local = DEFAULT
[root@dhcp207-25 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@dhcp207-25 ~]# kinit user1
Password for user1:
[root@dhcp207-25 ~]# ssh -K -l user1 dhcp207-85.testrelm.com
Last login: Tue Sep 24 15:33:38 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
```

Verified

```
[root@dhcp207-85 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 Beta (Santiago)
[root@dhcp207-85 ~]# rpm -q ipa-server
ipa-server-3.0.0-35.el6.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html
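The passwordless login in the QA log depends on the `auth_to_local` RULE entry in /etc/krb5.conf mapping the AD principal `user1@ADTEST.QE` to the local name `user1@adtest.qe` that SSSD resolves. The following is an added example, not krb5 or IdM code: a small Python evaluator for the MIT krb5 RULE syntax (`[n:fmt]`, an optional `(regexp)`, repeated `s/pattern/replacement/[g]` with literal replacement text), used to trace what that rule does to several principals. Backslash escaping in principals, backreferences in replacements and the other krb5 localauth mechanisms are not modelled.

```python
# Added example (not krb5 code): a small evaluator for MIT krb5 auth_to_local
# RULE: entries, to show what the rule in the QA log does to an AD principal.
# Modelled: [n:fmt], optional (regexp), repeated s/pat/repl/[g] with literal repl.
import re

def parse_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); backslash escaping is not modelled."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal without realm: {principal}")
    return name.split("/"), realm

def parse_rule(rule):
    """Return (n, fmt, regexp_or_None, [(pattern, replacement, global), ...])."""
    if not rule.startswith("RULE:["):
        raise ValueError("not a RULE: entry")
    head, body = rule[len("RULE:["):].split("]", 1)
    n, fmt = head.split(":", 1)
    regexp = None
    if body.startswith("("):            # regexp runs up to the matching ')'
        depth = 0
        for i, ch in enumerate(body):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        regexp, body = body[1:i], body[i + 1:]
    subs = []
    while body.startswith("s") and len(body) > 1:
        _, pat, repl, rest = body.split(body[1], 3)   # delimiter is the char after 's'
        glob = rest.startswith("g")
        subs.append((pat, repl, glob))
        body = rest[1:] if glob else rest
    return int(n), fmt, regexp, subs

def apply_rule(rule, principal):
    """Local name the rule yields for principal, or None if the rule does not apply.
    $0 in fmt is the realm, $1..$n the components; patterns are regexes, as in krb5."""
    comps, realm = parse_principal(principal)
    n, fmt, regexp, subs = parse_rule(rule)
    if len(comps) != n:
        return None
    s = re.sub(r"\$(\d+)", lambda m: ([realm] + comps)[int(m.group(1))], fmt)
    if regexp is not None and re.search(regexp, s) is None:
        return None
    for pat, repl, glob in subs:
        s = re.sub(pat, lambda _m, r=repl: r, s, count=0 if glob else 1)
    return s

QA_RULE = "RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/"   # from the QA log
```

`apply_rule(QA_RULE, "user1@ADTEST.QE")` yields `user1@adtest.qe`, while a TESTRELM.COM principal or a two-component service principal falls through to the next entry (`auth_to_local = DEFAULT` in the log); note that the unescaped dots in `ADTEST.QE` are regex wildcards, exactly as krb5 treats them.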