Bug 983237

Summary: add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install
Product: Red Hat Enterprise Linux 6
Reporter: Najmuddin Chirammal <nc>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED NOTABUG
QA Contact: Namita Soman <nsoman>
Severity: medium
Priority: medium
Version: 6.4
CC: dpal, nc, rcritten, sbose, tbabej, yjog
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Known Issue
Doc Text:
ipa-adtrust-install, an Identity Management Active Directory Trust configuration tool, does not explicitly specify the authentication mechanism when performing Active Directory Trust configuration changes. When the user specifies a default LDAP authentication mechanism other than the expected default (for example, by setting the SASL_MECH configuration option to GSSAPI in .ldaprc, the LDAP configuration file for the root user), ipa-adtrust-install will not use the expected authentication mechanism and will fail to configure some parts of the Active Directory Integration feature. As a result, a crash of the samba daemon (smbd) can occur or the user will be unable to use the feature. To work around this problem, remove any user default settings related to the LDAP authentication mechanism from the .ldaprc file. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
Last Closed: 2013-09-03 11:32:42 UTC
Type: Bug

Description Najmuddin Chirammal 2013-07-10 19:14:17 UTC
Description of problem: Samba crashes if ipaNTSecurityIdentifier is not present on the "default smb group". The issue occurs if we do not specify the --add-sids option during ipa-adtrust-install.

Version-Release number of selected component (if applicable): ipa-server-3.0.0-26.el6_4.4 

How reproducible: Always.

Steps to Reproduce:
1. Install IPA server.
2. Run ipa-adtrust-install (without --add-sids option)
3. Once it's completed, try using wbinfo/smbclient commands, watch the logs.

Actual results: smbd crashes due to missing ipaNTSecurityIdentifier attribute on the default smb group.

Expected results: No samba crashes; wbinfo and smbclient return proper results.

Comment 2 Rob Crittenden 2013-07-11 13:25:38 UTC
Upstream ticket:

Comment 9 Martin Kosek 2013-09-03 11:31:12 UTC
This issue was caused by a configuration issue; adding a Known Issue doc paragraph.

Comment 10 Martin Kosek 2013-09-03 11:32:42 UTC
Closing the bug for 6.5, it will be only documented (and fixed upstream - https://fedorahosted.org/freeipa/ticket/3895).

Comment 11 Martin Kosek 2013-09-03 15:20:00 UTC
Fixed typo in doc text.
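
The pre-flight check below is an added example, not part of the original bug report or of the FreeIPA code: it looks for the user defaults that the Doc Text workaround says to remove from .ldaprc. The function names are hypothetical; the option names and file locations are the user-only options and user configuration files documented in ldap.conf(5).

```shell
#!/bin/sh
# Added example (not from the bug report): detect per-user LDAP authentication
# defaults that make ipa-adtrust-install bind with an unexpected mechanism.

# find_ldap_auth_defaults FILE...
# Prints "file:line: setting" for each user-only authentication option found.
# Option names are case-insensitive in ldap.conf(5), so the key is upper-cased.
# Returns 0 if at least one setting was found, 1 if none.
find_ldap_auth_defaults() {
    _fad_status=1
    for _fad_file in "$@"; do
        [ -r "$_fad_file" ] || continue        # missing or unreadable file: nothing to report
        _fad_hits=$(awk '
            NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
            toupper($1) ~ /^(SASL_MECH|SASL_REALM|SASL_AUTHCID|SASL_AUTHZID|BINDDN)$/ {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
            }' "$_fad_file")
        if [ -n "$_fad_hits" ]; then
            printf '%s\n' "$_fad_hits"
            _fad_status=0
        fi
    done
    return "$_fad_status"
}

# check_ldaprc_for_adtrust
# Checks the invoking user's LDAP client files: $HOME/ldaprc, $HOME/.ldaprc,
# ./ldaprc, plus the file named by $LDAPRC when that variable is set.
# Returns 1 (and lists the offending lines) if the workaround still has to be applied.
check_ldaprc_for_adtrust() {
    set -- "$HOME/ldaprc" "$HOME/.ldaprc" "./ldaprc"
    if [ -n "${LDAPRC:-}" ]; then
        set -- "$@" "$HOME/$LDAPRC" "./$LDAPRC"
    fi
    if find_ldap_auth_defaults "$@"; then
        echo "Remove the settings listed above before running ipa-adtrust-install." >&2
        return 1
    fi
    echo "No user LDAP authentication defaults found."
    return 0
}
```

Run `check_ldaprc_for_adtrust` as root, from the directory where the installer will be started, before running ipa-adtrust-install.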