This bug has been copied from bug #951965 and has been proposed to be backported to 6.4 z-stream (EUS).
[root@dhcp207-61 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)
[root@dhcp207-61 ~]# rpm -q ipa-server
ipa-server-3.0.0-25.el6.x86_64
[root@dhcp207-61 ~]# rpm -q krb5-server
krb5-server-1.10.3-10.el6.x86_64
[root@dhcp207-61 ~]# wget -O /etc/yum.repos.d/errata-15560.repo http://cosmos.lab.eng.pnq.redhat.com/errata-15560/errata-15560.repo
[root@dhcp207-61 ~]# yum update krb5-server
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.10.3-10.el6 will be updated
---> Package krb5-server.x86_64 0:1.10.3-10.el6_4.6 will be an update
--> Processing Dependency: krb5-libs = 1.10.3-10.el6_4.6 for package: krb5-server-1.10.3-10.el6_4.6.x86_64
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.10.3-10.el6 will be updated
--> Processing Dependency: krb5-libs = 1.10.3-10.el6 for package: krb5-workstation-1.10.3-10.el6.x86_64
---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be an update
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.10.3-10.el6 will be updated
---> Package krb5-workstation.x86_64 0:1.10.3-10.el6_4.6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch     Version              Repository       Size
================================================================================
Updating:
 krb5-server        x86_64   1.10.3-10.el6_4.6    errata-15560    2.0 M
Updating for dependencies:
 krb5-libs          x86_64   1.10.3-10.el6_4.6    errata-15560    760 k
 krb5-workstation   x86_64   1.10.3-10.el6_4.6    errata-15560    804 k

Transaction Summary
================================================================================
Upgrade       3 Package(s)

Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): krb5-libs-1.10.3-10.el6_4.6.x86_64.rpm          | 760 kB   00:00
(2/3): krb5-server-1.10.3-10.el6_4.6.x86_64.rpm        | 2.0 MB   00:00
(3/3): krb5-workstation-1.10.3-10.el6_4.6.x86_64.rpm   | 804 kB   00:00
--------------------------------------------------------------------------------
Total                                         32 MB/s | 3.5 MB   00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : krb5-libs-1.10.3-10.el6_4.6.x86_64                    1/6
  Updating   : krb5-server-1.10.3-10.el6_4.6.x86_64                  2/6
  Updating   : krb5-workstation-1.10.3-10.el6_4.6.x86_64             3/6
  Cleanup    : krb5-workstation-1.10.3-10.el6.x86_64                 4/6
  Cleanup    : krb5-server-1.10.3-10.el6.x86_64                      5/6
  Cleanup    : krb5-libs-1.10.3-10.el6.x86_64                        6/6
  Verifying  : krb5-server-1.10.3-10.el6_4.6.x86_64                  1/6
  Verifying  : krb5-libs-1.10.3-10.el6_4.6.x86_64                    2/6
  Verifying  : krb5-workstation-1.10.3-10.el6_4.6.x86_64             3/6
  Verifying  : krb5-libs-1.10.3-10.el6.x86_64                        4/6
  Verifying  : krb5-workstation-1.10.3-10.el6.x86_64                 5/6
  Verifying  : krb5-server-1.10.3-10.el6.x86_64                      6/6

Updated:
  krb5-server.x86_64 0:1.10.3-10.el6_4.6

Dependency Updated:
  krb5-libs.x86_64 0:1.10.3-10.el6_4.6    krb5-workstation.x86_64 0:1.10.3-10.el6_4.6

Complete!
[root@dhcp207-61 ~]# yum install bind-dyndb-ldap -y
[root@dhcp207-61 ~]# /usr/sbin/ipa-server-install --setup-dns --no-forwarder --hostname=dhcp207-61.testrelm.com --ip-address 10.65.207.61 -r TESTRELM.COM -n testrelm.com -p Secret123 -P Secret123 -a Secret123 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  . . .
Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@dhcp207-61 ~]# yum remove samba-winbind samba-common -y
[root@dhcp207-61 ~]# yum install ipa-server-trust-ad samba4-winbind-clients -y
[root@dhcp207-61 ~]# ipa-adtrust-install -a Secret123 --netbios-name TESTRELM -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

	You must make sure these network ports are open:
		TCP Ports:
		  * 138: netbios-dgm
		  * 139: netbios-ssn
		  * 445: microsoft-ds
		UDP Ports:
		  * 138: netbios-dgm
		  * 139: netbios-ssn
		  * 389: (C)LDAP
		  * 445: microsoft-ds

	Additionally you have to make sure the FreeIPA LDAP server is not reachable
	by any domain controller in the Active Directory domain by closing down
	the following ports for these servers:
		TCP Ports:
		  * 389, 636: LDAP/LDAPS
	You may want to choose to REJECT the network packets instead of DROPing
	them to avoid timeouts on the AD domain controllers.

=============================================================================
[root@dhcp207-61 ~]# ipa dnszone-add adlabs.com --force --forwarder=10.65.207.6 --forward-policy=only --name-server win-i94qhqmthd4.adlabs.com --ip-address 10.65.207.6 --admin-email='hostmaster.adlabs.com'
  Zone name: adlabs.com
  Authoritative nameserver: win-i94qhqmthd4.adlabs.com
  Administrator e-mail address: hostmaster.adlabs.com.
  SOA serial: 1378464230
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.65.207.6
  Forward policy: only
[root@dhcp207-61 ~]# dig srv _ldap._tcp.adlabs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> srv _ldap._tcp.adlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32791
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.adlabs.com.		IN	SRV

;; ANSWER SECTION:
_ldap._tcp.adlabs.com.	600	IN	SRV	0 100 389 win-i94qhqmthd4.adlabs.com.

;; ADDITIONAL SECTION:
win-i94qhqmthd4.adlabs.com. 1200 IN	A	10.65.207.6
win-i94qhqmthd4.adlabs.com. 1200 IN	AAAA	2620:52:0:41ce:5dbd:d0b2:6cc0:6a56

;; Query time: 11 msec
;; SERVER: 10.65.207.61#53(10.65.207.61)
;; WHEN: Fri Sep 6 16:14:12 2013
;; MSG SIZE  rcvd: 129

[root@dhcp207-61 ~]# dig @10.65.207.6 srv _ldap._tcp.testrelm.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> @10.65.207.6 srv _ldap._tcp.testrelm.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60106
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.testrelm.com.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.testrelm.com. 86388	IN	SRV	0 100 389 dhcp207-61.testrelm.com.

;; ADDITIONAL SECTION:
dhcp207-61.testrelm.com. 1188	IN	A	10.65.207.61

;; Query time: 1 msec
;; SERVER: 10.65.207.6#53(10.65.207.6)
;; WHEN: Fri Sep 6 16:20:05 2013
;; MSG SIZE  rcvd: 100

[root@dhcp207-61 ~]# ipa trust-add --type=ad adlabs.com --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials
[root@dhcp207-61 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Starting Kerberos 5 Admin Server:                          [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Starting ipa_memcached:                                    [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
Restarting ADTRUST Service
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]
Restarting EXTID Service
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@dhcp207-61 ~]# wbinfo --online-status
BUILTIN : online
TESTRELM : online
[root@dhcp207-61 ~]# ipa trust-add --type=ad adlabs.com --admin Administrator --password
Active directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "adlabs.com"
---------------------------------------------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@dhcp207-61 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

Verified in version

[root@dhcp207-61 ~]# rpm -q ipa-server krb5-server
ipa-server-3.0.0-25.el6.x86_64
krb5-server-1.10.3-10.el6_4.6.x86_64
[root@dhcp207-61 ~]# kdestroy
[root@dhcp207-61 ~]# kinit admin
Password for admin:
[root@dhcp207-61 ~]# ls -la /`klist | grep cache | cut -d':' -f2-|cut -d/ -f2-`
-rw-------. 1 root root 1267 Sep 6 16:25 /tmp/krb5cc_0
[root@dhcp207-61 ~]# kvno cifs/`hostname`
cifs/dhcp207-61.testrelm.com: kvno = 1
[root@dhcp207-61 ~]# ls -la /`klist | grep cache | cut -d':' -f2-|cut -d/ -f2-`
-rw-------. 1 root root 2344 Sep 6 16:26 /tmp/krb5cc_0
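The verification above checks the trust prerequisites by hand: the AD domain's LDAP SRV record resolved through the IPA forward zone, the IPA LDAP SRV record resolved from the AD DC, winbind's online status, and finally a service ticket for the local cifs/ principal. The script below is an added example, not part of the bug report, of FreeIPA or of the krb5 packages; it wraps those checks so they can be run before attempting `ipa trust-add`. The SRV parsing helpers take captured `dig +short srv` output, so they are exercised offline against sample records constructed from the transcript; `--live` runs the real `dig`, `wbinfo` and `kvno` commands and assumes the transcript's names and addresses (10.65.207.6 as the AD DC, dhcp207-61.testrelm.com as the IPA server) plus an existing admin TGT from `kinit admin`.

```shell
#!/bin/sh
# trust-preflight.sh: added example, not part of the bug report or of FreeIPA.
# Checks what the verification transcript inspects by hand before running
# `ipa trust-add`: the AD domain's LDAP SRV record resolves through the IPA
# forward zone, the AD DC can resolve IPA's LDAP SRV record, winbind reports
# its domains online, and a cifs/ service ticket for this host can be obtained.
# The parsing helpers take captured `dig +short srv` output (one record per
# line: "priority weight port target.") so they can be tested offline.

# srv_target_on_port "<dig +short srv output>" PORT
# Prints the target of the first SRV record that advertises PORT (trailing dot
# removed); returns 1 if no record does, e.g. an empty answer because the
# forward zone for the AD domain is missing.
srv_target_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NF == 4 && $3 == port { sub(/\.$/, "", $4); print $4; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_ldap_srv "<dig +short srv output>" EXPECTED_HOST
# Succeeds only when an LDAP SRV record (port 389) points at EXPECTED_HOST;
# a record naming some other server would send the trust traffic elsewhere.
check_ldap_srv() {
    target=$(srv_target_on_port "$1" 389) || return 1
    [ "$target" = "$2" ]
}

# Constructed sample answers in `dig +short` form, built from the records shown
# in the transcript. BAD_ANSWER advertises only port 636, which is not what an
# _ldap._tcp lookup should return, so the check must reject it.
AD_ANSWER='0 100 389 win-i94qhqmthd4.adlabs.com.'
IPA_ANSWER='0 100 389 dhcp207-61.testrelm.com.'
BAD_ANSWER='0 100 636 win-i94qhqmthd4.adlabs.com.'

# live_checks AD_DOMAIN AD_DC AD_DC_IP IPA_DOMAIN IPA_HOST
# Runs the real queries; kvno needs a Kerberos TGT (kinit admin) first.
live_checks() {
    ad_domain=$1 ad_dc=$2 ad_dc_ip=$3 ipa_domain=$4 ipa_host=$5
    check_ldap_srv "$(dig +short srv "_ldap._tcp.$ad_domain")" "$ad_dc" ||
        { echo "FAIL: _ldap._tcp.$ad_domain does not resolve to $ad_dc via the IPA forward zone" >&2; return 1; }
    check_ldap_srv "$(dig "@$ad_dc_ip" +short srv "_ldap._tcp.$ipa_domain")" "$ipa_host" ||
        { echo "FAIL: $ad_dc_ip cannot resolve _ldap._tcp.$ipa_domain to $ipa_host" >&2; return 1; }
    status=$(wbinfo --online-status) ||
        { echo "FAIL: wbinfo --online-status failed" >&2; return 1; }
    case $status in
        *offline*) echo "FAIL: winbind reports a domain offline: $status" >&2; return 1 ;;
    esac
    kvno "cifs/$ipa_host" >/dev/null ||
        { echo "FAIL: cannot obtain a service ticket for cifs/$ipa_host" >&2; return 1; }
    echo "OK: trust prerequisites satisfied, safe to run ipa trust-add"
}

# Usage: sh trust-preflight.sh --live   (arguments below are the transcript's)
case ${1:-} in
    --live) live_checks adlabs.com win-i94qhqmthd4.adlabs.com 10.65.207.6 \
                        testrelm.com dhcp207-61.testrelm.com ;;
esac
```

Without `--live` the script only defines the helpers and samples; the live run stops at the first failing prerequisite and names it, which is more useful than the single "CIFS server denied your credentials" error that `ipa trust-add` returns when something upstream of it is wrong.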
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1222.html