Bug 1206613 - [RFE] Configure IPA to be a trust agent by default
Summary: [RFE] Configure IPA to be a trust agent by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 1181710
Reported: 2015-03-27 14:16 UTC by Martin Kosek
Modified: 2023-05-09 14:11 UTC
CC List: 4 users

Fixed In Version: ipa-4.2.0-1.el7
Doc Type: Release Note
Doc Text:
Configuring an IdM server to be a trust agent now supported

Identity Management (IdM) distinguishes two types of IdM master servers: trust controllers and trust agents. Trust controllers run all the services required for establishing and maintaining a trust; trust agents only run services required to provide resolution of users and groups from trusted Active Directory forests to IdM clients enrolled with these IdM servers. By default, running the "ipa-adtrust-install" command sets up the IdM server as a trust controller. To configure another IdM server to be a trust agent, pass the "--add-agents" option to "ipa-adtrust-install".
Clone Of:
Environment:
Last Closed: 2015-11-19 12:03:18 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-9864 0 None None None 2023-05-09 14:11:40 UTC
Red Hat Product Errata RHBA-2015:2362 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-27 14:16:38 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4951

FreeIPA supports trusted relationships with Active Directory via cross-forest trust. Currently, all functionality to support trusted relationships with Active Directory must be present on every IPA master which controls IPA clients where access to AD users is desired. There are certain differences between uses of the IPA infrastructure which allow reducing the requirements on IPA masters involved in providing trust features.

A trust controller is a FreeIPA master which runs the following services:
* LDAP server with sidgen, extdom, and cldap plugins
* KDC with IPA driver
* Samba configured with ipasam PASSDB module
* SSSD with ipa_server_mode=True
* Global Catalog instance (a separate LDAP instance with an AD-compatible schema)

A trust agent is a FreeIPA master which runs the following services:
* LDAP server with sidgen and extdom plugins
* KDC with IPA driver
* SSSD with ipa_server_mode=True

A trust agent is a master that relies on SSSD to do resolution of IDs. A trust controller is used for managing the trust: adding trust agreements, enabling/disabling separate domains from a trusted forest to access FreeIPA resources, etc. The trust controller is also what Active Directory's domain controllers contact when validating the trust by means of the SMB protocol using LSA calls, which implies running a Samba server.

The following work needs to be done:
* Change configuration of IPA master to be trust agent by default and ipa-adtrust-install to configure trust controller.
* Existing cldap, extdom, and sidgen plugins will need to be updated to not fail or complain in the logs if no configuration exists for IPA side of the domain (domain SID, default groups, etc)
* Packaging dependencies for FreeIPA need to change to allow Samba libraries to be installed by default but Samba daemons only pulled in with freeipa-server-trust-ad subpackage.
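As an added example (not part of this ticket or of FreeIPA's own tooling), the shell check below classifies a local IdM master by the role definitions given above: a trust controller runs Samba with ipasam plus SSSD in ipa_server_mode, a trust agent runs SSSD in ipa_server_mode without Samba. It assumes the standard sssd.conf layout with `[domain/...]` sections and the `smb.service` unit name for Samba; the sample config is constructed inline.

```shell
# Added example: inventory which IdM masters expose the larger SMB/LSA
# surface (trust controllers) versus resolution-only trust agents.
# Inputs: an sssd.conf path and a list of enabled systemd units.

# $1: sssd.conf path. Prints "true" if any [domain/...] section sets
# ipa_server_mode = True (case-insensitive), else "false".
sssd_server_mode() {
  awk -F'=' '
    /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
    in_domain && $1 ~ /^[[:space:]]*ipa_server_mode[[:space:]]*$/ {
      v = tolower($2); gsub(/[[:space:]]/, "", v)
      if (v == "true") { found = 1 }
    }
    END { print (found ? "true" : "false") }
  ' "$1"
}

# $1: sssd.conf path; $2: whitespace-separated enabled unit names
# (in production, e.g. from: systemctl list-unit-files --state=enabled).
# smb.service is the assumed unit name for Samba on RHEL.
ipa_master_role() {
  local conf="$1" units=" $2 " server_mode
  server_mode=$(sssd_server_mode "$conf")
  case "$units" in
    *" smb.service "*)
      # Samba present: a controller per the ticket's definition
      [ "$server_mode" = true ] && echo trust-controller || echo plain-master ;;
    *)
      # No Samba: SSSD in server mode alone makes this a trust agent
      [ "$server_mode" = true ] && echo trust-agent || echo plain-master ;;
  esac
}

# Constructed sample sssd.conf for a stand-alone run
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_server_mode = True
EOF
ipa_master_role "$SAMPLE_CONF" "sssd.service smb.service winbind.service"  # trust-controller
ipa_master_role "$SAMPLE_CONF" "sssd.service"                              # trust-agent
```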

Comment 1 Martin Kosek 2015-07-08 06:32:53 UTC
Fixed upstream:

master:
2dd5b46d257eb03188fcfb21997e9348bc0e3f4d trust: support retrieving POSIX IDs with one-way trust during trust-add
5025204175fad221a74befa7dc52087fcd0751c6 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
a9570e8ea347c3e5cb4c1489e70828bd00077a22 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
d5aa1ee04e2e4923f42bccd60d51f063df144a0b trusts: add support for one-way trust and switch to it by default
14992a07fc7ea6bb5c028e5fefaf7394af00a555 ipa-adtrust-install: allow configuring of trust agents
aa21600822543a3a07a3d808bc6085d4088fa5e6 ipa-sidgen: reduce log level to normal if domain SID is not available
47e1de760413e5354f704fc808d960490d80338c trusts: pass AD DC hostname if specified explicitly
03c2d76186534081400846f4141fbbef8e41ae83 ipa-adtrust-install: add IPA master host principal to adtrust agents
785f6593caf1817b84332397ca19752d3cf50c25 add one-way trust support to ipasam

Comment 3 Varun Mylaraiah 2015-09-18 10:17:08 UTC
RFE verified.

ipa-server.x86_64 0:4.2.0-4.el7

RFE tested with the below scenarios:
TC_01: Add trust on IPA server with existing replica with --add-agents option_Bz#1252414
TC_02: Add trust on IPA server with existing replica without --add-agents option
TC_03: With 2 replica servers, add 1 replica as a trust agent
TC_04: Re-establish trust on trust agent replica.
TC_05: List and remove trust agents_bug#1250162
TC_06: Install trust packages on a replica not added as trust agent

Comment 4 Alexander Bokovoy 2015-11-04 04:17:32 UTC
Modified the doc text.

Comment 7 errata-xmlrpc 2015-11-19 12:03:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

