Bug 1249455 - ipa trust-add failed CIFS server configuration does not allow access to \\pipe\lsarpc
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: TestBlocker
Depends On:
Blocks:
Reported: 2015-08-02 23:25 EDT by Scott Poore
Modified: 2016-05-02 04:08 EDT (History)
CC List: 8 users

See Also:
Fixed In Version: ipa-4.2.0-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 07:04:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
debug logs for samba and httpd error_log (41.56 KB, application/x-gzip)
2015-08-03 13:29 EDT, Scott Poore

Description Scott Poore 2015-08-02 23:25:56 EDT
Description of problem:

I'm seeing failures on ipa trust-add.

ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64
samba-4.2.3-4.el7.x86_64


How reproducible:
always (at least in test 

Steps to Reproduce:
1.  Setup IPA server
2.  Configure DNS resolution between IPA and AD server.  For test purposes, this means setup forwarders on IPA to AD and on AD to IPA.
3.  ipa-adtrust-install
4.  ipa trust-add

Actual results:

Fails with error above.

Expected results:

Adds trust

Additional info:

http error:

[Sun Aug 02 18:41:23.236780 2015] [:error] [pid 27312] ipa: INFO: [jsonserver_kerb] admin@SPOORE1.TEST: trust_add(u'adtest.qe', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.147'): RemoteRetrieveError
Comment 3 Alexander Bokovoy 2015-08-03 02:04:22 EDT
I need samba logs -- set 'log level = 100' in /usr/share/ipa/smb.conf.empty and with 'net conf setparm global "log level" 100' before running the tests, then provide /var/log/samba/* and /var/log/httpd/error_log.
Comment 4 Tomas Babej 2015-08-03 06:32:32 EDT
Additionally, please try if restarting IPA with 'ipactl restart' before establishing the trust does not resolve the issue.
Comment 5 Lukas Slebodnik 2015-08-03 07:50:18 EDT
'ipactl restart' is an expensive operation. It takes a long time to restart some services. It might be a good workaround, but it should be fixed in a different way.
Comment 6 Scott Poore 2015-08-03 08:33:17 EDT
FYI, I have tried adding ipactl restart after the ipa-adtrust-install.  This didn't seem to change the outcome.  I'm rerunning tests and capturing logs now.  Will post soon.
Comment 7 Scott Poore 2015-08-03 13:29:02 EDT
Created attachment 1058815 [details]
debug logs for samba and httpd error_log
Comment 8 Alexander Bokovoy 2015-08-04 10:48:16 EDT
After looking at this with Andreas and Guenther, I think we need to change binding strings to use the following scheme:

ncacn_np:host[print] -- for SMB1
ncacn_np:host[smb2,print] -- for SMB2

Using ncacn_ip_tcp is probably not worth it as Samba's client side will try to uppercase 'host' value (cifs/foo.bar.z -> cifs/FOO.BAR.Z) and that one will fail against FreeIPA KDC.
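The binding-string scheme and the principal-case problem described in comment 8, modelled as an added example (this is not FreeIPA or Samba code). It assumes Samba's PROTSEQ:HOST[OPTIONS] binding-string grammar, takes the upper-casing of the host on ncacn_ip_tcp purely from what comment 8 states rather than from any Samba API, and uses a constructed set of KDC principals for host foo.bar.z:

```python
"""Added example, not FreeIPA or Samba code: parse the DCE/RPC binding
strings from comment 8 and predict the cifs/ service principal the client
would request from the KDC.

Assumptions (nothing here comes from the page beyond comment 8):
  * binding strings follow Samba's PROTSEQ:HOST[OPT,...] grammar;
  * for ncacn_ip_tcp the client upper-cases the host part of the SPN,
    as comment 8 describes (cifs/foo.bar.z -> cifs/FOO.BAR.Z);
  * the KDC principal set used in __main__ is constructed sample data.
"""
import re
from dataclasses import dataclass, field

# PROTSEQ:HOST[OPT,OPT,...]; the bracketed option list is optional.
BINDING_RE = re.compile(
    r"^(?P<protseq>[a-z_]+):(?P<host>[^\[\]\s]+)(?:\[(?P<opts>[^\]]*)\])?$"
)


@dataclass
class Binding:
    protseq: str
    host: str
    options: list = field(default_factory=list)

    def __str__(self) -> str:
        opts = f"[{','.join(self.options)}]" if self.options else ""
        return f"{self.protseq}:{self.host}{opts}"


def parse_binding(text: str) -> Binding:
    """Split a binding string into transport, host and option list."""
    m = BINDING_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a binding string: {text!r}")
    raw_opts = m.group("opts") or ""
    options = [o.strip() for o in raw_opts.split(",") if o.strip()]
    return Binding(m.group("protseq"), m.group("host"), options)


def named_pipe_binding(host: str, smb2: bool = True) -> Binding:
    """Binding for the lsarpc named pipe, following the scheme in comment 8:
    ncacn_np:host[print] for SMB1, ncacn_np:host[smb2,print] for SMB2."""
    return Binding("ncacn_np", host, ["smb2", "print"] if smb2 else ["print"])


def expected_cifs_principal(binding: Binding) -> str:
    """SPN the client will ask the KDC for. The upper-casing on the TCP
    transport is an assumption modelled on comment 8, not a Samba API."""
    host = binding.host.upper() if binding.protseq == "ncacn_ip_tcp" else binding.host
    return f"cifs/{host}"


def check_against_kdc(binding: Binding, kdc_principals) -> tuple:
    """Return (requested SPN, whether the KDC holds exactly that principal).
    Kerberos principal names are case-sensitive, so only an exact match counts."""
    spn = expected_cifs_principal(binding)
    return spn, spn in set(kdc_principals)


if __name__ == "__main__":
    # Constructed sample: principals FreeIPA would have registered for foo.bar.z.
    ipa_kdc = {"host/foo.bar.z", "cifs/foo.bar.z", "ldap/foo.bar.z"}
    for b in (named_pipe_binding("foo.bar.z"),
              named_pipe_binding("foo.bar.z", smb2=False),
              parse_binding("ncacn_ip_tcp:foo.bar.z")):
        spn, ok = check_against_kdc(b, ipa_kdc)
        print(f"{b!s:36} -> {spn:18} {'OK' if ok else 'NOT IN KDC'}")
```

Running the module shows the two ncacn_np bindings resolving to the lower-case cifs/foo.bar.z principal the KDC holds, while the ncacn_ip_tcp binding asks for cifs/FOO.BAR.Z and fails the exact-match check, which is the failure mode comment 8 gives for not using the TCP transport.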
Comment 9 Martin Kosek 2015-08-06 07:41:46 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5183
Comment 12 Scott Poore 2015-08-12 09:25:45 EDT
Verified.

Version ::
ipa-server-4.2.0-4.el7.x86_64


Results ::

:: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password'
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
:: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add adtest.qe --admin Administrator --password' (Expected 0, got 0)
Comment 13 errata-xmlrpc 2015-11-19 07:04:52 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
Comment 14 matrix 2016-05-01 04:36:06 EDT
Hi,

I got the same error with 

ipa-server-4.2.0-15.el7.x86_64
samba-4.2.3-12.el7_2.x86_64

[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: [jsonserver_session] admin@DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: [jsonserver_session] admin@DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

Please help to double-confirm that it has been fixed.
Comment 15 Petr Vobornik 2016-05-01 13:25:27 EDT
RemoteRetrieveError is a relatively general error. It might have a different root cause, see comment 3. If there is an issue I'd suggest opening a new BZ; this one won't be reopened.
Comment 16 Alexander Bokovoy 2016-05-01 14:51:45 EDT
According to the logs Matrix sent me, IPv6 is disabled at the kernel level. This is an unsupported configuration, as both FreeIPA and Samba require IPv6 support enabled. For more details see http://www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
Comment 17 Lukas Slebodnik 2016-05-02 04:08:02 EDT
(In reply to Alexander Bokovoy from comment #16)
> According to the logs Matrix sent me, IPv6 is disabled at the kernel level.
> This is unsupported configuration, as both FreeIPA and Samba require IPv6
> support enabled. For more details see
> http://www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage

It's very good that it's documented, but it might be even better to log a warning
if IPv6 is disabled.
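The pre-flight warning that comment 17 asks for, written out as an added example (not FreeIPA code). It reads the standard Linux locations /proc/sys/net/ipv6/conf/all/disable_ipv6 and /proc/cmdline; the decision logic is kept in a separate function so it can be exercised on constructed inputs, and the file paths can be overridden for the same reason:

```python
"""Added example, not FreeIPA code: the IPv6 pre-flight warning that
comment 17 suggests, checking the kernel-level state that comment 16 found
disabled. Paths are the standard Linux procfs/sysctl locations."""
import re
import sys

DISABLE_IPV6_SYSCTL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"
KERNEL_CMDLINE = "/proc/cmdline"


def classify_ipv6(sysctl_value, cmdline):
    """Decide whether the IPv6 stack is usable.

    sysctl_value: content of disable_ipv6, or None when the file is absent
                  (booting with ipv6.disable=1 removes the whole
                  /proc/sys/net/ipv6 tree, so absence is itself a signal).
    cmdline:      the kernel command line, used to explain the absence.
    Returns (enabled, reason)."""
    if sysctl_value is None:
        if re.search(r"(^|\s)ipv6\.disable=1(\s|$)", cmdline):
            return False, "IPv6 disabled with ipv6.disable=1 on the kernel command line"
        return False, "no IPv6 sysctl tree present (module not loaded or kernel built without IPv6)"
    value = sysctl_value.strip()
    if value != "0":
        return False, f"net.ipv6.conf.all.disable_ipv6 = {value}"
    return True, "IPv6 enabled"


def _read(path):
    """Return the file content, or None when it cannot be read."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def ipv6_kernel_state(sysctl_path=DISABLE_IPV6_SYSCTL, cmdline_path=KERNEL_CMDLINE):
    """Apply classify_ipv6 to the live system (or to alternative paths)."""
    return classify_ipv6(_read(sysctl_path), _read(cmdline_path) or "")


if __name__ == "__main__":
    enabled, reason = ipv6_kernel_state()
    if enabled:
        print(f"OK: {reason}")
    else:
        # The warning comment 17 asks for, emitted before ipa-adtrust-install
        # or ipa trust-add is attempted.
        print(f"WARNING: {reason}; FreeIPA and Samba require the IPv6 stack "
              f"enabled (see the Active_Directory_trust_setup page linked in comment 16)",
              file=sys.stderr)
        sys.exit(1)
```

Treating a missing sysctl file as "disabled" rather than "unknown" matters: with ipv6.disable=1 on the command line there is no net.ipv6 tree at all to query, so a check that only reads the sysctl value would silently pass.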
