Red Hat Bugzilla – Bug 1252414
Trust agent install does not detect available replicas to add to master
Last modified: 2015-11-19 07:05:13 EST
Description of problem:
"ipa-adtrust-install --add-agents" command fails to identify the available replicas (installed replicas) to be added to the master.
Discussed with Ab about this behavior via email. Please find below his response and possible fix to address this issue.
Ab's response (root cause analysis):
The AD Trust agents feature requires RHEL7.2 masters for the agents' side. We cannot enable older masters as they wouldn't have proper SSSD and proper IPA to work in such mode. To do filtration of the older/newer masters, we rely on the following filter:
e.g. these should be masters whose records have the object class for the topology plugin and are configured to serve the topology plugin. If only the objectclass is there, it might simply be a replica that got the configuration but no actual code from FreeIPA 4.2.
What has happened with IPA in RHEL7.2 is that we decided not to enable the topology plugin until its functionality is complete. As a result, the filter above is not giving any output because all replicas now have ipaMaxDomainLevel equal to 0:
# replica1.btestrelm.test, masters, ipa, etc, btestrelm.test
We need to find out any other way to differentiate between new and old
replicas and change the filter accordingly.
Ab's Proposed Idea to fix the issue:
We need to get a list of those IPA replicas which run IPA 4.2, unrelated to whether they were configured with ipa-adtrust-install or not. We need to know reliably that a master was upgraded to 4.2.
That said, we add ipaMinDomainLevel/ipaMaxDomainLevel in 72-domainlevels.update
which means you have to update your replica to actually receive these
values in your replica's entry. We could simply change the filter to
make sure that both attributes exist and don't care about the value.
I tried to change the filter in ipa-adtrust-install to
and it detected there are three replicas to add agents on.
"ipa-adtrust-install --add-agents" command now identifies the available replicas.
[root@master1 ~]# ipa-adtrust-install --add-agents
The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the IPA Server.
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: y
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
[1/22]: stopping smbd
[2/22]: creating samba domain object
Samba domain object already exists
[3/22]: creating samba config registry
[4/22]: writing samba config file
[5/22]: adding cifs Kerberos principal
[6/22]: adding cifs and host Kerberos principals to the adtrust agents group
[7/22]: check for cifs services defined on other replicas
[8/22]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
[9/22]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[10/22]: adding RID bases
RID bases already set, nothing to do
[11/22]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[12/22]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
[13/22]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[14/22]: configuring smbd to start on boot
[15/22]: adding special DNS service records
[16/22]: enabling trusted domains support for older clients via Schema Compatibility plugin
[17/22]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[18/22]: adding fallback group
Fallback group already set, nothing to do
[19/22]: adding Default Trust View
Default Trust View already exists.
[20/22]: setting SELinux booleans
[21/22]: enabling oddjobd
[22/22]: starting CIFS services
Done configuring CIFS.
WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests.
Installer can add them to the list of IPA masters allowed to access infromation about trusts.
If you choose to do so, you also need to restart LDAP service on those masters.
Refer to ipa-adtrust-install(1) man page for details.
Do you want to allow following IPA masters to serve information about users from trusted forests?
IPA master [replica2.btestrelm.test]? [no]:
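Added example, not code from the bug report or from FreeIPA: a minimal matcher for a subset of RFC 4515 LDAP filters, run over constructed cn=masters entries, to show the difference between a filter that tests the value of ipaMaxDomainLevel (which matches nothing while every master reports 0) and Ab's presence-only filter on both domain-level attributes (which selects exactly the masters that received 72-domainlevels.update). The exact form of the original filter is not on the page, so OLD_FILTER, the hostnames and the entry contents are assumptions.

```python
# Added example, not code from the bug report or from FreeIPA: a tiny RFC 4515
# filter matcher showing why a value-based filter finds no agents when every
# master reports ipaMaxDomainLevel=0, while a presence-only filter on both
# domain-level attributes selects exactly the masters that received
# 72-domainlevels.update. OLD_FILTER's form is an assumption (not on the page).
import re

_TERM = re.compile(r"\((?P<attr>[\w-]+)(?P<op>>=|=)(?P<val>[^()]*)\)")

def _parse(f, pos=0):
    """Parse one filter component at f[pos]; return (node, position after it)."""
    if f[pos + 1] in "&|":                      # (&...) / (|...)
        op, pos, kids = f[pos + 1], pos + 2, []
        while f[pos] != ")":
            kid, pos = _parse(f, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    m = _TERM.match(f, pos)
    if not m:
        raise ValueError("unsupported filter syntax: " + f[pos:])
    return ("term", m.group("attr").lower(), m.group("op"), m.group("val")), m.end()

def _match(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_match(k, entry) for k in node[1])
    _, attr, op, val = node
    values = entry.get(attr)
    if values is None:
        return False                            # absent attribute never matches
    if op == "=":
        return val == "*" or val in values      # presence test or equality
    return any(int(v) >= int(val) for v in values)   # ">=" on integer syntax

def select_masters(filter_str, masters):
    """Return the sorted FQDNs of masters whose entry matches filter_str."""
    node, _ = _parse(filter_str)
    return sorted(fqdn for fqdn, e in masters.items() if _match(node, e))

# Constructed cn=masters entries (attribute names lower-cased, values as strings):
# replica1/replica2 were upgraded to 4.2 and got the domain-level attributes,
# both still 0 because the topology plugin is not enabled; replica3 is older.
MASTERS = {
    "replica1.example.test": {"ipamindomainlevel": ["0"], "ipamaxdomainlevel": ["0"]},
    "replica2.example.test": {"ipamindomainlevel": ["0"], "ipamaxdomainlevel": ["0"]},
    "replica3.example.test": {},
}
OLD_FILTER = "(ipaMaxDomainLevel>=1)"                          # assumed old form
NEW_FILTER = "(&(ipaMinDomainLevel=*)(ipaMaxDomainLevel=*))"   # Ab's proposal
```

Calling select_masters(OLD_FILTER, MASTERS) returns an empty list, while select_masters(NEW_FILTER, MASTERS) returns the two upgraded replicas and skips the older one that never received the attributes.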
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.