Bug 1259020 - ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash character)
ipa-server-adtrust-install doesn't allow NetBIOS-name=EXAMPLE-TEST.COM (dash...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.1
x86_64 Linux
unspecified Severity medium
: rc
: 7.3
Assigned To: IPA Maintainers
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-01 14:53 EDT by JohnH4663
Modified: 2016-11-04 01:46 EDT (History)
12 users (show)

See Also:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 01:46:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 09:56:18 EDT

  None (edit)
Description JohnH4663 2015-09-01 14:53:26 EDT
Description of problem:  ipa-adtrust-install  doesn't allow NetBIOS name to have '-' ( dash ) character, only uppercase characters (DNS allows for '-' char)
  Please See the Microsoft url

https://support.microsoft.com/en-us/kb/188997

Version-Release number of selected component (if applicable):

# rpm -qif /sbin/ipa-adtrust-install
Name        : ipa-server-trust-ad
Version     : 4.1.0
Release     : 18.el7_1.3
Architecture: x86_64
Install Date: Tue 18 Aug 2015 04:44:42 PM MDT
Group       : System Environment/Base
Size        : 382010
License     : GPLv3+
Signature   : RSA/SHA256, Mon 23 Mar 2015 12:30:54 PM MDT, Key ID 199e2f91fd431d51
Source RPM  : ipa-4.1.0-18.el7_1.3.src.rpm
Build Date  : Thu 19 Mar 2015 12:44:00 PM MDT
Build Host  : x86-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : Virtual package to install packages required for Active Directory trusts



How reproducible:


Steps to Reproduce:
1. create domain called example-test.com (or add to local hosts file)
2. ipa-server 
3.

Actual results:
# ipa-adtrust-install --netbios-name=EXAMPLE-TEST.COM -a xxxxxx

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]:

There was error to automatically re-kinit your admin user ticket.
Proceeding with credentials that existed before

Illegal NetBIOS name [EXAMPLE-TEST.COM].

Up to 15 characters and only uppercase ASCII letter and digits are allowed.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.



Expected results:


Additional info:
  Please See the Microsoft url

https://support.microsoft.com/en-us/kb/188997
Comment 1 JohnH4663 2015-09-01 14:57:54 EDT
Sorry the command is 

 ipa-server-install

Here is the rest of the ipa software
# rpm -qa |grep  'ipa-'
ipa-server-trust-ad-4.1.0-18.el7_1.3.x86_64
ipa-python-4.1.0-18.el7_1.3.x86_64
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
ipa-server-4.1.0-18.el7_1.3.x86_64
ipa-admintools-4.1.0-18.el7_1.3.x86_64
sssd-ipa-1.12.2-58.el7.x86_64
ipa-client-4.1.0-18.el7_1.3.x86_64
Comment 2 Noriko Hosoi 2015-09-03 19:52:02 EDT
Does not look like an issue in the Directory Server.  Changing the component to IPA...
Comment 4 Tomas Babej 2015-09-04 05:38:47 EDT
Currently, we allow only uppercase characters and digits. Sumit, is there a technical reason not to support the full set as per https://support.microsoft.com/en-us/kb/188997 ?
Comment 5 Petr Vobornik 2015-09-04 05:43:03 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5286
Comment 6 Sumit Bose 2015-09-04 05:57:33 EDT
No, there is no reason, I guess I didn't found this document when I was searching for a list of valid characters and used a too strict set. Please note that some of the special characters might not be allowed as first or last characters of a NetBIOS name.
Comment 7 Alexander Bokovoy 2015-09-08 09:11:00 EDT
The document is for Windows NT, not Active Directory. I have not found a newer reference and I'm intending to ask Microsoft documentation team for a clarification.
Comment 10 Silvio Wanka 2016-02-08 10:38:46 EST
Then take this https://support.microsoft.com/en-us/kb/909264
Comment 11 Silvio Wanka 2016-02-08 10:47:49 EST
BTW, this makes additional problems see Bug 1305533.
And if I check my configuration of the IdM server:

# hostname -s
dedcs1-idm02
# net registry enumerate_recursive 'HKLM\Software\Samba\smbconf'| sed -n '/netbios/,/Value/p'
Valuename  = netbios name
Type       = REG_SZ
Value      = "DEDCS1IDM02"

The dash is removed, why?
Comment 12 Silvio Wanka 2016-02-19 09:38:17 EST
At least a dash must be allowed and this can be solved very simple:

--- /usr/lib/python2.7/site-packages/ipaserver/install/adtrustinstance.py.orig  2015-07-09 10:57:36.000000000 +0200
+++ /usr/lib/python2.7/site-packages/ipaserver/install/adtrustinstance.py       2016-02-09 12:56:30.394308457 +0100
@@ -44,7 +44,7 @@
 from ipaplatform.tasks import tasks


-ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
+ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'

 UPGRADE_ERROR = """
 Entry %(dn)s does not exist.
Comment 13 Petr Vobornik 2016-03-02 08:06:15 EST
Fixed upstream:

ipa-4-2: 657838462c4b0ce5be2cee584b3be112aca6c660
ipa-4-3: 1496fb779d72fb590376df23e39206938fe8dad2
master: b41fbceeafea126f8e014da5d3596138c6cf0feb
Comment 15 Mike McCune 2016-03-28 18:43:24 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 17 Sudhir Menon 2016-09-15 06:52:22 EDT
Fix is seen. Verified on RHEL73 using
ipa-server-trust-ad-4.4.0-11.el7.x86_64
ipa-server-4.4.0-11.el7.x86_64

Note:
ipa-adtrust-install allows - in the NetBIOS name.
. is not allowed e.g TEST-RELM.TEST

[root@master db]# ipa-adtrust-install --netbios-name=TEST-RELM         
 
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
 
This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server
 
To accept the default shown in brackets, press the Enter key.
 
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
 
Enable trusted domains support in slapi-nis? [no]:
 
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
 
admin password:
WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.
Do you want to run the ipa-sidgen task? [no]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
  [1/21]: stopping smbd
  [2/21]: creating samba domain object
  [3/21]: creating samba config registry
  [4/21]: writing samba config file
  [5/21]: adding cifs Kerberos principal
  [6/21]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/21]: check for cifs services defined on other replicas
  [8/21]: adding cifs principal to S4U2Proxy targets
  [9/21]: adding admin(group) SIDs
  [10/21]: adding RID bases
  [11/21]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/21]: activating CLDAP plugin
  [13/21]: activating sidgen task
  [14/21]: configuring smbd to start on boot
  [15/21]: adding special DNS service records
  [16/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [17/21]: adding fallback group
  [18/21]: adding Default Trust View
  [19/21]: setting SELinux booleans
  [20/21]: starting CIFS services
  [21/21]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
Comment 19 errata-xmlrpc 2016-11-04 01:46:27 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.