Bug 1449133 - Update samba config file and use sss idmap module
Summary: Update samba config file and use sss idmap module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.1
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
: 1699787 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-09 09:31 UTC by Sudhir Menon
Modified: 2020-03-10 17:19 UTC (History)
12 users (show)

Fixed In Version: ipa-4.8.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 20:52:26 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3348 None None None 2019-11-05 20:52:52 UTC

Description Sudhir Menon 2017-05-09 09:31:14 UTC
Description of problem: Update samba config file and use sss idmap module


Version-Release number of selected component (if applicable):
samba-4.6.2-1.el7.x86_64
samba-python-4.6.2-1.el7.x86_64
samba-common-4.6.2-1.el7.noarch
samba-client-4.6.2-1.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
ipa-server-trust-ad-4.5.0-9.el7.x86_64
samba-winbind-modules-4.6.2-1.el7.x86_64
samba-winbind-4.6.2-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install IPA Server.
2. ipa-adtrust-install -a Secret123 --add-sids -U
3. Run testparm

Actual results:
[root@master ~]# ipa-adtrust-install -a Secret123 --add-sids -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
     
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
     
To accept the default shown in brackets, press the Enter key.
     
Configuring CIFS
   [1/23]: validate server hostname
   [2/23]: stopping smbd
   [3/23]: creating samba domain object
   [4/23]: creating samba config registry
   [5/23]: writing samba config file
   [6/23]: adding cifs Kerberos principal
   [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
   [8/23]: check for cifs services defined on other replicas
   [9/23]: adding cifs principal to S4U2Proxy targets
   [10/23]: adding admin(group) SIDs
   [11/23]: adding RID bases
   [12/23]: updating Kerberos config 
   'dns_lookup_kdc' already set to 'true', nothing to do.
   [13/23]: activating CLDAP plugin
   [14/23]: activating sidgen task
   [15/23]: configuring smbd to start on boot
   [16/23]: adding special DNS service records
   [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
   [18/23]: adding fallback group
   [19/23]: adding Default Trust View
   [20/23]: setting SELinux booleans
   [21/23]: starting CIFS services
   [22/23]: adding SIDs to existing users and groups
    This step may take considerable amount of time, please wait..
   [23/23]: restarting smbd
    Done configuring CIFS.
    
=======================================================
Setup complete
     
You must make sure these network ports are open:
            TCP Ports:
              * 135: epmap
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 445: microsoft-ds
              * 1024..1300: epmap listener range
              * 3268: msft-gc
            UDP Ports:
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 389: (C)LDAP
              * 445: microsoft-ds
     
See the ipa-adtrust-install(1) man page for more details
     
=============================================================================
 
    [root@master ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    lp_load_ex: changing to config backend registry
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Loaded services file OK.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!
     
    Server role: ROLE_DOMAIN_PDC
     
    Press enter to see a dump of your service definitions
     
    # Global parameters
    [global]
            realm = TESTRELM.TEST
            workgroup = TESTRELM
            domain master = Yes
            ldap group suffix = cn=groups,cn=accounts
            ldap machine suffix = cn=computers,cn=accounts
            ldap ssl = no
            ldap suffix = dc=testrelm,dc=test
            ldap user suffix = cn=users,cn=accounts
            log file = /var/log/samba/log.%m
            max log size = 100000
            domain logons = Yes
            registry shares = Yes
            disable spoolss = Yes
            dedicated keytab file = /etc/samba/samba.keytab
            kerberos method = dedicated keytab
            passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
            security = USER
            create krb5 conf = No
            rpc_daemon:lsasd = fork
            rpc_daemon:epmd = fork
            rpc_server:tcpip = yes
            rpc_server:netlogon = external
            rpc_server:samr = external
            rpc_server:lsasd = external
            rpc_server:lsass = external
            rpc_server:lsarpc = external
            rpc_server:epmapper = external
            ldapsam:trusted = yes
            idmap config * : backend = tdb



Expected results: Fix the below messages displayed in testparm command.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!

Additional info:

Comment 4 Petr Vobornik 2017-05-15 15:19:21 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6951

Comment 6 Alexander Bokovoy 2019-04-24 10:05:50 UTC
Another change to do is to add explicitly

  max smbd processes = 1000

to mitigate against SMBLoris attack. Right now we have   

max smbd processes = 0

as a default in Samba.

Comment 8 Kaleem 2019-04-24 10:11:44 UTC
Sudhir,

Is this from adtrust automated regression test suite? if yes, please share the test case location from ipa-tests repo. It will help to verify the the bugzilla

Comment 9 Oliver Falk 2019-04-24 10:39:22 UTC
*** Bug 1699787 has been marked as a duplicate of this bug. ***

Comment 16 anuja 2019-08-19 08:30:29 UTC
Verified Using Version :
ipa-server-4.8.0-8.module+el8.1.0+3977+ec23ef34.x86_64

Console log :

[root@ipaqavmd ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Trust is configured but no NetBIOS domain name found, setting it now.
Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
  [12/25]: adding RID bases
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/25]: adding fallback group
  [21/25]: adding Default Trust View
  [22/25]: setting SELinux booleans
  [23/25]: starting CIFS services
  [24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

[root@ipaqavmd ~]#  testparm
lp_load_ex: changing to config backend registry
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

# Global parameters
[global]
	create krb5 conf = No
	dedicated keytab file = /etc/samba/samba.keytab
	disable spoolss = Yes
	domain logons = Yes
	domain master = Yes
	kerberos method = dedicated keytab
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = no
	ldap suffix = dc=testrelm,dc=test
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log.%m
	max log size = 100000
	max smbd processes = 1000
	passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
	realm = TESTRELM.TEST
	registry shares = Yes
	security = USER
	workgroup = TESTRELM
	idmap config testrelm : range = 346000000 - 346200000
	idmap config testrelm : backend = sss
	idmap config * : range = 0 - 0
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb

In testparm output per description there is no error like :
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *! 
 
Based on this marking bz as verified.

Comment 18 errata-xmlrpc 2019-11-05 20:52:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348

Comment 19 Florence Blanc-Renaud 2020-03-05 13:50:46 UTC
Test case upstream
master:
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The commit adds a test in  ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall


Note You need to log in before you can comment on or make changes to this bug.