RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1449133 - Update samba config file and use sss idmap module
Summary: Update samba config file and use sss idmap module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.1
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
: 1699787 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-09 09:31 UTC by Sudhir Menon
Modified: 2021-09-09 12:17 UTC (History)
12 users (show)

Fixed In Version: ipa-4.8.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 20:52:26 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3348 0 None None None 2019-11-05 20:52:52 UTC

Description Sudhir Menon 2017-05-09 09:31:14 UTC 
Description of problem: Update samba config file and use sss idmap module


Version-Release number of selected component (if applicable):
samba-4.6.2-1.el7.x86_64
samba-python-4.6.2-1.el7.x86_64
samba-common-4.6.2-1.el7.noarch
samba-client-4.6.2-1.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
ipa-server-trust-ad-4.5.0-9.el7.x86_64
samba-winbind-modules-4.6.2-1.el7.x86_64
samba-winbind-4.6.2-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install IPA Server.
2. ipa-adtrust-install -a Secret123 --add-sids -U
3. Run testparm

Actual results:
[root@master ~]# ipa-adtrust-install -a Secret123 --add-sids -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
     
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
     
To accept the default shown in brackets, press the Enter key.
     
Configuring CIFS
   [1/23]: validate server hostname
   [2/23]: stopping smbd
   [3/23]: creating samba domain object
   [4/23]: creating samba config registry
   [5/23]: writing samba config file
   [6/23]: adding cifs Kerberos principal
   [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
   [8/23]: check for cifs services defined on other replicas
   [9/23]: adding cifs principal to S4U2Proxy targets
   [10/23]: adding admin(group) SIDs
   [11/23]: adding RID bases
   [12/23]: updating Kerberos config 
   'dns_lookup_kdc' already set to 'true', nothing to do.
   [13/23]: activating CLDAP plugin
   [14/23]: activating sidgen task
   [15/23]: configuring smbd to start on boot
   [16/23]: adding special DNS service records
   [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
   [18/23]: adding fallback group
   [19/23]: adding Default Trust View
   [20/23]: setting SELinux booleans
   [21/23]: starting CIFS services
   [22/23]: adding SIDs to existing users and groups
    This step may take considerable amount of time, please wait..
   [23/23]: restarting smbd
    Done configuring CIFS.
    
=======================================================
Setup complete
     
You must make sure these network ports are open:
            TCP Ports:
              * 135: epmap
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 445: microsoft-ds
              * 1024..1300: epmap listener range
              * 3268: msft-gc
            UDP Ports:
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 389: (C)LDAP
              * 445: microsoft-ds
     
See the ipa-adtrust-install(1) man page for more details
     
=============================================================================
 
    [root@master ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    lp_load_ex: changing to config backend registry
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Loaded services file OK.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!
     
    Server role: ROLE_DOMAIN_PDC
     
    Press enter to see a dump of your service definitions
     
    # Global parameters
    [global]
            realm = TESTRELM.TEST
            workgroup = TESTRELM
            domain master = Yes
            ldap group suffix = cn=groups,cn=accounts
            ldap machine suffix = cn=computers,cn=accounts
            ldap ssl = no
            ldap suffix = dc=testrelm,dc=test
            ldap user suffix = cn=users,cn=accounts
            log file = /var/log/samba/log.%m
            max log size = 100000
            domain logons = Yes
            registry shares = Yes
            disable spoolss = Yes
            dedicated keytab file = /etc/samba/samba.keytab
            kerberos method = dedicated keytab
            passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
            security = USER
            create krb5 conf = No
            rpc_daemon:lsasd = fork
            rpc_daemon:epmd = fork
            rpc_server:tcpip = yes
            rpc_server:netlogon = external
            rpc_server:samr = external
            rpc_server:lsasd = external
            rpc_server:lsass = external
            rpc_server:lsarpc = external
            rpc_server:epmapper = external
            ldapsam:trusted = yes
            idmap config * : backend = tdb



Expected results: Fix the below messages displayed in testparm command.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!

Additional info:
Comment 4 Petr Vobornik 2017-05-15 15:19:21 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6951
Comment 6 Alexander Bokovoy 2019-04-24 10:05:50 UTC 
Another change to do is to add explicitly

  max smbd processes = 1000

to mitigate against SMBLoris attack. Right now we have   

max smbd processes = 0

as a default in Samba.
Comment 8 Kaleem 2019-04-24 10:11:44 UTC 
Sudhir,

Is this from adtrust automated regression test suite? if yes, please share the test case location from ipa-tests repo. It will help to verify the the bugzilla
Comment 9 Oliver Falk 2019-04-24 10:39:22 UTC 
*** Bug 1699787 has been marked as a duplicate of this bug. ***
Comment 11 Rob Crittenden 2019-04-24 19:49:14 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/4ba888694bc31972740d52322a6b11006adaddc1
https://pagure.io/freeipa/c/b2c5691e73b7f6f38abed727a23b904290fc64cc
Comment 12 Christian Heimes 2019-04-25 06:48:25 UTC 
Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/fad7cad4d2a478c2519e78f8208ed464d336d620
https://pagure.io/freeipa/c/b530dad445237bed83b9d5e317fddb7841825f24
Comment 16 anuja 2019-08-19 08:30:29 UTC 
Verified Using Version :
ipa-server-4.8.0-8.module+el8.1.0+3977+ec23ef34.x86_64

Console log :

[root@ipaqavmd ~]# ipa-adtrust-install -a Secret123 --add-sids -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Trust is configured but no NetBIOS domain name found, setting it now.
Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
  [12/25]: adding RID bases
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/25]: adding fallback group
  [21/25]: adding Default Trust View
  [22/25]: setting SELinux booleans
  [23/25]: starting CIFS services
  [24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

[root@ipaqavmd ~]#  testparm
lp_load_ex: changing to config backend registry
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

# Global parameters
[global]
	create krb5 conf = No
	dedicated keytab file = /etc/samba/samba.keytab
	disable spoolss = Yes
	domain logons = Yes
	domain master = Yes
	kerberos method = dedicated keytab
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	ldap ssl = no
	ldap suffix = dc=testrelm,dc=test
	ldap user suffix = cn=users,cn=accounts
	log file = /var/log/samba/log.%m
	max log size = 100000
	max smbd processes = 1000
	passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
	realm = TESTRELM.TEST
	registry shares = Yes
	security = USER
	workgroup = TESTRELM
	idmap config testrelm : range = 346000000 - 346200000
	idmap config testrelm : backend = sss
	idmap config * : range = 0 - 0
	rpc_daemon:lsasd = fork
	rpc_daemon:epmd = fork
	rpc_server:tcpip = yes
	rpc_server:netlogon = external
	rpc_server:samr = external
	rpc_server:lsasd = external
	rpc_server:lsass = external
	rpc_server:lsarpc = external
	rpc_server:epmapper = external
	ldapsam:trusted = yes
	idmap config * : backend = tdb

In testparm output per description there is no error like :
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *! 
 
Based on this marking bz as verified.
Comment 18 errata-xmlrpc 2019-11-05 20:52:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348
Comment 19 Florence Blanc-Renaud 2020-03-05 13:50:46 UTC 
Test case upstream
master:
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The commit adds a test in  ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall
Comment 20 Florence Blanc-Renaud 2020-03-10 17:19:03 UTC 
Test upstream:
ipa-4-8:
https://pagure.io/freeipa/c/4afd6e5e07061dde6e30b5352668bdf23cd6dedd

ipa-4-7:
https://pagure.io/freeipa/c/59b09f154b9d85d937da64d6fe271d09c5b61bc1

ipa-4-6:
https://pagure.io/freeipa/c/796c86ac701d23d1dd281d0d5c5331b9a66c2888
Note You need to log in before you can comment on or make changes to this bug.