Bug 1638545
| Summary: | ipa-advise command points to old URLs. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Gaurav Swami <gswami> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.5 | CC: | cheimes, dpal, frenaud, ipa-qe, kludhwan, ndehadra, pvoborni, rcritten, ssidhaye, tscherf | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.6.5-1.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1658287 (view as bug list) | Environment: | ||
| Last Closed: | 2019-08-06 13:09:16 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1658287 | |||
|
Description
Gaurav Swami
2018-10-11 21:08:57 UTC
Steps to Reproduce:
1. Run ipa-advise command.

---------
```
[root@rhel7-ipa-1 ~]# ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
trying https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"

# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.

# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ; chmod 755 ./cacertdir_rehash ; ./cacertdir_rehash /etc/openldap/cacerts/ ; else cacertdir_rehash /etc/openldap/cacerts/ ; fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://rhel7-ipa-1.gsslab.pnq.redhat.com
ldap_search_base = cn=compat,dc=gsslab,dc=pnq,dc=redhat,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
[root@rhel7-ipa-1 ~]#
```
---------

------------
```
[root@rhel7-ipa-1 ~]# ipa-advise config-redhat-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# platforms that include the authconfig utility, which are all Red Hat
# based platforms.
# ----------------------------------------------------------------------
trying https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"

# Install required packages via yum
yum install -y sssd authconfig curl openssl

# NOTE: IPA certificate uses the SHA-256 hash function. SHA-256 was
# introduced in RHEL5.2. Therefore, clients older than RHEL5.2 will not
# be able to interoperate with IPA server 3.x.

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.

# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ; chmod 755 ./cacertdir_rehash ; ./cacertdir_rehash /etc/openldap/cacerts/ ; else cacertdir_rehash /etc/openldap/cacerts/ ; fi

# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enablesssd --enablesssdauth

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://rhel7-ipa-1.gsslab.pnq.redhat.com
ldap_search_base = cn=compat,dc=gsslab,dc=pnq,dc=redhat,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
[root@rhel7-ipa-1 ~]#
```
------------

/sbin/cacertdir_rehash is provided by authconfig so I wonder if it is ever reaching the curl command.

Upstream ticket: https://pagure.io/freeipa/issue/7731

Fixed upstream
master: https://pagure.io/freeipa/c/0e22314c9bafb684e5e18f7d3937dfc7e04c8561

Fixed upstream
ipa-4-7: https://pagure.io/freeipa/c/9cfd07e87964f37465dd699a50444e6953291f59
ipa-4-6: https://pagure.io/freeipa/c/9af6bb596ea98292a7228a8fb2c886fbb03ad59c

Build used for verification:
```
[root@qe-blade-10 ~]# rpm -qa ipa-server
ipa-server-4.6.5-9.el7.x86_64
[root@qe-blade-10 ~]#
[root@qe-blade-10 ~]# ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
trying https://qe-blade-10.testrelm.test/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://qe-blade-10.testrelm.test/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"

# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.

# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://qe-blade-10.testrelm.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then curl "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash" -o cacertdir_rehash ; chmod 755 ./cacertdir_rehash ; ./cacertdir_rehash /etc/openldap/cacerts/ ; else cacertdir_rehash /etc/openldap/cacerts/ ; fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://qe-blade-10.testrelm.test
ldap_search_base = cn=compat,dc=testrelm,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
```
Based on above observations marking bugzilla verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
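The bug above is a generated client-setup script that still fetched `cacertdir_rehash` from a retired host; the same script also pulls the CA certificate over plain `http://` and runs whatever it downloaded. The following audit is an added example, not FreeIPA's own code: it scans an ipa-advise style script for those three patterns. The sample script and the host `ipa.example.test` are constructed for the example; the retired-host list is an assumption containing only fedorahosted.org, which the fix replaced with pagure.io.

```python
import re
from urllib.parse import urlparse

# Hosts the advice used to fetch from and that no longer serve the file
# (fedorahosted.org, replaced by pagure.io in the fix). Constructed list.
RETIRED_HOSTS = {"fedorahosted.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>;]+")
CURL_OUT_RE = re.compile(r"\bcurl\b.*?\s-o\s+(\S+)")


def audit_advice_script(script):
    """Return (line_no, issue, url) tuples for executable lines of the script.

    retired-host           the URL host is a known-retired service
    plaintext-download     curl fetches over http:// (e.g. the CA cert)
    download-then-execute  the file curl wrote is run on the same line
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are never executed
        urls = URL_RE.findall(line)
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if host in RETIRED_HOSTS or any(host.endswith("." + h) for h in RETIRED_HOSTS):
                findings.append((lineno, "retired-host", url))
            if url.startswith("http://") and "curl" in line:
                findings.append((lineno, "plaintext-download", url))
        m = CURL_OUT_RE.search(line)
        if m and urls:
            basename = m.group(1).rstrip(";").rsplit("/", 1)[-1]
            if "./" + basename in line[m.end():]:  # chmod/run of the download
                findings.append((lineno, "download-then-execute", urls[0]))
    return findings


# Constructed sample in the shape of the bug's ipa-advise output; the host
# ipa.example.test is a placeholder, the fedorahosted.org URL is the old one.
SAMPLE_SCRIPT = """\
# Download the CA certificate of the IPA server
curl http://ipa.example.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt
# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ; chmod 755 ./cacertdir_rehash ; ./cacertdir_rehash /etc/openldap/cacerts/ ; else cacertdir_rehash /etc/openldap/cacerts/ ; fi
"""

if __name__ == "__main__":
    for lineno, issue, url in audit_advice_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {issue}: {url}")
```

Run against the fixed output, only the download-then-execute finding remains, which is the point worth checking on a client that lacks authconfig: a fetch that returns an error page is still chmod'ed and executed by the generated script.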