Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Verified
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
Now ipa-advise command points to the working URL "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash"
Console Output:
===============
ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl
# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://kvm-02-guest11.testrelm0901a.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt
# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
curl "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash" -o cacertdir_rehash ;
chmod 755 ./cacertdir_rehash ;
./cacertdir_rehash /etc/openldap/cacerts/ ;
else
cacertdir_rehash /etc/openldap/cacerts/ ;
fi
# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf
# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi
# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF
# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)
[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://kvm-02-guest11.testrelm0901a.test
ldap_search_base = cn=compat,dc=testrelm0901a,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
EOF
chmod 0600 /etc/sssd/sssd.conf
# Start SSSD
service sssd start
Based on the above observation, marking the bug VERIFIED