Bug 1778777 - After upgrade AD Trust Agents were removed from LDAP
Summary: After upgrade AD Trust Agents were removed from LDAP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1781153
TreeView+ depends on / blocked
 
Reported: 2019-12-02 13:36 UTC by aheverle
Modified: 2021-07-14 13:48 UTC (History)
9 users (show)

Fixed In Version: ipa-4.6.6-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1781153 (view as bug list)
Environment:
Last Closed: 2020-03-31 19:56:32 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4790681 0 None None None 2020-02-05 10:14:43 UTC
Red Hat Product Errata RHBA-2020:1083 0 None None None 2020-03-31 19:56:41 UTC

Description aheverle 2019-12-02 13:36:32 UTC
Description of problem:
Upgrade code in IdM should verify for every krbprincipalname=cifs/ipa.master@$REALM,cn=services,cn=accounts,$SUFFIX belonging to cn=adtrust agents, a corresponding fqdn=ipa.master,cn=machines,cn=accounts,$SUFFIX also belongs to the same group)

Version-Release number of selected component (if applicable):
ipa-server-4.6.5-11.el7_7.3.x86_64

How reproducible:
Only have seen it in this case.

Steps to Reproduce:
1. ipa-server-upgrade


Actual results:
AD Trust Agents were removed

Expected results:
AD Trust agents not affected

Additional info:

# ldapsearch -xLLL  -D "cn=directory manager" -W -b "cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX"
Enter LDAP Password:
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
memberOf: cn=adtrust agents,cn=privileges,cn=pbac,$SUFFIX
memberOf: cn=system: read system trust accounts,cn=permissions,cn=pbac,$SUFFIX
member: krbprincipalname=cifs/stcprdxidm01.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,d$SUFFIX
member: krbprincipalname=cifs/stcprdxidm02.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,d$SUFFIX
member: krbprincipalname=cifs/calprdxidm01.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,$SUFFIX
member: krbprincipalname=cifs/calprdxidm02.$SUFFIX@$SUFFIX,cn=services,c
 n=accounts,$SUFFIX
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents

Comment 2 Alexander Bokovoy 2019-12-04 08:07:17 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/3977

Comment 4 Florence Blanc-Renaud 2019-12-04 08:12:17 UTC
Fixed upstream
master:
https://github.com/freeipa/freeipa/commit/2c9b212cf08e9f0e6814b2e7a0922079b3929634

Comment 15 Nikhil Dehadrai 2019-12-18 00:51:54 UTC
IPA-server version: ipa-server-4.6.6-11.el7.x86_64

Verified the bug on the basis of following steps:

1. Setup IPA server at RHEL773 as MASTER / REPLICA (in my case: )
2. Verify that the trust agent configured via ldap query on MASTER / REPLICA (In this case not setup, replica entry should be missing under member section of result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
3. Configure trust, trust-agent on the MASTER via --add-agent option
# ipa-adtrust-install --add-agents
4. Verify that the trust agent configured via ldap query on MASTER / REPLICA (replica entry is visible under member section of result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
5. Run "ipa-server-upgrade" on MASTER / REPLICA
6. Again verify that the trust agent configured via ldap query on MASTER / REPLICA (replica entry is visible under member section of result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
7. Run ipa upgrade on MASTER and then on REPLICA
# yum -y update
8. Run "ipa-server-upgrade" on MASTER / REPLICA
9. Again verify that the trust agent configured via ldap query on MASTER / REPLICA (replica entry is visible under member section of result)
# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=ipapnq, dc=test"
10. Validate Trust-agent server role for replica on both Master/Replica using command
# ipa server-role-find | grep trust -B1 -A1



Console:
--------------
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test@ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# rpm -q ipa-server
ipa-server-4.6.5-11.el7_7.3.x86_64
[root@master ~]# 
[root@master ~]# ipa-adtrust-install --add-agents

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: 

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: 


WARNING: 1 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: 

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
Samba domain object already exists
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [10/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [11/23]: adding RID bases
RID bases already set, nothing to do
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [14/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [15/23]: map BUILTIN\Guests to nobody group
  [16/23]: configuring smbd to start on boot
  [17/23]: adding special DNS service records
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
Fallback group already set, nothing to do
  [20/23]: adding Default Trust View
Default Trust View already exists.
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.

WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests.
Installer can add them to the list of IPA masters allowed to access information about trusts.
If you choose to do so, you also need to restart LDAP service on those masters.
Refer to ipa-adtrust-install(1) man page for details.

IPA master [replica1.ipapnq.test]? [no]: yes

WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in
order to activate them to serve information about users from trusted forests:

replica1.ipapnq.test

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test@ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test@ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# systemctl stop sssd; rm -frv /var/lib/sss/{db,mc}/*; systemctl start sssd
removed '/var/lib/sss/db/cache_ipapnq.test.ldb'
removed '/var/lib/sss/db/ccache_IPAAD2K16CIN.TEST'
removed '/var/lib/sss/db/ccache_IPAPNQ.TEST'
removed '/var/lib/sss/db/config.ldb'
removed '/var/lib/sss/db/sssd.ldb'
removed '/var/lib/sss/db/timestamps_ipapnq.test.ldb'
removed '/var/lib/sss/mc/group'
removed '/var/lib/sss/mc/initgroups'
removed '/var/lib/sss/mc/passwd'
[root@master ~]# id administrator@ipaad2k16cin.test
uid=879000500(administrator@ipaad2k16cin.test) gid=879000500(administrator@ipaad2k16cin.test) groups=879000500(administrator@ipaad2k16cin.test),879000518(schema admins@ipaad2k16cin.test),879000519(enterprise admins@ipaad2k16cin.test),879000512(domain admins@ipaad2k16cin.test),879000513(domain users@ipaad2k16cin.test),879000520(group policy creator owners@ipaad2k16cin.test)


[root@master ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
Updating DNS system records
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@master ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtrust agents,cn=sysaccounts, cn=etc,$BASEDN"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipapnq,dc=test
member: krbprincipalname=cifs/master.ipapnq.test@ipapnq.test,cn=services,cn=ac
 counts,dc=ipapnq,dc=test
member: fqdn=master.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
member: fqdn=replica1.ipapnq.test,cn=computers,cn=accounts,dc=ipapnq,dc=test
objectClass: GroupOfNames
objectClass: top
objectClass: nestedgroup
cn: adtrust agents
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=ipapnq,dc=test
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipap
 nq,dc=test

[root@master ~]# systemctl stop sssd; rm -frv /var/lib/sss/{db,mc}/*; systemctl start sssd
removed '/var/lib/sss/db/cache_ipapnq.test.ldb'
removed '/var/lib/sss/db/ccache_IPAAD2K16CIN.TEST'
removed '/var/lib/sss/db/ccache_IPAPNQ.TEST'
removed '/var/lib/sss/db/config.ldb'
removed '/var/lib/sss/db/sssd.ldb'
removed '/var/lib/sss/db/timestamps_ipapnq.test.ldb'
removed '/var/lib/sss/mc/group'
removed '/var/lib/sss/mc/initgroups'
removed '/var/lib/sss/mc/passwd'
[root@master ~]# id administrator@ipaad2k16cin.test
uid=879000500(administrator@ipaad2k16cin.test) gid=879000500(administrator@ipaad2k16cin.test) groups=879000500(administrator@ipaad2k16cin.test),879000518(schema admins@ipaad2k16cin.test),879000519(enterprise admins@ipaad2k16cin.test),879000512(domain admins@ipaad2k16cin.test),879000513(domain users@ipaad2k16cin.test),879000520(group policy creator owners@ipaad2k16cin.test)
[root@master yum.repos.d]# ipa server-role-find | grep trust -B1 -A1
  Server name: master.ipapnq.test
  Role name: AD trust agent
  Role status: enabled
--
  Server name: replica1.ipapnq.test
  Role name: AD trust agent
  Role status: enabled
--
  Server name: master.ipapnq.test
  Role name: AD trust controller
  Role status: enabled
--
  Server name: replica1.ipapnq.test
  Role name: AD trust controller
  Role status: absent

Similar behaviour is observed when above steps are run on REPLICA.

Thus on basis of above observations, marking the status of bug to "VERIFIED"

Comment 18 errata-xmlrpc 2020-03-31 19:56:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083


Note You need to log in before you can comment on or make changes to this bug.