Bug 1781153 - After upgrade AD Trust Agents were removed from LDAP [rhel-7.7.z]
Summary: After upgrade AD Trust Agents were removed from LDAP [rhel-7.7.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1778777
Blocks:
 
Reported: 2019-12-09 12:41 UTC by RAD team bot copy to z-stream
Modified: 2020-02-04 19:32 UTC (History)

Fixed In Version: ipa-4.6.5-11.el7_7.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1778777
Environment:
Last Closed: 2020-02-04 19:32:26 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0378 0 None None None 2020-02-04 19:32:41 UTC

Description RAD team bot copy to z-stream 2019-12-09 12:41:03 UTC
This bug has been copied from bug #1778777 and has been proposed to be backported to 7.7 z-stream (EUS).

Comment 5 Michal Polovka 2020-01-24 14:19:47 UTC
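Manually verified using the following steps; automation is pending. The host's fqdn member is deleted from the adtrust agents group by hand, and after ipa-server-upgrade the final ldapsearch shows it present again alongside the cifs principal. Secret123 is the Directory Manager password set at install time on this CI VM; passing it with -w leaves it in shell history and process listings, so on a real deployment prompt for it with -W or read it from a file with -y.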

[root@ci-vm-10-0-137-248 ~]# rpm -q ipa-server                                  
ipa-server-4.6.5-11.el7_7.4.x86_64 
                                             
[root@ci-vm-10-0-137-248 ~]# hostname -f                                        
ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com 
                              
[root@ci-vm-10-0-137-248 ~]# ipa-server-install --setup-dns --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a Secret123 -p Secret123 -U --auto-forwarders
                                                                                
[root@ci-vm-10-0-137-248 ~]# ipa-adtrust-install --add-agents --add-sids        

[root@ci-vm-10-0-137-248 ~]# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com"
objectClass: GroupOfNames                                                       
objectClass: top                                                                
objectClass: nestedgroup                                                        
cn: adtrust agents                                                              
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=dom-ci-vm-10-0-137-248,dc  
 =hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com                                    
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=dom-  
 ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com               
member: krbprincipalname=cifs/ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.co  
 m@dom-ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com,cn=services,cn=accoun  
 ts,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com     
member: fqdn=ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com,cn=computers,cn     
 =accounts,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc  
 =com                                                                           
                                                                                
[root@ci-vm-10-0-137-248 ~]# cat delete_fqdn.ldif                                                    
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com
changetype: modify                                                              
delete: member                                                                  
member: fqdn=ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com,cn=computers,cn=accounts,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com
                                                                                
[root@ci-vm-10-0-137-248 ~]# ldapmodify -D cn=directory\ manager -w Secret123 -h 10.0.137.248 -f delete_fqdn.ldif
modifying entry "cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com"

[root@ci-vm-10-0-137-248 ~]# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom-ci-vm-10-0-137-248,dc=hoste  
 d,dc=upshift,dc=rdu2,dc=redhat,dc=com                                          
objectClass: GroupOfNames                                                       
objectClass: top                                                                
objectClass: nestedgroup                                                        
cn: adtrust agents                                                              
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=dom-ci-vm-10-0-137-248,dc  
 =hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com                                    
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=dom-  
 ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com               
member: krbprincipalname=cifs/ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.co  
 m@dom-ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com,cn=services,cn=accoun  
 ts,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com     
                                                                                
[root@ci-vm-10-0-137-248 ~]#  ipa-server-upgrade                                
...                                                                             
hbac service systemd-user already exists                                        
[Setup PKINIT]                                                                  
[Enable certauth]                                                               
The IPA services were upgraded                                                  
The ipa-server-upgrade command was successful                                   
                                                                                
                                                                                
[root@ci-vm-10-0-137-248 ~]# ldapsearch -xLLL -D "cn=directory manager" -w "Secret123" -b "cn=adtrust agents,cn=sysaccounts, cn=etc, dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com"
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=dom-ci-vm-10-0-137-248,dc=hoste  
 d,dc=upshift,dc=rdu2,dc=redhat,dc=com                                          
objectClass: GroupOfNames                                                       
objectClass: top                                                                
objectClass: nestedgroup                                                        
cn: adtrust agents                                                              
memberOf: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=dom-ci-vm-10-0-137-248,dc  
 =hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com                                    
memberOf: cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=dom-  
 ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com               
member: krbprincipalname=cifs/ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.co  
 m@dom-ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com,cn=services,cn=accoun  
 ts,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com     
member: fqdn=ci-vm-10-0-137-248.hosted.upshift.rdu2.redhat.com,cn=computers,cn  
 =accounts,dc=dom-ci-vm-10-0-137-248,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc  
 =com

Comment 7 errata-xmlrpc 2020-02-04 19:32:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:0378

