1782658 – add "systemctl restart sssd" to warning message when adding trust agents to replicas

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1782658 - add "systemctl restart sssd" to warning message when adding trust agents to replicas

Summary: add "systemctl restart sssd" to warning message when adding trust agents to r...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	François Cami
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:	1782587
Blocks:
TreeView+	depends on / blocked

Reported:	2019-12-12 03:43 UTC by François Cami
Modified:	2023-03-07 12:30 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1782587
Environment:
Last Closed:	2020-04-28 15:44:43 UTC
Type:	---
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-9544	None	None	None	2023-03-07 12:30:56 UTC
Red Hat Issue Tracker	RHELPLAN-31102	None	None	None	2023-03-07 12:29:24 UTC
Red Hat Product Errata	RHEA-2020:1640	None	None	None	2020-04-28 15:44:56 UTC

Description François Cami 2019-12-12 03:43:13 UTC

+++ This bug was initially created as a clone of Bug #1782587 +++

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8148

### Issue
After adding a replica to AD trust agent, the warning message displays:
~~~
WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in
-order to activate them to serve information about users from trusted forests:
~~~
whereas restarting sssd is mandatory for trust agents to work.

Comment 1 François Cami 2019-12-12 03:45:12 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/d5dad53e70857b47ab89c8ba78b0d8fe7d8fae0b

Comment 2 François Cami 2019-12-12 16:40:53 UTC

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/62f0bd0bb8194b0998fca0e582725a6f63bc9154

Comment 3 François Cami 2019-12-12 16:42:09 UTC

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/14de3644ea1e8ce3954b1da6a0e99f6e27d4db03

Comment 4 François Cami 2019-12-12 16:42:55 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/5bc4218bf8716d28339a3f30d1be8471d04cb4b4

Comment 7 Sergey Orlov 2020-02-18 11:46:10 UTC

Fix verified for version:

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 Beta (Ootpa)

# rpm -q ipa-server-trust-ad
ipa-server-trust-ad-4.8.4-4.module+el8.2.0+5591+1f878b19.x86_64

Verified with two scenarios:
1) setup trust controller, then setup agents
2) setup trust controller and agents in one run

1. Two stages setup:

# ipa server-find --all
---------------------
2 IPA servers matched
---------------------
  dn: cn=master1.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
  Server name: master1.testrelm.test
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig

  dn: cn=replica1.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
  Server name: replica1.testrelm.test
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, IPA master
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig
----------------------------
Number of entries returned 2
----------------------------

# ipa-adtrust-install -U
...


# ipa-adtrust-install --add-agents
...
admin password:

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]:

...

WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests.
Installer can add them to the list of IPA masters allowed to access information about trusts.
If you choose to do so, you also need to restart LDAP service on those masters.
Refer to ipa-adtrust-install(1) man page for details.

IPA master [replica1.testrelm.test]? [no]: yes

WARNING: you MUST restart (both "ipactl restart" and "systemctl restart sssd")
the following IPA masters in order to activate them to serve information about
users from trusted forests:

replica1.testrelm.test

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================



2. One stage setup

# ipa server-find --all
---------------------
2 IPA servers matched
---------------------
  dn: cn=master1.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
  Server name: master1.testrelm.test
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig

  dn: cn=replica1.testrelm.test,cn=masters,cn=ipa,cn=etc,dc=testrelm,dc=test
  Server name: replica1.testrelm.test
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, IPA master
  objectclass: top, nsContainer, ipaReplTopoManagedServer, ipaConfigObject, ipaSupportedDomainLevelConfig
----------------------------
Number of entries returned 2
----------------------------

# ipa-adtrust-install --add-agents
...
admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]:

Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [TESTRELM]:


WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]:

...

WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests.
Installer can add them to the list of IPA masters allowed to access information about trusts.
If you choose to do so, you also need to restart LDAP service on those masters.
Refer to ipa-adtrust-install(1) man page for details.

IPA master [replica1.testrelm.test]? [no]: yes

WARNING: you MUST restart (both "ipactl restart" and "systemctl restart sssd")
the following IPA masters in order to activate them to serve information about
users from trusted forests:

replica1.testrelm.test

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 135: epmap
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	  * 1024..1300: epmap listener range
	  * 3268: msft-gc
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

Comment 8 Florence Blanc-Renaud 2020-03-05 13:49:02 UTC

Test case upstream
master:
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The commit adds a test in  ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall

Comment 9 Florence Blanc-Renaud 2020-03-10 17:18:51 UTC

Test upstream:
ipa-4-8:
https://pagure.io/freeipa/c/4afd6e5e07061dde6e30b5352668bdf23cd6dedd

ipa-4-7:
https://pagure.io/freeipa/c/59b09f154b9d85d937da64d6fe271d09c5b61bc1

ipa-4-6:
https://pagure.io/freeipa/c/796c86ac701d23d1dd281d0d5c5331b9a66c2888

Comment 11 errata-xmlrpc 2020-04-28 15:44:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640

Note You need to log in before you can comment on or make changes to this bug.