Bug 682853 - IPA provider should use realm instead of ipa_domain for base DN
Summary: IPA provider should use realm instead of ipa_domain for base DN
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 682850
Blocks:
Reported: 2011-03-07 19:16 UTC by Stephen Gallagher
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: sssd-1.5.1-14.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 682850
Environment:
Last Closed: 2011-07-21 08:09:41 UTC
Target Upstream Version:
Embargoed:

Links
Red Hat Product Errata RHSA-2011:0975 (normal, SHIPPED_LIVE): Low: sssd security, bug fix, and enhancement update (last updated 2011-07-21 08:09:03 UTC)

Description Stephen Gallagher 2011-03-07 19:16:19 UTC
+++ This bug was initially created as a clone of Bug #682850 +++

Description of problem:

From https://fedorahosted.org/sssd/ticket/807

See https://fedorahosted.org/freeipa/ticket/1001 and the bug linked from there.

The problem is that IPA seems to be deriving its Base DN from the Kerberos realm. SSSD derives it from IPA domain. In 99% of cases the two are the same, but there's no requirement on it, so we should use the realm, too.
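
The mismatch this report is about, shown as an added Python check (not part of the bug report, of IPA or of SSSD): it parses a constructed sssd.conf modelled on the client configuration pasted later in this bug (krb5_realm QWQW, ipa_domain testrelm), derives the base DN from the realm the way IPA does and from the domain the way SSSD did before the fix, and flags domains where the two disagree. It assumes the usual label-to-dc= mapping (EXAMPLE.COM -> dc=example,dc=com) and that ipa_domain defaults to the section name when unset.

```python
import configparser

# Constructed sample modelled on the client's /etc/sssd/sssd.conf in this
# bug (realm QWQW, DNS domain testrelm); not the file from the test machine.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = testrelm

[domain/testrelm]
krb5_realm = QWQW
ipa_domain = testrelm
id_provider = ipa
"""


def base_dn_from_name(name):
    """Map a Kerberos realm or DNS domain to an LDAP base DN: each dotted
    label becomes a lower-cased dc= component (EXAMPLE.COM -> dc=example,dc=com).
    Assumed here to be the rule IPA applies to the realm (QWQW -> dc=qwqw)."""
    labels = [label for label in name.lower().split(".") if label]
    return ",".join("dc=%s" % label for label in labels)


def check_base_dn(conf_text):
    """For each SSSD domain section using the ipa provider, derive the base
    DN from krb5_realm (IPA's rule) and from ipa_domain (SSSD's old rule)
    and report whether the two agree."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        realm = cp.get(section, "krb5_realm")
        # Assumption: ipa_domain falls back to the section's domain name.
        domain = cp.get(section, "ipa_domain", fallback=section.split("/", 1)[1])
        from_realm = base_dn_from_name(realm)
        from_domain = base_dn_from_name(domain)
        results[section] = {"from_realm": from_realm,
                            "from_domain": from_domain,
                            "mismatch": from_realm != from_domain}
    return results
```

Running check_base_dn(SAMPLE_SSSD_CONF) reports dc=qwqw from the realm and dc=testrelm from the domain for domain/testrelm, which is exactly the case where a domain-derived base DN would not match the IPA server.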

Comment 2 Jenny Severance 2011-05-31 19:08:17 UTC
IPA SERVER RHEL 6.1:

ipa-server-2.0.0-23.el6.x86_64
ipa-client-2.0.0-23.el6.x86_64
sssd-1.5.1-34.el6.x86_64

Installation command:

ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname=hostname.testrelm -r QWQW -n testrelm -p bigsecret -P bigsecret -a bigsecret -U

Installation successful

# kinit admin
Password for admin@QWQW: 
[root@myhost]# 

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@QWQW

Valid starting     Expires            Service principal
05/31/11 15:04:59  06/01/11 15:04:57  krbtgt/QWQW@QWQW

IPA CLIENT RHEL 5.7:

ipa-client-2.0-14.el5
sssd-1.5.1-35.el5

Installation command:

ipa-client-install --domain=testrelm --realm=QWQW -p admin -w bigsecret -U --server=hostname.testrelm

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: qe-blade-04.testrelm
BaseDN: dc=qwqw

kinit(v5): Cannot resolve network address for KDC in realm QWQW while getting initial credentials

Comment 3 Jenny Severance 2011-05-31 20:03:07 UTC
Setting this back to assigned as the problem is with the ipa-client 

https://fedorahosted.org/freeipa/ticket/1100

This fix is not included in RHEL 5.7 ipa-client, therefore it is not possible to verify this bug.

Comment 4 Jenny Severance 2011-06-03 15:27:31 UTC
Same result with RHEL 5 ipa-client scratch build:

ipa-client-install --domain=testrelm --realm=QWQW -p mysecret -w mysecret -U --server=ipaserver.testrelm
DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: ipaserver.testrelm
BaseDN: dc=qwqw

kinit(v5): Cannot contact any KDC for realm 'QWQW' while getting initial credentials

# rpm -q ipa-client
ipa-client-2.0-15.el5

Comment 5 Jenny Severance 2011-06-03 15:29:31 UTC
oh well slightly different ... 

"DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value."

Comment 6 Jenny Severance 2011-06-03 15:54:31 UTC
Wasn't executing the correct command: "-p" is principal.

# ipa-client-install --domain=testrelm --realm=QWQW -p admin -w mysecret -U --server=ipaserver.testrelm
DNS domain 'qwqw' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Realm: QWQW
DNS Domain: testrelm
IPA Server: ipaserver.testrelm
BaseDN: dc=qwqw

Enrolled in IPA realm QWQW
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QWQW
Warning: Hostname (client.testrelm) not found in DNS
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status -6)
Failed to stop the NSCD daemon
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

# kinit jennyg
Password for jennyg@QWQW: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# cat /etc/ipa/default.conf 
#File modified by ipa-client-install

[global]
basedn = dc=qwqw
realm = QWQW
domain = testrelm
server = ipaserver.testrelm
xmlrpc_uri = https://ipaserver.testrelm/ipa/xml
enable_ra = True

# cat /etc/sssd/sssd.conf 
[sssd]
services = nss, pam
config_file_version = 2

domains = testrelm
[nss]

[pam]

[domain/testrelm]
cache_credentials = True
krb5_realm = QWQW
ipa_domain = testrelm
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.testrelm

# cat /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = QWQW
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  QWQW = {
    kdc = ipaserver.testrelm:88
    admin_server = ipaserver.testrelm:749
    default_domain = testrelm
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = QWQW
  testrelm = QWQW

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

Comment 7 errata-xmlrpc 2011-07-21 08:09:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html
