Red Hat Bugzilla – Bug 831010
[RFE] ipa-client-install always adds _srv_ entry to sssd.conf even when server specified.
Last modified: 2013-06-20 13:25:35 EDT
Created attachment 591044 [details]
add --fixed-server option to not add _srv_ entry to ipa_server in sssd.conf

Description of problem:
ipa-client-install always adds _srv_ entry to sssd.conf even when server specified

Version-Release number of selected component (if applicable):

How reproducible:
Create new ipa server in a dns domain that you don't have complete control over, meaning you can't add srv records (or modify current existing windows ad records), so you have to create a separate kerberos realm, say ipa.example.com.

ipa-client-install --server=server.example.com --domain -example.com --realm IPA.EXAMPLE.COM

Install succeeds, but has an error:
Unable to find 'admin' user with 'getent passwd admin'!

Steps to Reproduce:
1. Install ipa client with above command

Actual results:
Unable to find 'admin' user with 'getent passwd admin'!

Expected results:
No errors

Additional info:
Created attachment 591045 [details]
added extra check to make sure server is specified with --fixed-server option

These two patches add a --fixed-server option to ipa-client-install. This specifies that this client connects to a specific ipa server, and not to _srv_ discovered servers. This is helpful in a situation where you don't have control of the dns servers and are sharing a dns domain name with a windows domain.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2841
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/29fd982f7f3bf4b94a8420fdfb307ed9c43c515c

The --fixed-primary option of ipa-client-install can now be used to omit _srv_ from sssd.conf. Multiple IPA servers can now also be entered in the --server option of ipa-client-install, which will then set multiple IPA/Kerberos servers in sssd.conf/krb5.conf to improve redundancy.
*** Bug 810793 has been marked as a duplicate of this bug. ***
Since the Trusts feature is Tech Preview, this bz will be verified in a non-AD env.
bug verified.

test env:
1 standalone dns server
2 ipa server without dns setup
3 ipa client

test for comparison:

[root@apple (RH6.4-i386) ~] ipa-client-install --domain=yzhang.redhat.com --server=grape.yzhang.redhat.com --principal=admin --password=Secret123 -U
Hostname: apple.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: grape.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
trying https://grape.yzhang.redhat.com/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://grape.yzhang.redhat.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@apple (RH6.4-i386) ~] ipa.group.add.sh
create group: [group14785]
add user: [testuser22757] append to: [group14785]
add user: [testuser15057] append to: [group14785]
add user: [testuser29793] append to: [group14785]
[group14785] Member users: testuser22757, testuser15057, testuser29793

[root@apple (RH6.4-i386) ~] grep "ipa_server" /etc/sssd/sssd.conf
ipa_server = _srv_, grape.yzhang.redhat.com

=============== actual test =========

[root@apple (RH6.4-i386) ~] ipa-client-install --domain=yzhang.redhat.com --server=grape.yzhang.redhat.com --principal=admin --password=Secret123 --fixed-primary -U
Hostname: apple.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: grape.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
trying https://grape.yzhang.redhat.com/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://grape.yzhang.redhat.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@apple (RH6.4-i386) ~] grep "ipa_server" /etc/sssd/sssd.conf
ipa_server = grape.yzhang.redhat.com

[root@apple (RH6.4-i386) ~] ipa.kinitas.admin.sh
Default principal: admin@YZHANG.REDHAT.COM

[root@apple (RH6.4-i386) ~] ipa.group.add.sh
create group: [group17143]
add user: [testuser8419] append to: [group17143]
add user: [testuser9514] append to: [group17143]
add user: [testuser3357] append to: [group17143]
[group17143] Member users: testuser8419, testuser9514, testuser3357

=== what to verify =====
when "--fixed-primary" option used in ipa-client-install, the sssd configuration file /etc/sssd/sssd.conf should NOT contain "_srv_" before actual ipa server value, as below:
ipa_server = grape.yzhang.redhat.com

when no such option used, /etc/sssd/sssd.conf should have something like:
ipa_server = _srv_, grape.yzhang.redhat.com
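The "what to verify" step above is a one-line grep. The script below is an added example (not part of this bug report, and not FreeIPA or SSSD code) that turns the same check into something a fleet audit can run: it parses the [domain/...] sections of an sssd.conf, lists the ipa_server entries, and flags any domain whose list still contains the _srv_ marker, i.e. a client that will locate its IPA server through DNS SRV records. Which matters for exactly the reason the reporter gives: when the DNS zone is shared with a Windows domain you do not control, the SRV answers are not yours. The two sssd.conf samples are constructed from the two grep results in the comment above; everything else in them (services, config_file_version, id_provider) is an assumed minimal configuration.

```python
"""Report whether sssd.conf IPA domains rely on DNS SRV discovery (_srv_).

Added example, not from the Bugzilla report or from FreeIPA/SSSD.
"""
import configparser

# Constructed samples: the ipa_server lines are the two grep results from the
# verification comment; the surrounding keys are an assumed minimal sssd.conf.
SSSD_CONF_DEFAULT = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = yzhang.redhat.com

[domain/yzhang.redhat.com]
id_provider = ipa
ipa_domain = yzhang.redhat.com
ipa_server = _srv_, grape.yzhang.redhat.com
"""

# Same file as produced with --fixed-primary: no _srv_ marker.
SSSD_CONF_FIXED = SSSD_CONF_DEFAULT.replace(
    "ipa_server = _srv_, grape.yzhang.redhat.com",
    "ipa_server = grape.yzhang.redhat.com",
)


def parse_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is disabled because sssd values
    may legitimately contain '%' (e.g. in ldap filters)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return parser


def ipa_servers(text):
    """Return {domain_name: [server, ...]} for every [domain/...] section,
    preserving the order sssd will try the entries in."""
    parser = parse_sssd_conf(text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        raw = parser.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        result[section[len("domain/"):]] = servers
    return result


def srv_discovery_domains(text):
    """Domains whose ipa_server list contains the _srv_ marker, meaning
    the client will resolve IPA servers from DNS SRV records."""
    return sorted(d for d, servers in ipa_servers(text).items() if "_srv_" in servers)


def check_fixed_primary(text, expected_servers):
    """The verification from the bug, generalised to the multi-server --server
    form mentioned in the fix: every IPA domain must list exactly the expected
    servers, with no _srv_ entry in front of them. Returns (ok, message)."""
    for domain, servers in ipa_servers(text).items():
        if "_srv_" in servers:
            return False, f"{domain}: _srv_ present in ipa_server: {servers}"
        if servers != list(expected_servers):
            return False, f"{domain}: expected {list(expected_servers)}, got {servers}"
    return True, "ok: no _srv_ entry, ipa_server matches expected list"


if __name__ == "__main__":
    for label, conf in (("default", SSSD_CONF_DEFAULT), ("fixed-primary", SSSD_CONF_FIXED)):
        print(label, ipa_servers(conf), "srv discovery:", srv_discovery_domains(conf))
        print("  check:", check_fixed_primary(conf, ["grape.yzhang.redhat.com"]))
```

To run it against a real client, replace the constructed strings with the contents of /etc/sssd/sssd.conf (it is root-readable only, so the audit has to run as root) and pass the server list you enrolled with to check_fixed_primary.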
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html