Red Hat Bugzilla – Bug 867447
ipa-adtrust-install does not reset all information when re-run
Last modified: 2015-05-13 03:06:32 EDT
Description of problem: When changing the NetBIOS name of the IPA domain, ipa-adtrust-install missed changing one object (ipaNTFlatName): [root@f18-1 ~]# ipa-adtrust-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. IPA generated smb.conf detected. Overwrite smb.conf? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Enter the NetBIOS name for the IPA domain. Only up to 15 uppercase ASCII letters and digits are allowed. Example: EXAMPLE. NetBIOS domain name [TESTRELM]: Configuring cross-realm trusts for IPA server requires password for user 'admin'. This user is a regular system account used for IPA server administration. admin password: ...output truncated... [root@f18-1 ~]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket objectclass=ipaNTDomainAttrs SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <dc=testrelm,dc=com> (default) with scope subtree # filter: objectclass=ipaNTDomainAttrs # requesting: ALL # # testrelm.com, ad, etc, testrelm.com dn: cn=testrelm.com,cn=ad,cn=etc,dc=testrelm,dc=com ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,dc=testr elm,dc=com objectClass: ipaNTDomainAttrs objectClass: nsContainer objectClass: top ipaNTSecurityIdentifier: S-1-5-21-2925033745-151447840-2997953556 ipaNTFlatName: ADTESTDOM ipaNTDomainGUID: b6f2eca8-01a0-4041-aac6-58446c934b13 cn: testrelm.com # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Install IPA Master 2. Install AD Server 3. run ipa-adtrust-install with one NetBIOS name 4. re-run ipa-adtrust-install with new NetBIOS name 5. ldapsearch -H ldapi://%2fvar%2frun%2fslapd-<INSTANCE_NAME>.socket objectclass=ipaNTDomainAttrs Actual results: Shows original NetBIOS name, not new one. Expected results: Shows new NetBIOS name. Additional info: To workaround this, ldapmodify object like this: ldapmodify -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-DOM.socket << EOF dn: cn=testrelm.com,cn=ad,cn=etc,dc=testrelm,dc=com changetype: modify replace: ipaNTFlatName ipaNTFlatName: TESTRELM EOF
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3192
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/b204881ab989aa8287897711358189b687fb3996 ipa-3-0: https://fedorahosted.org/freeipa/changeset/349ab5150e30456ef6a36d5ca1e002b405b3c149
Verified. Version :: ipa-server-trust-ad-3.0.0-8.el6.x86_64 Manual Test Results :: [root@rhel6-1 log]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket objectclass=ipaNTDomainAttrs| grep -i ipaNTFlatName SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ipaNTFlatName: TESTRELM ^^^^^^^^^ [root@rhel6-1 log]# ipa-adtrust-install --netbios-name=TEST2 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. IPA generated smb.conf detected. Overwrite smb.conf? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring cross-realm trusts for IPA server requires password for user 'admin'. This user is a regular system account used for IPA server administration. admin password: Current NetBIOS domain name is TESTRELM, new name is TEST2. Please note that changing the NetBIOS name might break existing trust relationships. Say 'yes' if the NetBIOS shall be changed and 'no' if the old one shall be kept. Do you want to reset the NetBIOS domain name? [no]: yes Configuring CIFS [1/18]: stopping smbd [2/18]: creating samba domain object Reset NetBIOS domain name [3/18]: creating samba config registry [4/18]: writing samba config file [5/18]: adding cifs Kerberos principal [6/18]: adding cifs principal to S4U2Proxy targets cifs principal already targeted, nothing to do. [7/18]: adding admin(group) SIDs Admin SID already set, nothing to do Admin group SID already set, nothing to do [8/18]: adding RID bases RID bases already set, nothing to do [9/18]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [10/18]: activating CLDAP plugin CLDAP plugin already configured, nothing to do [11/18]: activating sidgen plugin and task Sidgen plugin already configured, nothing to do Sidgen task plugin already configured, nothing to do [12/18]: activating extdom plugin Extdom plugin already configured, nothing to do [13/18]: configuring smbd to start on boot [14/18]: adding special DNS service records [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [16/18]: adding fallback group Fallback group already set, nothing to do [17/18]: setting SELinux booleans [18/18]: starting CIFS services Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds Additionally you have to make sure the FreeIPA LDAP server is not reachable by any domain controller in the Active Directory domain by closing down the following ports for these servers: TCP Ports: * 389, 636: LDAP/LDAPS You may want to choose to REJECT the network packets instead of DROPing them to avoid timeouts on the AD domain controllers. ============================================================================= [root@rhel6-1 log]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket objectclass=ipaNTDomainAttrs| grep -i ipaNTFlatName SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ipaNTFlatName: TEST2 ^^^^^^^^^
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html