RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 867447 - ipa-adtrust-install does not reset all information when re-run
Summary: ipa-adtrust-install does not reset all information when re-run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-17 14:25 UTC by Scott Poore
Modified: 2015-05-13 07:06 UTC (History)
2 users (show)

Fixed In Version: ipa-3.0.0-8.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 09:28:28 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 0 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Scott Poore 2012-10-17 14:25:39 UTC 
Description of problem:

When changing the NetBIOS name of the IPA domain, ipa-adtrust-install missed changing one object (ipaNTFlatName):

[root@f18-1 ~]# ipa-adtrust-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.

NetBIOS domain name [TESTRELM]: 

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: 
...output truncated...

[root@f18-1 ~]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket objectclass=ipaNTDomainAttrs
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=testrelm,dc=com> (default) with scope subtree
# filter: objectclass=ipaNTDomainAttrs
# requesting: ALL
#

# testrelm.com, ad, etc, testrelm.com
dn: cn=testrelm.com,cn=ad,cn=etc,dc=testrelm,dc=com
ipaNTFallbackPrimaryGroup: cn=Default SMB Group,cn=groups,cn=accounts,dc=testr
 elm,dc=com
objectClass: ipaNTDomainAttrs
objectClass: nsContainer
objectClass: top
ipaNTSecurityIdentifier: S-1-5-21-2925033745-151447840-2997953556
ipaNTFlatName: ADTESTDOM
ipaNTDomainGUID: b6f2eca8-01a0-4041-aac6-58446c934b13
cn: testrelm.com

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install IPA Master
2. Install AD Server
3. run ipa-adtrust-install with one NetBIOS name
4. re-run ipa-adtrust-install with new NetBIOS name
5. ldapsearch -H ldapi://%2fvar%2frun%2fslapd-<INSTANCE_NAME>.socket objectclass=ipaNTDomainAttrs
  
Actual results:

Shows original NetBIOS name, not new one.

Expected results:

Shows new NetBIOS name.

Additional info:

To workaround this, ldapmodify object like this:

ldapmodify -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-DOM.socket << EOF
dn: cn=testrelm.com,cn=ad,cn=etc,dc=testrelm,dc=com
changetype: modify
replace: ipaNTFlatName
ipaNTFlatName: TESTRELM

EOF
Comment 1 Martin Kosek 2012-10-19 07:22:15 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3192
Comment 2 Martin Kosek 2012-11-08 07:19:16 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/b204881ab989aa8287897711358189b687fb3996
ipa-3-0: https://fedorahosted.org/freeipa/changeset/349ab5150e30456ef6a36d5ca1e002b405b3c149
Comment 4 Scott Poore 2012-11-13 01:35:24 UTC 
Verified.

Version ::

ipa-server-trust-ad-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@rhel6-1 log]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket objectclass=ipaNTDomainAttrs| grep -i ipaNTFlatName
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ipaNTFlatName: TESTRELM
               ^^^^^^^^^

[root@rhel6-1 log]# ipa-adtrust-install --netbios-name=TEST2

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: 

Current NetBIOS domain name is TESTRELM, new name is TEST2.

Please note that changing the NetBIOS name might break existing trust relationships.
Say 'yes' if the NetBIOS shall be changed and 'no' if the old one shall be kept.
Do you want to reset the NetBIOS domain name? [no]: yes
Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
Reset NetBIOS domain name
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [7/18]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [8/18]: adding RID bases
RID bases already set, nothing to do
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [11/18]: activating sidgen plugin and task
Sidgen plugin already configured, nothing to do
Sidgen task plugin already configured, nothing to do
  [12/18]: activating extdom plugin
Extdom plugin already configured, nothing to do
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
Fallback group already set, nothing to do
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
	TCP Ports:
	  * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

[root@rhel6-1 log]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-COM.socket objectclass=ipaNTDomainAttrs| grep -i ipaNTFlatName
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ipaNTFlatName: TEST2
               ^^^^^^^^^
Comment 7 errata-xmlrpc 2013-02-21 09:28:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
Note You need to log in before you can comment on or make changes to this bug.