Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 870278

Summary: ipa client setup should configure host properly in a trust is in place
Product: Red Hat Enterprise Linux 6 Reporter: Scott Poore <spoore>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: dpal, grajaiya, jgalipea, mkosek, nsoman, pbrezina, sgoveas
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-14.el6 Doc Type: Bug Fix
Doc Text:
No Documentation Needed
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:38:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 881827    

Description Scott Poore 2012-10-26 03:18:18 UTC 
Description of problem:

I would expect that any necessary client install (including via ipa-replica-install) would configure necessary changes when a cross domain trust is in place.

After having to re-configure/re-install a replica, I noticed that /etc/sssd/sssd.conf was missing subdomains_provider line.

ipa-client-install, ipa-replica-install should properly configure client config files for trusts if trusts are enabled for the environemt.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64

How reproducible:
Unknown


Steps to Reproduce:
1.  Install IPA Master and Replica
2.  Install AD Server
3.  Setup trust to AD domain
4.  on replica:  ipa-server-install --uninstall -U
5.  on master: ipa-replica-manage -p PASSWORD del REPLICA --force
6.  on master: ipa-replica-prepare -p PASSWORD --ip-address=REPLICA_IP REPLICA
7.  on replica: sftp MASTER:/var/lib/ipa/replica-info-REPLICA.gpg 
8.  on replica: ipa-replica-install -U --setup-ca --setup-dns --forwarder=DNSFORWARDER -w PASSWORD -p PASSWD replica-info-REPLICA.gpg
  
Actual results:

configs missing.  at the very least /etc/sssd/sssd.conf is missing subdomains_provider = ipa line.

Expected results:

all trust related configs should be handled by ipa install commands.

Additional info:
Comment 2 Martin Kosek 2012-10-26 10:11:17 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3218
Comment 3 Dmitri Pal 2012-10-31 20:16:37 UTC 
Moving to SSSD.
Comment 4 Dmitri Pal 2012-10-31 20:21:08 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1613
Comment 6 Steeve Goveas 2013-02-04 11:10:22 UTC 
# Server (Replica)

[root@dell-pe1950-03 ~]# kinit admin
Password for admin: 

[root@dell-pe1950-03 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dell-pe1950-03 ~]# ipa-replica-manage list
ibm-x3500m4-01.testrelm.com: master
dell-pe1950-03.testrelm.com: master

# Adding IPA Client to a domain already having trust with AD

[root@wazwan ~]# rpm -q sssd
sssd-1.9.2-82.el6.x86_64

[root@wazwan ~]# cat /etc/sssd/sssd.conf
cat: /etc/sssd/sssd.conf: No such file or directory

[root@wazwan ~]# ipa-client-install
Discovery was successful!
Hostname: wazwan.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dell-pe1950-03.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Mon Jan 28 12:34:23 2013 UTC
    Valid Until: Fri Jan 28 12:34:23 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dell-pe1950-03.testrelm.com/ipa/xml
Hostname (wazwan.testrelm.com) not found in DNS
DNS server record set to: wazwan.testrelm.com -> 10.65.201.162
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dell-pe1950-03.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@wazwan ~]# grep id_provider /etc/sssd/sssd.conf
id_provider = ipa

[root@wazwan ~]# ssh -l tuser1 wazwan.testrelm.com
tuser1@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Could not chdir to home directory /home/adlab.qe/tuser1: No such file or directory
-sh-4.1$ 

[root@wazwan ~]# ssh -l tuser1 wazwan.testrelm.com
tuser1@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Creating home directory for tuser1.
Last login: Mon Feb  4 14:30:10 2013 from wazwan.testrelm.com
-sh-4.1$ echo tuser1 > .k5login
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

[root@wazwan ~]# kinit tuser1
Password for tuser1: 

[root@wazwan ~]# ssh -K -l tuser1 wazwan.testrelm.com
Last login: Mon Feb  4 14:42:20 2013 from wazwan.testrelm.com
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

# Adding Replica to a Server having Trust with AD

[root@ibm-x3500m4-01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* On Replica
[root@rasalghul ~]# kinit admin
Password for admin: 

[root@rasalghul ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* Installing ipa-adtrust

[root@rasalghul ~]# ipa-adtrust-install -a Secret123

[root@rasalghul ~]# ipactl restart

[root@rasalghul ~]# authconfig --enablemkhomedir --updateall

Shutting down Winbind services:                            [  OK  ]
Stopping sssd:                                             [  OK  ]
Starting oddjobd:                                          [  OK  ]

[root@rasalghul ~]# service sssd status
sssd is stopped

[root@rasalghul ~]# service sssd start
Starting sssd:                                             [  OK  ]

* Checking login from client

[root@wazwan ~]# ssh -l nuser1 rasalghul.testrelm.com
nuser1@rasalghul.testrelm.com's password: 
Your password will expire in 41 day(s).
Creating home directory for nuser1.
Last login: Mon Feb  4 16:31:37 2013 from 10.65.201.162
-sh-4.1$ echo nuser1  > .k5login
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.

[root@wazwan ~]# kinit nuser1
Password for nuser1: 

[root@wazwan ~]# ssh -K -l nuser1 rasalghul.testrelm.com
Last login: Mon Feb  4 16:33:35 2013 from 10.65.201.162
-sh-4.1$ pwd
/home/adlab.qe/nuser1
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.
Comment 7 errata-xmlrpc 2013-02-21 09:38:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html