870278 – ipa client setup should configure host properly in a trust is in place

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 870278 - ipa client setup should configure host properly in a trust is in place

Summary: ipa client setup should configure host properly in a trust is in place

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	881827
TreeView+	depends on / blocked

Reported:	2012-10-26 03:18 UTC by Scott Poore
Modified:	2020-05-02 17:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:	sssd-1.9.2-14.el6
Doc Type:	Bug Fix
Doc Text:	No Documentation Needed
Clone Of:
Environment:
Last Closed:	2013-02-21 09:38:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2655	0	None	None	None	2020-05-02 17:03:54 UTC
Red Hat Product Errata	RHSA-2013:0508	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 21:30:10 UTC

Description Scott Poore 2012-10-26 03:18:18 UTC

Description of problem:

I would expect that any necessary client install (including via ipa-replica-install) would configure necessary changes when a cross domain trust is in place.

After having to re-configure/re-install a replica, I noticed that /etc/sssd/sssd.conf was missing subdomains_provider line.

ipa-client-install, ipa-replica-install should properly configure client config files for trusts if trusts are enabled for the environemt.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64

How reproducible:
Unknown


Steps to Reproduce:
1.  Install IPA Master and Replica
2.  Install AD Server
3.  Setup trust to AD domain
4.  on replica:  ipa-server-install --uninstall -U
5.  on master: ipa-replica-manage -p PASSWORD del REPLICA --force
6.  on master: ipa-replica-prepare -p PASSWORD --ip-address=REPLICA_IP REPLICA
7.  on replica: sftp MASTER:/var/lib/ipa/replica-info-REPLICA.gpg 
8.  on replica: ipa-replica-install -U --setup-ca --setup-dns --forwarder=DNSFORWARDER -w PASSWORD -p PASSWD replica-info-REPLICA.gpg
  
Actual results:

configs missing.  at the very least /etc/sssd/sssd.conf is missing subdomains_provider = ipa line.

Expected results:

all trust related configs should be handled by ipa install commands.

Additional info:

Comment 2 Martin Kosek 2012-10-26 10:11:17 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3218

Comment 3 Dmitri Pal 2012-10-31 20:16:37 UTC

Moving to SSSD.

Comment 4 Dmitri Pal 2012-10-31 20:21:08 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1613

Comment 6 Steeve Goveas 2013-02-04 11:10:22 UTC

# Server (Replica)

[root@dell-pe1950-03 ~]# kinit admin
Password for admin: 

[root@dell-pe1950-03 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dell-pe1950-03 ~]# ipa-replica-manage list
ibm-x3500m4-01.testrelm.com: master
dell-pe1950-03.testrelm.com: master

# Adding IPA Client to a domain already having trust with AD

[root@wazwan ~]# rpm -q sssd
sssd-1.9.2-82.el6.x86_64

[root@wazwan ~]# cat /etc/sssd/sssd.conf
cat: /etc/sssd/sssd.conf: No such file or directory

[root@wazwan ~]# ipa-client-install
Discovery was successful!
Hostname: wazwan.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dell-pe1950-03.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Mon Jan 28 12:34:23 2013 UTC
    Valid Until: Fri Jan 28 12:34:23 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dell-pe1950-03.testrelm.com/ipa/xml
Hostname (wazwan.testrelm.com) not found in DNS
DNS server record set to: wazwan.testrelm.com -> 10.65.201.162
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dell-pe1950-03.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@wazwan ~]# grep id_provider /etc/sssd/sssd.conf
id_provider = ipa

[root@wazwan ~]# ssh -l tuser1 wazwan.testrelm.com
tuser1@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Could not chdir to home directory /home/adlab.qe/tuser1: No such file or directory
-sh-4.1$ 

[root@wazwan ~]# ssh -l tuser1 wazwan.testrelm.com
tuser1@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Creating home directory for tuser1.
Last login: Mon Feb  4 14:30:10 2013 from wazwan.testrelm.com
-sh-4.1$ echo tuser1 > .k5login
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

[root@wazwan ~]# kinit tuser1
Password for tuser1: 

[root@wazwan ~]# ssh -K -l tuser1 wazwan.testrelm.com
Last login: Mon Feb  4 14:42:20 2013 from wazwan.testrelm.com
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

# Adding Replica to a Server having Trust with AD

[root@ibm-x3500m4-01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* On Replica
[root@rasalghul ~]# kinit admin
Password for admin: 

[root@rasalghul ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* Installing ipa-adtrust

[root@rasalghul ~]# ipa-adtrust-install -a Secret123

[root@rasalghul ~]# ipactl restart

[root@rasalghul ~]# authconfig --enablemkhomedir --updateall

Shutting down Winbind services:                            [  OK  ]
Stopping sssd:                                             [  OK  ]
Starting oddjobd:                                          [  OK  ]

[root@rasalghul ~]# service sssd status
sssd is stopped

[root@rasalghul ~]# service sssd start
Starting sssd:                                             [  OK  ]

* Checking login from client

[root@wazwan ~]# ssh -l nuser1 rasalghul.testrelm.com
nuser1@rasalghul.testrelm.com's password: 
Your password will expire in 41 day(s).
Creating home directory for nuser1.
Last login: Mon Feb  4 16:31:37 2013 from 10.65.201.162
-sh-4.1$ echo nuser1  > .k5login
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.

[root@wazwan ~]# kinit nuser1
Password for nuser1: 

[root@wazwan ~]# ssh -K -l nuser1 rasalghul.testrelm.com
Last login: Mon Feb  4 16:33:35 2013 from 10.65.201.162
-sh-4.1$ pwd
/home/adlab.qe/nuser1
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.

Comment 7 errata-xmlrpc 2013-02-21 09:38:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.