Red Hat Bugzilla – Bug 870278
ipa client setup should configure host properly if a trust is in place
Last modified: 2014-09-18 08:41:14 EDT
Description of problem:
I would expect that any necessary client install (including via ipa-replica-install) would configure necessary changes when a cross domain trust is in place. After having to re-configure/re-install a replica, I noticed that /etc/sssd/sssd.conf was missing the subdomains_provider line. ipa-client-install and ipa-replica-install should properly configure client config files for trusts if trusts are enabled for the environment.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64

How reproducible:
Unknown

Steps to Reproduce:
1. Install IPA Master and Replica
2. Install AD Server
3. Setup trust to AD domain
4. on replica: ipa-server-install --uninstall -U
5. on master: ipa-replica-manage -p PASSWORD del REPLICA --force
6. on master: ipa-replica-prepare -p PASSWORD --ip-address=REPLICA_IP REPLICA
7. on replica: sftp MASTER:/var/lib/ipa/replica-info-REPLICA.gpg
8. on replica: ipa-replica-install -U --setup-ca --setup-dns --forwarder=DNSFORWARDER -w PASSWORD -p PASSWD replica-info-REPLICA.gpg

Actual results:
configs missing. at the very least /etc/sssd/sssd.conf is missing the subdomains_provider = ipa line.

Expected results:
all trust related configs should be handled by ipa install commands.

Additional info:
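As an added example (not part of the bug report, and not FreeIPA or SSSD code), a small Python check for the exact symptom reported here: it parses an sssd.conf, lists every [domain/...] section that uses id_provider = ipa but lacks subdomains_provider = ipa, and returns a corrected copy. The sample config is constructed from the hostnames in this report; real sssd.conf files carry more keys and comments, and configparser drops comments when it rewrites the file.

```python
import configparser
import io

# Constructed sample sssd.conf in the shape ipa-client-install wrote it in
# this report: id_provider = ipa is present, subdomains_provider is not.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = testrelm.com

[domain/testrelm.com]
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
ipa_hostname = wazwan.testrelm.com
ipa_server = _srv_, dell-pe1950-03.testrelm.com
"""

def parse_sssd_conf(text):
    """sssd.conf is INI syntax; interpolation is disabled so values are literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp

def ipa_domains_missing_subdomains_provider(text):
    """Names of [domain/*] sections with id_provider = ipa but without
    subdomains_provider = ipa, i.e. the line this bug reports as missing."""
    cp = parse_sssd_conf(text)
    missing = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip() != "ipa":
            continue
        if cp.get(section, "subdomains_provider", fallback="").strip() != "ipa":
            missing.append(section[len("domain/"):])
    return missing

def add_subdomains_provider(text):
    """Return the config with subdomains_provider = ipa added to each IPA
    domain section that lacks it (comments and blank lines are not kept)."""
    cp = parse_sssd_conf(text)
    for name in ipa_domains_missing_subdomains_provider(text):
        cp.set("domain/" + name, "subdomains_provider", "ipa")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```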
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3218
Moving to SSSD.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1613
# Server (Replica)

[root@dell-pe1950-03 ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@dell-pe1950-03 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dell-pe1950-03 ~]# ipa-replica-manage list
ibm-x3500m4-01.testrelm.com: master
dell-pe1950-03.testrelm.com: master

# Adding IPA Client to a domain already having trust with AD

[root@wazwan ~]# rpm -q sssd
sssd-1.9.2-82.el6.x86_64

[root@wazwan ~]# cat /etc/sssd/sssd.conf
cat: /etc/sssd/sssd.conf: No such file or directory

[root@wazwan ~]# ipa-client-install
Discovery was successful!
Hostname: wazwan.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dell-pe1950-03.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@TESTRELM.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Mon Jan 28 12:34:23 2013 UTC
    Valid Until: Fri Jan 28 12:34:23 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dell-pe1950-03.testrelm.com/ipa/xml
Hostname (wazwan.testrelm.com) not found in DNS
DNS server record set to: wazwan.testrelm.com -> 10.65.201.162
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dell-pe1950-03.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@wazwan ~]# grep id_provider /etc/sssd/sssd.conf
id_provider = ipa

[root@wazwan ~]# ssh -l tuser1@adlab.qe wazwan.testrelm.com
tuser1@adlab.qe@wazwan.testrelm.com's password:
Your password will expire in 37 day(s).
Could not chdir to home directory /home/adlab.qe/tuser1: No such file or directory
-sh-4.1$

[root@wazwan ~]# ssh -l tuser1@adlab.qe wazwan.testrelm.com
tuser1@adlab.qe@wazwan.testrelm.com's password:
Your password will expire in 37 day(s).
Creating home directory for tuser1@adlab.qe.
Last login: Mon Feb 4 14:30:10 2013 from wazwan.testrelm.com
-sh-4.1$ echo tuser1@ADLAB.QE > .k5login
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.

[root@wazwan ~]# kinit tuser1@ADLAB.QE
Password for tuser1@ADLAB.QE:

[root@wazwan ~]# ssh -K -l tuser1@adlab.qe wazwan.testrelm.com
Last login: Mon Feb 4 14:42:20 2013 from wazwan.testrelm.com
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.
# Adding Replica to a Server having Trust with AD

[root@ibm-x3500m4-01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* On Replica

[root@rasalghul ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@rasalghul ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

* Installing ipa-adtrust

[root@rasalghul ~]# ipa-adtrust-install -a Secret123
[root@rasalghul ~]# ipactl restart
[root@rasalghul ~]# authconfig --enablemkhomedir --updateall
Shutting down Winbind services:                            [ OK ]
Stopping sssd:                                             [ OK ]
Starting oddjobd:                                          [ OK ]
[root@rasalghul ~]# service sssd status
sssd is stopped
[root@rasalghul ~]# service sssd start
Starting sssd:                                             [ OK ]

* Checking login from client

[root@wazwan ~]# ssh -l nuser1@adlab.qe rasalghul.testrelm.com
nuser1@adlab.qe@rasalghul.testrelm.com's password:
Your password will expire in 41 day(s).
Creating home directory for nuser1@adlab.qe.
Last login: Mon Feb 4 16:31:37 2013 from 10.65.201.162
-sh-4.1$ echo nuser1@ADLAB.QE > .k5login
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.

[root@wazwan ~]# kinit nuser1@ADLAB.QE
Password for nuser1@ADLAB.QE:

[root@wazwan ~]# ssh -K -l nuser1@adlab.qe rasalghul.testrelm.com
Last login: Mon Feb 4 16:33:35 2013 from 10.65.201.162
-sh-4.1$ pwd
/home/adlab.qe/nuser1
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html