Red Hat Bugzilla – Bug 870280
ipa reconfigure functionality needed for fixing clients to support trusts
Last modified: 2013-02-21 04:38:57 EST
Description of problem: We need a script or command functionality to support reconfiguring IPA clients to support trusts. At the moment some of the configs for a client need to be modified for existing IPA clients to support trusts completely. Version-Release number of selected component (if applicable): ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64 How reproducible: very Steps to Reproduce: 1. Install IPA Master 2. Install IPA Client 3. Install AD Server 4. Setup a trust Actual results: At this point have to update configs manually to support trusts. /etc/krb5.conf and /etc/sssd/sssd.conf need changes. Expected results: Additional info:
Note: this effort could be incorporated into ipa-client-upgrade script, RFE in ticket #3149: https://fedorahosted.org/freeipa/ticket/3149
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3225
Ticket #3225 was closed upstream as this whole issue will be taken care of in sssd component. Scott, do you want to leave this Bug open in ipa component to EQ-verify it or should we change the component to sssd?
I suppose we should change that to sssd. What about any krb5.conf client side changes? What would handle setting/resetting options there for clients? Thanks, Scott
The SSSD has no means to configure krb5.conf. What exactly is the scope of the ticket? What is the difference between this bugzilla and #870278 ?
The original intention of both was to try to cover overall IPA client configuration/reconfiguration for any changes necessary to support in place trusts. I'm not sure what the best way to handle these two bugs really is. I guess this could need to be split up? bug #870278 is intended for new client installs if a trust is already in place while this one is intended for existing installs where a trust is added after client install.
OK, as I discussed with Sumit and Dmitri in a separate mail thread, the patches Sumit has for bug #870278 would cover both cases.
# Replica already existed before establishing trust [root@dell-pe1950-03 ~]# ipa-adtrust-install -a Secret123 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring CIFS [1/18]: stopping smbd [2/18]: creating samba domain object Samba domain object already exists [3/18]: creating samba config registry [4/18]: writing samba config file [5/18]: adding cifs Kerberos principal [6/18]: adding cifs principal to S4U2Proxy targets [7/18]: adding admin(group) SIDs Admin SID already set, nothing to do Admin group SID already set, nothing to do [8/18]: adding RID bases RID bases already set, nothing to do [9/18]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [10/18]: activating CLDAP plugin [11/18]: activating sidgen plugin and task [12/18]: activating extdom plugin [13/18]: configuring smbd to start on boot [14/18]: adding special DNS service records [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [16/18]: adding fallback group Fallback group already set, nothing to do [17/18]: setting SELinux booleans [18/18]: starting CIFS services Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds Additionally you have to make sure the FreeIPA LDAP server is not reachable by any domain controller in the Active Directory domain by closing down the following ports for these servers: TCP Ports: * 389, 636: LDAP/LDAPS You may want to choose to REJECT the network packets instead of DROPing them to avoid timeouts on the AD domain controllers. ============================================================================= [root@dell-pe1950-03 ~]# ssh -l fuser@adlab.qe dell-pe1950-03.testrelm.com fuser@adlab.qe@dell-pe1950-03.testrelm.com's password: Your password will expire in 40 day(s). Last login: Fri Feb 1 20:26:09 2013 from dell-pe1950-03.testrelm.com Could not chdir to home directory /home/adlab.qe/fuser: No such file or directory -sh-4.1$ logout [root@dell-pe1950-03 ~]# cat /etc/krb5.conf . . [realms] .. auth_to_local = RULE:[1:$1@$0](^.*@ADLAB.QE$)s/@ADLAB.QE/@adlab.qe/ auth_to_local = DEFAULT } [root@dell-pe1950-03 ~]# kinit fuser@ADLAB.QE Password for fuser@ADLAB.QE: [root@dell-pe1950-03 ~]# ssh -K -l fuser@adlab.qe dell-pe1950-03.testrelm.com Could not chdir to home directory /home/adlab.qe/fuser: No such file or directory -sh-4.1$ logout
# Existing client before adding trust with AD * On Server [root@wazwan ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password Active directory domain administrator's password: ------------------------------------------------- Added Active Directory trust for realm "adlab.qe" ------------------------------------------------- Realm name: adlab.qe Domain NetBIOS name: ADLAB Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified * On Client [root@wazwan ~]# grep id_provider /etc/sssd/sssd.conf id_provider = ipa [root@wazwan ~]# ssh -l fuser@adlab.qe wazwan.testrelm.com fuser@adlab.qe@wazwan.testrelm.com's password: Your password will expire in 37 day(s). Last login: Mon Feb 4 15:04:06 2013 from wazwan.testrelm.com -sh-4.1$ logout Connection to wazwan.testrelm.com closed. [root@wazwan ~]# kinit fuser@ADLAB.QE Password for fuser@ADLAB.QE: [root@wazwan ~]# ssh -K -l fuser@adlab.qe wazwan.testrelm.com Last login: Mon Feb 4 21:18:42 2013 from wazwan.testrelm.com -sh-4.1$ cat .k5login fuser@ADLAB.QE -sh-4.1$ logout Connection to wazwan.testrelm.com closed. Verified in version [root@wazwan ~]# rpm -qa | grep ipa-server ipa-server-trust-ad-3.0.0-25.el6.x86_64 ipa-server-selinux-3.0.0-25.el6.x86_64 ipa-server-3.0.0-25.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0508.html