Bug 870280 - ipa reconfigure functionality needed for fixing clients to support trusts
Summary: ipa reconfigure functionality needed for fixing clients to support trusts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-10-26 03:24 UTC by Scott Poore
Modified: 2020-05-04 10:33 UTC

Fixed In Version: sssd-1.9.2-12.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Clone Of:
Environment:
Last Closed: 2013-02-21 09:38:57 UTC
Target Upstream Version:
Embargoed:




Links:
  System: Github SSSD sssd issues; ID: 2655; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-05-04 10:33:47 UTC
  System: Red Hat Product Errata; ID: RHSA-2013:0508; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: Low: sssd security, bug fix and enhancement update; Last Updated: 2013-02-20 21:30:10 UTC

Description Scott Poore 2012-10-26 03:24:07 UTC
Description of problem:

We need a script or command functionality to support reconfiguring IPA clients to support trusts.

At the moment some of the configs for a client need to be modified for existing IPA clients to support trusts completely.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64

How reproducible:
very

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Client
3.  Install AD Server
4.  Set up a trust

  
Actual results:
At this point you have to update configs manually to support trusts.

/etc/krb5.conf and /etc/sssd/sssd.conf need changes.

Expected results:


Additional info:

Comment 2 Martin Kosek 2012-10-26 08:42:45 UTC
Note: this effort could be incorporated into ipa-client-upgrade script, RFE in ticket #3149: https://fedorahosted.org/freeipa/ticket/3149

Comment 3 Dmitri Pal 2012-10-29 23:27:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3225

Comment 4 Martin Kosek 2012-11-13 09:56:40 UTC
Ticket #3225 was closed upstream as this whole issue will be taken care of in the sssd component. Scott, do you want to leave this Bug open in the ipa component to QE-verify it or should we change the component to sssd?

Comment 5 Scott Poore 2012-11-13 14:06:19 UTC
I suppose we should change that to sssd.

What about any krb5.conf client side changes?  What would handle setting/resetting options there for clients?  

Thanks,
Scott

Comment 7 Jakub Hrozek 2012-11-13 15:14:37 UTC
The SSSD has no means to configure krb5.conf.

What exactly is the scope of the ticket? What is the difference between this bugzilla and #870278?

Comment 8 Scott Poore 2012-11-13 20:05:27 UTC
The original intention of both was to try to cover overall IPA client configuration/reconfiguration for any changes necessary to support in place trusts.  I'm not sure what the best way to handle these two bugs really is.  I guess this could need to be split up? 

bug #870278 is intended for new client installs if a trust is already in place while this one is intended for existing installs where a trust is added after client install.

Comment 9 Jakub Hrozek 2012-11-14 08:52:10 UTC
OK, as I discussed with Sumit and Dmitri in a separate mail thread, the patches Sumit has for bug #870278 would cover both cases.

Comment 11 Steeve Goveas 2013-02-01 17:33:12 UTC
# Replica already existed before establishing trust

[root@dell-pe1950-03 ~]# ipa-adtrust-install -a Secret123

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
Samba domain object already exists
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [8/18]: adding RID bases
RID bases already set, nothing to do
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
Fallback group already set, nothing to do
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
	TCP Ports:
	  * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

[root@dell-pe1950-03 ~]# ssh -l fuser dell-pe1950-03.testrelm.com
fuser@dell-pe1950-03.testrelm.com's password: 
Your password will expire in 40 day(s).
Last login: Fri Feb  1 20:26:09 2013 from dell-pe1950-03.testrelm.com
Could not chdir to home directory /home/adlab.qe/fuser: No such file or directory
-sh-4.1$ logout

[root@dell-pe1950-03 ~]# cat /etc/krb5.conf
.
.
[realms]
..
  auth_to_local = RULE:[1:$1@$0](^.*@ADLAB.QE$)s/@ADLAB.QE/@adlab.qe/
  auth_to_local = DEFAULT
}

[root@dell-pe1950-03 ~]# kinit fuser
Password for fuser: 

[root@dell-pe1950-03 ~]# ssh -K -l fuser dell-pe1950-03.testrelm.com
Could not chdir to home directory /home/adlab.qe/fuser: No such file or directory
-sh-4.1$ logout
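
To show what the auth_to_local lines in the krb5.conf fragment above actually do, here is an added example (not from this bug, SSSD or IPA) that evaluates MIT-style auth_to_local rules in Python: the [1:$1@$0] rule rewrites fuser@ADLAB.QE to the local name fuser@adlab.qe (the user behind the /home/adlab.qe/fuser home directory in the session above), while principals from the IPA realm fall through to DEFAULT. The IPA realm TESTRELM.COM is assumed from the hostnames, and the model is simplified (the replacement string is applied literally, without backreferences).

```python
import re

# Constructed rule set modelled on the krb5.conf fragment in comment 11
# (the [1:$1@$0] rule plus DEFAULT); the default realm is an assumption.
RULES = [
    'RULE:[1:$1@$0](^.*@ADLAB.QE$)s/@ADLAB.QE/@adlab.qe/',
    'DEFAULT',
]
DEFAULT_REALM = 'TESTRELM.COM'

# Accepts the MIT syntax RULE:[n:string](regexp)s/pattern/replacement/[g].
_RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)$')


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition('@')
    if not sep or not realm:
        raise ValueError('principal has no realm: %s' % principal)
    return name.split('/'), realm


def apply_rule(rule, principal):
    """Return the local name one RULE yields, or None if the rule does not apply."""
    match = _RULE_RE.match(rule)
    if match is None:
        raise ValueError('unsupported rule syntax: %s' % rule)
    ncomp, fmt, regexp, pattern, repl, flag = match.groups()
    components, realm = split_principal(principal)
    if len(components) != int(ncomp):          # rule only covers n-component principals
        return None
    # Build the selection string: $0 is the realm, $1..$n the components.
    selected = re.sub(r'\$(\d+)', lambda m: realm if m.group(1) == '0'
                      else components[int(m.group(1)) - 1], fmt)
    if re.search(regexp, selected) is None:    # selection string must match the regexp
        return None
    # Replacement text is treated literally here (no backreferences).
    return re.sub(pattern, lambda _: repl, selected, count=0 if flag == 'g' else 1)


def auth_to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """First applicable rule wins; DEFAULT maps one-component principals of the default realm."""
    for rule in rules:
        if rule == 'DEFAULT':
            components, realm = split_principal(principal)
            result = components[0] if realm == default_realm and len(components) == 1 else None
        else:
            result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None   # no rule applied: the KDC client library would reject the mapping
```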

Comment 12 Steeve Goveas 2013-02-04 15:58:59 UTC
# Existing client before adding trust with AD

* On Server

[root@wazwan ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password
Active directory domain administrator's password: 
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

* On Client

[root@wazwan ~]# grep id_provider /etc/sssd/sssd.conf
id_provider = ipa

[root@wazwan ~]# ssh -l fuser wazwan.testrelm.com
fuser@wazwan.testrelm.com's password: 
Your password will expire in 37 day(s).
Last login: Mon Feb  4 15:04:06 2013 from wazwan.testrelm.com
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.
[root@wazwan ~]# kinit fuser
Password for fuser: 

[root@wazwan ~]# ssh -K -l fuser wazwan.testrelm.com
Last login: Mon Feb  4 21:18:42 2013 from wazwan.testrelm.com
-sh-4.1$ cat .k5login 
fuser
-sh-4.1$ logout
Connection to wazwan.testrelm.com closed.


Verified in version
[root@wazwan ~]# rpm -qa | grep ipa-server
ipa-server-trust-ad-3.0.0-25.el6.x86_64
ipa-server-selinux-3.0.0-25.el6.x86_64
ipa-server-3.0.0-25.el6.x86_64

Comment 13 errata-xmlrpc 2013-02-21 09:38:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

