878288 – IPA users are not available after ipa-server-install because sssd not running

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 878288 - IPA users are not available after ipa-server-install because sssd not running

Summary: IPA users are not available after ipa-server-install because sssd not running

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	886216
TreeView+	depends on / blocked

Reported:	2012-11-20 03:24 UTC by Scott Poore
Modified:	2015-05-12 10:47 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-3.0.0-10.el6
Doc Type:	Known Issue
Doc Text:	When attempting to set up a trust to Active Directory, running the 'ipa- trust-add' command fails with the following error message: ERROR: Insufficient access: CIFS server denied your credentials To work around this problem, restart the sssd daemon before adding the trust.
Clone Of:
Environment:
Last Closed:	2013-02-21 09:30:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0528	0	normal	SHIPPED_LIVE	Low: ipa security, bug fix and enhancement update	2013-02-21 08:22:21 UTC

Description Scott Poore 2012-11-20 03:24:44 UTC

Description of problem:

Trying to add a trust to IPA results in failure for latest RHEL6.4 tests.  

[root@rhel6-1 samba]# echo $ADMINPW|ipa trust-add $ADDOMAIN --admin Administrator --password
ipa: ERROR: Insufficient access: CIFS server denied your credentials


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64
krb5-server-1.10.3-6.el6.x86_64
samba4-4.0.0-46.el6.rc4.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Install IPA Server
2. Install AD Server
3. ipa-adtrust-install
4. ipa trust-add <ad-domain> --admin Administrator --password
  
Actual results:
Fails like above

Expected results:
Sets up Trust to AD.

Additional info:

[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD \
>   --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW \
>   --ip-address=$ipaddr -P $ADMINPW -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm.com

Warning: hostname rhel6-1.testrelm.com does not match system hostname rhel6-1.example.com.
System hostname will be updated during the installation process
to prevent service failures.

Adding [192.168.122.61 rhel6-1.testrelm.com] to your /etc/hosts file
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm.com
IP address:    192.168.122.61
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: disabling betxn plugins
  [10/37]: configuring uniqueness plugin
  [11/37]: configuring uuid plugin
  [12/37]: configuring modrdn plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring ssl for ds instance
  [18/37]: configuring certmap.conf
  [19/37]: configure autobind for root
  [20/37]: configure new location for managed entries
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: adding replication acis
  [25/37]: creating container for managed entries
  [26/37]: configuring user private groups
  [27/37]: configuring netgroups from hostgroups
  [28/37]: creating default Sudo bind user
  [29/37]: creating default Auto Member layout
  [30/37]: adding range check plugin
  [31/37]: creating default HBAC rule allow_all
  [32/37]: initializing group membership
  [33/37]: adding master entry
  [34/37]: configuring Posix uid/gid generation
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@rhel6-1 ~]# chkconfig iptables off

[root@rhel6-1 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@rhel6-1 ~]# chkconfig ip6tables off

[root@rhel6-1 ~]# service ip6tables stop
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]

[root@rhel6-1 ~]# ipa-adtrust-install --netbios-name=$(echo $RELM|cut -f1 -d.) \
>   -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
	TCP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 445: microsoft-ds
	UDP Ports:
	  * 138: netbios-dgm
	  * 139: netbios-ssn
	  * 389: (C)LDAP
	  * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
	TCP Ports:
	  * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================


[root@rhel6-1 ~]# echo $ADMINPW|kinit admin
Password for admin: 

[root@rhel6-1 ~]# ipa dnszone-add $ADDOMAIN --name-server=$ADSERVER \
>   --admin-email="hostmaster@$ADDOMAIN" --force  \
>   --forwarder=$ADSERVERIP --forward-policy=only
  Zone name: adtestdom.com
  Authoritative nameserver: w2k8r2-1.adtestdom.com
  Administrator e-mail address: hostmaster.adtestdom.com.
  SOA serial: 1353379281
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant
                      TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 192.168.122.21
  Forward policy: only

[root@rhel6-1 ~]# ipa trust-add $ADDOMAIN --admin Administrator --password
Active directory domain administrator's password: 
ipa: ERROR: Insufficient access: CIFS server denied your credentials

[root@rhel6-1 ~]# chkconfig iptables off

[root@rhel6-1 ~]# service iptables stop

[root@rhel6-1 ~]# chkconfig ip6tables off

[root@rhel6-1 ~]# service ip6tables stop

[root@rhel6-1 ~]# ipa trust-add $ADDOMAIN --admin Administrator --password
Active directory domain administrator's password: 
ipa: ERROR: Insufficient access: CIFS server denied your credentials

FROM /var/log/samba/log.192.168.122.61:

[2012/11/19 22:21:57.954944,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username TESTRELM\admin is invalid on this system
[2012/11/19 22:21:57.955029,  1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2012/11/19 22:21:57.955098,  1] ../source3/smbd/sesssetup.c:275(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
[2012/11/19 22:21:58.021609,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username TESTRELM\admin is invalid on this system
[2012/11/19 22:21:58.021692,  1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2012/11/19 22:21:58.021761,  1] ../source3/smbd/sesssetup.c:275(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

FROM /var/log/krb5kdc.log:

Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18 tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com for ldap/rhel6-1.testrelm.com
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ... CONSTRAINED-DELEGATION s4u-client=admin
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18 tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com for cifs/rhel6-1.testrelm.com
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ... CONSTRAINED-DELEGATION s4u-client=admin
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18 tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com for cifs/rhel6-1.testrelm.com
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ... CONSTRAINED-DELEGATION s4u-client=admin
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10

Comment 2 Sumit Bose 2012-11-20 08:05:23 UTC

The reason is "Username TESTRELM\admin is invalid on this system", i.e. smbd cannot resolve the IPA admin user. There might be several issues leading to this.

Since you are not mentioning that you add config options to sssd.conf I assume you  are running one of the latest sssd versions, where the subdomains provider and the PAc responder are started automatically if ip_provider=ipa is configured. Can you check if this is really the case by checking that sssd_pac process is running?

If this is that case I assume that the sssd subdomain provider is in a timeout period where is does not check for subdomains. This timeout period was added to make the subdomain provider well behaved in case where no trust is configured on the IPA server, i.e. does not make too many useless subdomain related lookups on the server. To test this please run the test again, but restart sssd after ipa-adtrust-install is run.

If the test is successful, please change the component of the ticket to sssd and rename it to 'IPA subdomains provider shall allow lookups after reconnect'. Currently the timeout period is reset when sssd goes online, but is looks that in your test the restart of the IPA directory server does not trigger an offline-online cycle, but only a reconnect.

Comment 3 Sumit Bose 2012-11-20 12:17:53 UTC

Sorry, looks like my assumption in comment 2 is not the issue here. Steeve was so kind to re-run your test and found the sssd is not running at all after ipa-server-install. I think it is realated to to the change in https://bugzilla.redhat.com/show_bug.cgi?id=874527 .

Looks like a restart of sssd must be added to ipa-client-install.

Comment 4 Rob Crittenden 2012-11-20 13:14:23 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3267

Comment 5 Scott Poore 2012-11-20 15:31:15 UTC

Yep, that's what I see on the server I used to post this bug:

[root@rhel6-1 ~]# ps -ef|grep sssd
root     30192 30174  0 10:26 pts/0    00:00:00 grep sssd

[root@rhel6-1 ~]# service sssd restart
Stopping sssd: cat: /var/run/sssd.pid: No such file or directory
                                                           [FAILED]
Starting sssd:                                             [  OK  ]


[root@rhel6-1 ~]# echo <PASSWORD>|ipa trust-add adtestdom.com --admin Administrator --password
------------------------------------------------------
Added Active Directory trust for realm "adtestdom.com"
------------------------------------------------------
  Realm name: adtestdom.com
  Domain NetBIOS name: ADTESTDOM
  Domain Security Identifier: S-1-5-21-1246088475-3077293710-2580964704
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

Comment 6 Scott Poore 2012-11-20 16:55:55 UTC

Ok, removing TestBlocker keyword because we have a workaround here of restarting sssd before adding the trust.

Comment 7 Scott Poore 2012-11-27 18:22:54 UTC

So, is ipa-client-install going to get updated to fix this?

Comment 8 Rob Crittenden 2012-11-27 18:28:41 UTC

That's the plan.

Comment 9 Scott Poore 2012-11-28 18:26:54 UTC

Bug summary changed to be more descriptive of overall issue seen.  

It should be noted that we've also seen that issue cause ipa-replica-install to fail during the ipa-replica-conncheck when it tries to ssh as admin to the IPA master.  Starting sssd on the IPA master fixes that issue.

Comment 10 Scott Poore 2012-11-30 20:13:19 UTC

Updating summary to include because sssd not running to make it even easier to understand at a glance.

Also, adding Regression keyword as it will be seen that way to end users seeing this unexpected failure.

Comment 12 Rob Crittenden 2012-12-03 20:37:55 UTC

Fixed upstream.

master: a45125f78db5d95b3d0dd000cf6af0ef4444f9a0

ipa-3-0: 3ea6c53a44f5d7a25b0274ad384d445739f85203

Restart sssd after authconfig update Recent versions of authconfig do not restart sssd if only the --enablesssd and --enablesssdauth options are used. To make sure sssd is running after ipa-server-install is run this patch add an unconditional restart of sssd after authconfig is run during the installation.

Since there already is some logic trying to determine if sssd needs to be restarted or stopped if freeipa in uninstalled no changes are needed here.

Comment 14 Scott Poore 2012-12-05 17:25:36 UTC

Verified.

Version ::

ipa-client-3.0.0-10.el6.x86_64

Manual Test Results ::

[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm.com
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm.com
IP address:    192.168.122.61
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: disabling betxn plugins
  [10/37]: configuring uniqueness plugin
  [11/37]: configuring uuid plugin
  [12/37]: configuring modrdn plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring ssl for ds instance
  [18/37]: configuring certmap.conf
  [19/37]: configure autobind for root
  [20/37]: configure new location for managed entries
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: adding replication acis
  [25/37]: creating container for managed entries
  [26/37]: configuring user private groups
  [27/37]: configuring netgroups from hostgroups
  [28/37]: creating default Sudo bind user
  [29/37]: creating default Auto Member layout
  [30/37]: adding range check plugin
  [31/37]: creating default HBAC rule allow_all
  [32/37]: initializing group membership
  [33/37]: adding master entry
  [34/37]: configuring Posix uid/gid generation
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@rhel6-1 ~]# ps -ef|grep sssd
root     29201     1  0 10:15 ?        00:00:00 /usr/sbin/sssd -f -D
root     29202 29201  0 10:15 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.com --debug-to-files
root     29203 29201  0 10:15 ?        00:00:00 /usr/libexec/sssd/sssd_nss --debug-to-files
root     29204 29201  0 10:15 ?        00:00:00 /usr/libexec/sssd/sssd_pam --debug-to-files
root     29205 29201  0 10:15 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --debug-to-files
root     29206 29201  0 10:15 ?        00:00:00 /usr/libexec/sssd/sssd_pac --debug-to-files
root     29305 25415  0 10:28 pts/0    00:00:00 grep sssd

[root@rhel6-1 ~]# service sssd status
sssd (pid  29201) is running...

[root@rhel6-1 ~]# ssh admin@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is 5f:a4:46:34:99:80:f7:8b:1b:76:f0:e7:d6:97:25:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
admin@localhost's password: 
Could not chdir to home directory /home/admin: No such file or directory

-bash-4.1$ id
uid=799400000(admin) gid=799400000(admins) groups=799400000(admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-bash-4.1$ whoami
admin

-bash-4.1$ exit
logout
Connection to localhost closed.

[root@rhel6-1 ~]#

Comment 17 errata-xmlrpc 2013-02-21 09:30:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Note You need to log in before you can comment on or make changes to this bug.