Bug 980409 - Create a trust to an AD 2012 domain not works, backport ticket 3231
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Docs Contact:
Depends On:
Blocks:
Reported: 2013-07-02 05:59 EDT by pgustafs
Modified: 2013-11-21 15:54 EST (History)

See Also:
Fixed In Version: ipa-3.0.0-33.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management Active Directory integration did not expect the different procedure that Microsoft Active Directory uses to populate the KERB_VALIDATION_INFO section of the MS-PAC extension in Kerberos tickets. Consequence: Such Kerberos tickets were not accepted, causing an incompatibility between IdM and Microsoft Windows Server 2012. Fix: KERB_VALIDATION_INFO verification was refactored to ensure it filters out the unexpected values before further processing. Result: IdM Active Directory trust creation no longer fails with Microsoft Windows Server 2012.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 15:54:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description pgustafs 2013-07-02 05:59:56 EDT
Description of problem:
Can't log in to a RHEL ipa-client machine using an AD account after setting up a trust against a 2012 Active Directory domain controller.



Version-Release number of selected component (if applicable):
rpm -qa | grep ipa
ipa-server-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64


How reproducible:
Always


Steps to Reproduce:
1. Create a trust to an AD 2012 domain
2. Login to an ipa-client machine using an AD account

Actual results:
# ssh -l admpetgus@EXAMPLE.COM ipa-server.example.com
admpetgus@EXAMPLE.COM@ipa-server.example.com's password: 
Permission denied, please try again.

And in /var/log/secure on the ipa-client machine:
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): system info: [KDC returned error string: HANDLE_AUTHDATA]
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.65 user=admpetgus@CYDMODULE.COM
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): received for user admpetgus@EXAMPLE.COM: 4 (System error)

kvno host/$(hostname)@NIX.EXAMPLE.COM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/ipa-server.nix.example.com@NIX.EXAMPLE.COM

# 

Expected results:
ssh login should work.

Additional info:
Backport trac ticket https://fedorahosted.org/freeipa/ticket/3289 to ipa 3.0 so that a trust against an AD 2012 domain works.

Br, Peter Gustafsson
Comment 2 Alexander Bokovoy 2013-07-03 07:03:52 EDT
The ticket 3289 is not really relevant here alone. What is relevant is its predecessor which actually adds support for Windows Server 2012.
Comment 3 Sumit Bose 2013-07-03 10:56:03 EDT
(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

Yes, I gave them a test-build with the patch from https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6 build and got the feedback that now everything is working as expected. I really think it is worth adding this patch in 6.5.
Comment 4 pgustafs 2013-07-03 11:04:08 EDT
(In reply to Sumit Bose from comment #3)
> (In reply to Alexander Bokovoy from comment #2)
> > The ticket 3289 is not really relevant here alone. What is relevant is its
> > predecessor which actually adds support for Windows Server 2012.
> 
> yes, I gave them a test-build with the patch from
> https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6
> build and got the feedback that now everything is working as expected. I
> really think it is worth adding this patch in 6.5.

(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

Yes, with the test-build from Sumit everything is working as expected. Since Windows Server 2012 is becoming common nowadays, I also really think it is worth adding this patch in 6.5.
Comment 5 Alexander Bokovoy 2013-07-03 11:11:58 EDT
The full scope of changes to support Windows Server 2012 in IdM is tracked in bug 910453 for RHEL 7. However, the patch from FreeIPA upstream ticket https://fedorahosted.org/freeipa/ticket/3231 represents minimal support with hard-coded configuration that is enough to support default Windows Server 2012 installs.

So I'd suggest including it in 6.5, given that the engineering work has already been performed as part of upstream activities and initial testing in a customer's environment gave a positive result.
Comment 6 Rob Crittenden 2013-07-08 11:50:00 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3768
Comment 8 Martin Kosek 2013-07-17 04:03:46 EDT
This Bugzilla is solved by ticket 3231 (see Comment 3), not 3289. Updating Bugzilla title.

I will move this to POST, as the upstream bug is fixed:

master: 32916d444b038e6d68348b62481a4e2871438568
Comment 12 Martin Kosek 2013-08-05 03:27:52 EDT
Fixed one Coverity issue, added 2 stabilization patches related to the AD2012 backported code.
Comment 13 Martin Kosek 2013-08-06 08:03:43 EDT
One more coverity fix -> ipa-3.0.0-33.el6.
Comment 17 Steeve Goveas 2013-09-24 06:09:08 EDT
[root@dhcp207-85 ~]# nmap -A ad12srv1.adtest.qe
....
Host script results:
|_nbstat: NetBIOS name: AD12SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 52:54:00:a8:2d:d6 (QEMU Virtual NIC)
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-os-discovery: 
|   OS: Windows Server 2012 Standard 9200 (Windows Server 2012 Standard 6.2)
|   Name: ADTEST\AD12SRV1
|_  System time: 2013-09-23 19:50:32 UTC+5.5


[root@dhcp207-85 ~]# ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password: 
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-85 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1811200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-85 ~]# getent passwd user1@adtest.qe
user1@adtest.qe:*:1148401110:1148401110::/home/adtest.qe/user1:

[root@dhcp207-85 ~]# ssh -l user1@adtest.qe dhcp207-85.testrelm.com
user1@adtest.qe@dhcp207-85.testrelm.com's password: 
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.

On IPA Client

[root@dhcp207-25 ~]# ipa-client-install --domain testrelm.com
Discovery was successful!
Hostname: dhcp207-25.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dhcp207-85.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@TESTRELM.COM: 
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dhcp207-85.testrelm.com/ipa/xml
Forwarding 'env' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
Hostname (dhcp207-25.testrelm.com) not found in DNS
DNS server record set to: dhcp207-25.testrelm.com -> 10.65.207.25
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@dhcp207-25 ~]# getent passwd user1@adtest.qe
user1@adtest.qe:*:1148401110:1148401110::/home/adtest.qe/user1:

[root@dhcp207-25 ~]# ssh -l user1@adtest.qe dhcp207-85.testrelm.com
user1@adtest.qe@dhcp207-85.testrelm.com's password: 
Last login: Mon Sep 23 19:59:19 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.

Without Password

[root@dhcp207-25 ~]# vim /etc/krb5.conf

[root@dhcp207-25 ~]# grep auth_to_local /etc/krb5.conf
  auth_to_local = RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/
  auth_to_local = DEFAULT

[root@dhcp207-25 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

[root@dhcp207-25 ~]# kinit user1@ADTEST.QE
Password for user1@ADTEST.QE: 

[root@dhcp207-25 ~]# ssh -K -l user1@adtest.qe dhcp207-85.testrelm.com
Last login: Tue Sep 24 15:33:38 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
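As an added illustration of what the auth_to_local rules in the verification log above do (this is not code from the bug report or from IPA): a small Python interpreter for the RULE and DEFAULT forms shown in /etc/krb5.conf, applied to the principals from this log. The rule semantics are assumed from the MIT krb5 documentation, and TESTRELM.COM is taken from the log as the local realm.

```python
import re

# Assumed semantics of the two auth_to_local forms used in the log (MIT krb5):
#   RULE:[n:string](regexp)s/pattern/replacement/[g]
#     - the principal must have exactly n components;
#     - "string" is expanded with $0 = realm and $1..$n = components;
#     - the rule only applies if regexp matches the whole expanded string;
#     - the s/// substitution is then applied and the result is the local name.
#   DEFAULT
#     - a single-component principal in the local realm maps to that component.
RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$'
)


def apply_auth_to_local(principal, rules, local_realm):
    """Return the local user name for `principal`, or None if no rule applies."""
    name, sep, realm = principal.rpartition('@')
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    components = name.split('/')
    for rule in rules:
        if rule == 'DEFAULT':
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unparseable auth_to_local rule: %r" % rule)
        ncomp, fmt, regexp, pattern, repl, gflag = m.groups()
        if len(components) != int(ncomp):
            continue  # rule is for principals with a different component count
        built = fmt.replace('$0', realm)
        # Expand $n..$1 in descending order so that $1 never clobbers $10.
        for i in range(len(components), 0, -1):
            built = built.replace('$%d' % i, components[i - 1])
        if regexp and not re.fullmatch(regexp, built):
            continue  # selection string does not match; try the next rule
        if pattern:
            built = re.sub(pattern, repl, built, count=0 if gflag else 1)
        return built
    return None


# The two rules from the krb5.conf in the log, in the order they appear.
LOG_RULES = [
    'RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/',
    'DEFAULT',
]

if __name__ == '__main__':
    for p in ('user1@ADTEST.QE', 'admin@TESTRELM.COM'):
        print(p, '->', apply_auth_to_local(p, LOG_RULES, 'TESTRELM.COM'))
```

The first rule is what lets the uppercase-realm Kerberos principal user1@ADTEST.QE match the lowercase user1@adtest.qe that getent passwd returns, so the GSSAPI login with `ssh -K` succeeds without a password.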
Comment 18 Steeve Goveas 2013-09-24 06:10:39 EDT
Verified

[root@dhcp207-85 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.5 Beta (Santiago)

[root@dhcp207-85 ~]# rpm -q ipa-server
ipa-server-3.0.0-35.el6.x86_64
Comment 20 errata-xmlrpc 2013-11-21 15:54:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html
