RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 980409 - Create a trust to an AD 2012 domain not works, backport ticket 3231
Summary: Create a trust to an AD 2012 domain not works, backport ticket 3231
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: x86_64
OS: Unspecified
medium
high
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-02 09:59 UTC by pgustafs
Modified: 2018-12-03 19:14 UTC (History)
6 users (show)

Fixed In Version: ipa-3.0.0-33.el6
Doc Type: Bug Fix
Doc Text:
Cause: Identity Management Active Directory integration did not expect different procedure that Microsoft Active Directory users to populate KERB_VALIDATION_INFO section of MS-PAC extension for Kerberos ticket. Consequence: Such Kerberos tickets were not accepted causing an incompatibility between IdM and Microsoft Windows Server 2012. Fix: KERB_VALIDATION_INFO verification was refactored to ensure it filters out the unexpected values before further processing. Result: IdM Active Directory Trust creation no longer fails with Microsoft Windows Server 2012.
Clone Of:
Environment:
Last Closed: 2013-11-21 20:54:04 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1651 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2013-11-21 00:39:40 UTC

Description pgustafs 2013-07-02 09:59:56 UTC 
Description of problem:
Can't login to RHEL ipa-client machine using an AD account after setting up an trust against an 2012 Active Directory domain controller.  



Version-Release number of selected component (if applicable):
rpm -qa | grep ipa
ipa-server-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64


How reproducible:
Always


Steps to Reproduce:
1. Create a trust to an AD 2012 domain
2. Login to an ipa-client machine using an AD account

Actual results:
# ssh -l admpetgus ipa-server.example.com
admpetgus@ipa-server.example.com's password: 
Permission denied, please try again.

And in /var/log/secure on the ipa-client machine:
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): system info: [KDC returned error string: HANDLE_AUTHDATA]
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.65 user=admpetgus
Jul  2 11:14:59 ipa-server sshd[7785]: pam_sss(sshd:auth): received for user admpetgus: 4 (System error)

kvno host/$(hostname)@NIX.EXAMPLE.COM
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/ipa-server.nix.example.com.COM

# 

Expected results:
ssh login should work.

Additional info:
Backport trac ticket is https://fedorahosted.org/freeipa/ticket/3289 to ipa 3.0 so an trust against an AD 2012 works.

Br, Peter Gustafsson
Comment 2 Alexander Bokovoy 2013-07-03 11:03:52 UTC 
The ticket 3289 is not really relevant here alone. What is relevant is its predecessor which actually adds support for Windows Server 2012.
Comment 3 Sumit Bose 2013-07-03 14:56:03 UTC 
(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

yes, I gave them a test-build with the patch from https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6 build and got the feedback that now everything is working as expected. I really think it is worth adding this patch in 6.5.
Comment 4 pgustafs 2013-07-03 15:04:08 UTC 
(In reply to Sumit Bose from comment #3)
> (In reply to Alexander Bokovoy from comment #2)
> > The ticket 3289 is not really relevant here alone. What is relevant is its
> > predecessor which actually adds support for Windows Server 2012.
> 
> yes, I gave them a test-build with the patch from
> https://fedorahosted.org/freeipa/ticket/3231 on top of the latest RHEL6
> build and got the feedback that now everything is working as expected. I
> really think it is worth adding this patch in 6.5.

(In reply to Alexander Bokovoy from comment #2)
> The ticket 3289 is not really relevant here alone. What is relevant is its
> predecessor which actually adds support for Windows Server 2012.

Yes with the test-build from Sumit everything is working as expected. Since Windows Server 2012 is becoming common nowadays i also really think it is worth adding this patch in 6.5.
Comment 5 Alexander Bokovoy 2013-07-03 15:11:58 UTC 
The full scope of changes to support Windows Server 2012 in IdM is tracked in the bug 910453 for RHEL 7. However, the patch from FreeIPA upstream ticket  https://fedorahosted.org/freeipa/ticket/3231 represents a minimal support with hard-coded configuration that is enough to support default Windows Server 2012 installs.

So I'd suggest to include it into 6.5, given that engineering work is already performed as part of upstream activities and initial testing at a customer's environment gave positive result.
Comment 6 Rob Crittenden 2013-07-08 15:50:00 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3768
Comment 8 Martin Kosek 2013-07-17 08:03:46 UTC 
This Bugzilla is solved by ticket 3231 (see Comment 3), not 3289. Updating Bugzilla title.

I will move this to POST, as upstream bug is fixed:

master: 32916d444b038e6d68348b62481a4e2871438568
Comment 12 Martin Kosek 2013-08-05 07:27:52 UTC 
Fixed one coverity issue, added 2 stabilization patches related to AD2012 backported code.
Comment 13 Martin Kosek 2013-08-06 12:03:43 UTC 
One more coverity fix -> ipa-3.0.0-33.el6.
Comment 17 Steeve Goveas 2013-09-24 10:09:08 UTC 
[root@dhcp207-85 ~]# nmap -A ad12srv1.adtest.qe
....
Host script results:
|_nbstat: NetBIOS name: AD12SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 52:54:00:a8:2d:d6 (QEMU Virtual NIC)
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-os-discovery: 
|   OS: Windows Server 2012 Standard 9200 (Windows Server 2012 Standard 6.2)
|   Name: ADTEST\AD12SRV1
|_  System time: 2013-09-23 19:50:32 UTC+5.5


[root@dhcp207-85 ~]# ipa trust-add --type=ad adtest.qe --admin Administrator --password
Active directory domain administrator's password: 
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-85 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1811200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-85 ~]# getent passwd user1
user1:*:1148401110:1148401110::/home/adtest.qe/user1:

[root@dhcp207-85 ~]# ssh -l user1 dhcp207-85.testrelm.com
user1@dhcp207-85.testrelm.com's password: 
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.

On IPA Client

[root@dhcp207-25 ~]# ipa-client-install --domain testrelm.com
Discovery was successful!
Hostname: dhcp207-25.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: dhcp207-85.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://dhcp207-85.testrelm.com/ipa/xml
Forwarding 'env' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
Hostname (dhcp207-25.testrelm.com) not found in DNS
DNS server record set to: dhcp207-25.testrelm.com -> 10.65.207.25
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dhcp207-85.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@dhcp207-25 ~]# getent passwd user1
user1:*:1148401110:1148401110::/home/adtest.qe/user1:

[root@dhcp207-25 ~]# ssh -l user1 dhcp207-85.testrelm.com
user1@dhcp207-85.testrelm.com's password: 
Last login: Mon Sep 23 19:59:19 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.

Without Password

[root@dhcp207-25 ~]# vim /etc/krb5.conf

[root@dhcp207-25 ~]# grep auth_to_local /etc/krb5.conf
  auth_to_local = RULE:[1:$1@$0](^.*@ADTEST.QE$)s/@ADTEST.QE/@adtest.qe/
  auth_to_local = DEFAULT

[root@dhcp207-25 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

[root@dhcp207-25 ~]# kinit user1
Password for user1: 

[root@dhcp207-25 ~]# ssh -K -l user1 dhcp207-85.testrelm.com
Last login: Tue Sep 24 15:33:38 2013 from dhcp207-85.testrelm.com
Could not chdir to home directory /home/adtest.qe/user1: No such file or directory
-sh-4.1$ logout
Connection to dhcp207-85.testrelm.com closed.
Comment 18 Steeve Goveas 2013-09-24 10:10:39 UTC 
Verified

[root@dhcp207-85 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.5 Beta (Santiago)

[root@dhcp207-85 ~]# rpm -q ipa-server
ipa-server-3.0.0-35.el6.x86_64
Comment 20 errata-xmlrpc 2013-11-21 20:54:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html
Note You need to log in before you can comment on or make changes to this bug.