Bug 983237 – add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 983237 - add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install

Summary:	add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-07-10 15:14 EDT by Najmuddin Chirammal
Modified:	2014-06-18 03:09 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	ipa-adtrust-install, an Identity Management Active Directory Trust configuration tool, does not explicitly specify authentication mechanism when performing Active Directory Trust configuration changes. When the user specifis the default LDAP authentication mechanism other than the expected default (for example by setting the SASL_MECH configuration option to GSSAPI in LDAP configuration file for root user, .ldaprc), ipa-adtrust-install will not use the expected authentication mechanism and will fail to configure some of the parts of the Active Directory Integration feature, a crash of samba daemon (smbd) can occur or the user will be unable to use the feature. To work around this problem, remove any user default settings related to LDAP authentication mechanism from the .ldaprc file. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-09-03 07:32:42 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Najmuddin Chirammal 2013-07-10 15:14:17 EDT

Description of problem: samba crashes if ipaNTSecurityIdentifier is not present on the "default smb group", the issue occurs if we do not specify --add-sids option during ipa-adtrust-install.


Version-Release number of selected component (if applicable): ipa-server-3.0.0-26.el6_4.4 


How reproducible: Always.


Steps to Reproduce:
1. Install IPA server,
2. Run ipa-adtrust-install (without --add-sids option)
3. Once it's completed, try using wbinfo/smbclient commands, watch the logs.

Actual results: smbd crashes due to missing ipaNTSecurityIdentifier attribute on the default smb group.

Expected results: No samba crashes, wbinfo and smbclient returns proper results.

Comment 2 Rob Crittenden 2013-07-11 09:25:38 EDT

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3776

Comment 9 Martin Kosek 2013-09-03 07:31:12 EDT

This issue was caused by a configuration issue, adding a Known Issue doc paragraph.

Comment 10 Martin Kosek 2013-09-03 07:32:42 EDT

Closing the bug for 6.5, it will be only documented (and fixed upstream - https://fedorahosted.org/freeipa/ticket/3895).

Comment 11 Martin Kosek 2013-09-03 11:20:00 EDT

Fixed typo in doc text.

Note You need to log in before you can comment on or make changes to this bug.