freeipa

Clone
Source Code
GIT

#3267 ipa trust-add fails with ERROR: Insufficient access: CIFS server denied your credentials
Closed: Fixed None Opened 11 years ago by rcritten.

Closed: Fixed
Reopen Issue

https://bugzilla.redhat.com/show_bug.cgi?id=878288 (Red Hat Enterprise Linux 6)

Description of problem:

Trying to add a trust to IPA results in failure for latest RHEL6.4 tests.

[root@rhel6-1 samba]# echo $ADMINPW|ipa trust-add $ADDOMAIN --admin
Administrator --password
ipa: ERROR: Insufficient access: CIFS server denied your credentials


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64
krb5-server-1.10.3-6.el6.x86_64
samba4-4.0.0-46.el6.rc4.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Install IPA Server
2. Install AD Server
3. ipa-adtrust-install
4. ipa trust-add <ad-domain> --admin Administrator --password

Actual results:
Fails like above

Expected results:
Sets up Trust to AD.

Additional info:

[root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD \
>   --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW \
>   --ip-address=$ipaddr -P $ADMINPW -a $ADMINPW -U

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host rhel6-1.testrelm.com

Warning: hostname rhel6-1.testrelm.com does not match system hostname
rhel6-1.example.com.
System hostname will be updated during the installation process
to prevent service failures.

Adding [192.168.122.61 rhel6-1.testrelm.com] to your /etc/hosts file
Using reverse zone 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      rhel6-1.testrelm.com
IP address:    192.168.122.61
Domain name:   testrelm.com
Realm name:    TESTRELM.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone:  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/37]: creating directory server user
  [2/37]: creating directory server instance
  [3/37]: adding default schema
  [4/37]: enabling memberof plugin
  [5/37]: enabling winsync plugin
  [6/37]: configuring replication version plugin
  [7/37]: enabling IPA enrollment plugin
  [8/37]: enabling ldapi
  [9/37]: disabling betxn plugins
  [10/37]: configuring uniqueness plugin
  [11/37]: configuring uuid plugin
  [12/37]: configuring modrdn plugin
  [13/37]: enabling entryUSN plugin
  [14/37]: configuring lockout plugin
  [15/37]: creating indices
  [16/37]: enabling referential integrity plugin
  [17/37]: configuring ssl for ds instance
  [18/37]: configuring certmap.conf
  [19/37]: configure autobind for root
  [20/37]: configure new location for managed entries
  [21/37]: restarting directory server
  [22/37]: adding default layout
  [23/37]: adding delegation layout
  [24/37]: adding replication acis
  [25/37]: creating container for managed entries
  [26/37]: configuring user private groups
  [27/37]: configuring netgroups from hostgroups
  [28/37]: creating default Sudo bind user
  [29/37]: creating default Auto Member layout
  [30/37]: adding range check plugin
  [31/37]: creating default HBAC rule allow_all
  [32/37]: initializing group membership
  [33/37]: adding master entry
  [34/37]: configuring Posix uid/gid generation
  [35/37]: enabling compatibility plugin
  [36/37]: tuning directory server
  [37/37]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: disabling mod_ssl in httpd
  [2/14]: setting mod_nss port to 443
  [3/14]: setting mod_nss password file
  [4/14]: enabling mod_nss renegotiate
  [5/14]: adding URL rewriting rules
  [6/14]: configuring httpd
  [7/14]: setting up ssl
  [8/14]: setting up browser autoconfig
  [9/14]: publish CA cert
  [10/14]: creating a keytab for httpd
  [11/14]: clean up any existing httpd ccache
  [12/14]: configuring SELinux for httpd
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit
admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

[root@rhel6-1 ~]# chkconfig iptables off

[root@rhel6-1 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@rhel6-1 ~]# chkconfig ip6tables off

[root@rhel6-1 ~]# service ip6tables stop
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]

[root@rhel6-1 ~]# ipa-adtrust-install --netbios-name=$(echo $RELM|cut -f1 -d.)
\
>   -a $ADMINPW -U

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes
into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
        TCP Ports:
          * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================


[root@rhel6-1 ~]# echo $ADMINPW|kinit admin
Password for admin@TESTRELM.COM:

[root@rhel6-1 ~]# ipa dnszone-add $ADDOMAIN --name-server=$ADSERVER \
>   --admin-email="hostmaster@$ADDOMAIN" --force  \
>   --forwarder=$ADSERVERIP --forward-policy=only
  Zone name: adtestdom.com
  Authoritative nameserver: w2k8r2-1.adtestdom.com
  Administrator e-mail address: hostmaster.adtestdom.com.
  SOA serial: 1353379281
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM
krb5-self * AAAA; grant
                      TESTRELM.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 192.168.122.21
  Forward policy: only

[root@rhel6-1 ~]# ipa trust-add $ADDOMAIN --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials

[root@rhel6-1 ~]# chkconfig iptables off

[root@rhel6-1 ~]# service iptables stop

[root@rhel6-1 ~]# chkconfig ip6tables off

[root@rhel6-1 ~]# service ip6tables stop

[root@rhel6-1 ~]# ipa trust-add $ADDOMAIN --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials

FROM /var/log/samba/log.192.168.122.61:

[2012/11/19 22:21:57.954944,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username TESTRELM\admin is invalid on this system
[2012/11/19 22:21:57.955029,  1]
../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2012/11/19 22:21:57.955098,  1]
../source3/smbd/sesssetup.c:275(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED
[2012/11/19 22:21:58.021609,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username TESTRELM\admin is invalid on this system
[2012/11/19 22:21:58.021692,  1]
../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2012/11/19 22:21:58.021761,  1]
../source3/smbd/sesssetup.c:275(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED

FROM /var/log/krb5kdc.log:

Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18
tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com@TESTRELM.COM for
ldap/rhel6-1.testrelm.com@TESTRELM.COM
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ...
CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.COM
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18
tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com@TESTRELM.COM for
cifs/rhel6-1.testrelm.com@TESTRELM.COM
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ...
CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.COM
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18
tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com@TESTRELM.COM for
cifs/rhel6-1.testrelm.com@TESTRELM.COM
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ...
CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.COM
Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10

The fix is to restart SSSD in ipa-client-install.

master: a45125f

ipa-3-0: 3ea6c53

Restart sssd after authconfig update

Recent versions of authconfig do not restart sssd if only the --enablesssd and --enablesssdauth options are used. To make sure sssd is running after ipa-server-install is run this patch add an unconditional restart of sssd after authconfig is run during the installation.

Since there already is some logic trying to determine if sssd needs to be restarted or stopped if freeipa in uninstalled no changes are needed here.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @rcritten:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.0.2
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
defect
None
None
Trusts
None
1
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=878288
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.