https://bugzilla.redhat.com/show_bug.cgi?id=878288 (Red Hat Enterprise Linux 6)
Description of problem: Trying to add a trust to IPA results in failure for latest RHEL6.4 tests. [root@rhel6-1 samba]# echo $ADMINPW|ipa trust-add $ADDOMAIN --admin Administrator --password ipa: ERROR: Insufficient access: CIFS server denied your credentials Version-Release number of selected component (if applicable): ipa-server-3.0.0-8.el6.x86_64 krb5-server-1.10.3-6.el6.x86_64 samba4-4.0.0-46.el6.rc4.x86_64 How reproducible: Always Steps to Reproduce: 1. Install IPA Server 2. Install AD Server 3. ipa-adtrust-install 4. ipa trust-add <ad-domain> --admin Administrator --password Actual results: Fails like above Expected results: Sets up Trust to AD. Additional info: [root@rhel6-1 ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD \ > --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW \ > --ip-address=$ipaddr -P $ADMINPW -a $ADMINPW -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Warning: skipping DNS resolution of host rhel6-1.testrelm.com Warning: hostname rhel6-1.testrelm.com does not match system hostname rhel6-1.example.com. System hostname will be updated during the installation process to prevent service failures. Adding [192.168.122.61 rhel6-1.testrelm.com] to your /etc/hosts file Using reverse zone 122.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: rhel6-1.testrelm.com IP address: 192.168.122.61 Domain name: testrelm.com Realm name: TESTRELM.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Reverse zone: 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: creating pki-ca instance [3/21]: configuring certificate server instance [4/21]: disabling nonces [5/21]: creating CA agent PKCS#12 file in /root [6/21]: creating RA agent certificate database [7/21]: importing CA chain to RA certificate database [8/21]: fixing RA database permissions [9/21]: setting up signing cert profile [10/21]: set up CRL publishing [11/21]: set certificate subject base [12/21]: enabling Subject Key Identifier [13/21]: setting audit signing renewal to 2 years [14/21]: configuring certificate server to start on boot [15/21]: restarting certificate server [16/21]: requesting RA certificate from CA [17/21]: issuing RA agent certificate [18/21]: adding RA agent as a trusted user [19/21]: configure certificate renewals [20/21]: configure Server-Cert certificate renewal [21/21]: Configure HTTP to proxy connections Done configuring certificate server (pki-cad). Configuring directory server (dirsrv): Estimated time 1 minute [1/37]: creating directory server user [2/37]: creating directory server instance [3/37]: adding default schema [4/37]: enabling memberof plugin [5/37]: enabling winsync plugin [6/37]: configuring replication version plugin [7/37]: enabling IPA enrollment plugin [8/37]: enabling ldapi [9/37]: disabling betxn plugins [10/37]: configuring uniqueness plugin [11/37]: configuring uuid plugin [12/37]: configuring modrdn plugin [13/37]: enabling entryUSN plugin [14/37]: configuring lockout plugin [15/37]: creating indices [16/37]: enabling referential integrity plugin [17/37]: configuring ssl for ds instance [18/37]: configuring certmap.conf [19/37]: configure autobind for root [20/37]: configure new location for managed entries [21/37]: restarting directory server [22/37]: adding default layout [23/37]: adding delegation layout [24/37]: adding replication acis [25/37]: creating container for managed entries [26/37]: configuring user private groups [27/37]: configuring netgroups from hostgroups [28/37]: creating default Sudo bind user [29/37]: creating default Auto Member layout [30/37]: adding range check plugin [31/37]: creating default HBAC rule allow_all [32/37]: initializing group membership [33/37]: adding master entry [34/37]: configuring Posix uid/gid generation [35/37]: enabling compatibility plugin [36/37]: tuning directory server [37/37]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/14]: disabling mod_ssl in httpd [2/14]: setting mod_nss port to 443 [3/14]: setting mod_nss password file [4/14]: enabling mod_nss renegotiate [5/14]: adding URL rewriting rules [6/14]: configuring httpd [7/14]: setting up ssl [8/14]: setting up browser autoconfig [9/14]: publish CA cert [10/14]: creating a keytab for httpd [11/14]: clean up any existing httpd ccache [12/14]: configuring SELinux for httpd [13/14]: restarting httpd [14/14]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password [root@rhel6-1 ~]# chkconfig iptables off [root@rhel6-1 ~]# service iptables stop iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] [root@rhel6-1 ~]# chkconfig ip6tables off [root@rhel6-1 ~]# service ip6tables stop ip6tables: Flushing firewall rules: [ OK ] ip6tables: Setting chains to policy ACCEPT: filter [ OK ] ip6tables: Unloading modules: [ OK ] [root@rhel6-1 ~]# ipa-adtrust-install --netbios-name=$(echo $RELM|cut -f1 -d.) \ > -a $ADMINPW -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the FreeIPA Server. This includes: * Configure Samba * Add trust related objects to FreeIPA LDAP server To accept the default shown in brackets, press the Enter key. Configuring CIFS [1/18]: stopping smbd [2/18]: creating samba domain object [3/18]: creating samba config registry [4/18]: writing samba config file [5/18]: adding cifs Kerberos principal [6/18]: adding cifs principal to S4U2Proxy targets [7/18]: adding admin(group) SIDs [8/18]: adding RID bases [9/18]: updating Kerberos config 'dns_lookup_kdc' already set to 'true', nothing to do. [10/18]: activating CLDAP plugin [11/18]: activating sidgen plugin and task [12/18]: activating extdom plugin [13/18]: configuring smbd to start on boot [14/18]: adding special DNS service records [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account [16/18]: adding fallback group [17/18]: setting SELinux booleans [18/18]: starting CIFS services Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds Additionally you have to make sure the FreeIPA LDAP server is not reachable by any domain controller in the Active Directory domain by closing down the following ports for these servers: TCP Ports: * 389, 636: LDAP/LDAPS You may want to choose to REJECT the network packets instead of DROPing them to avoid timeouts on the AD domain controllers. ============================================================================= [root@rhel6-1 ~]# echo $ADMINPW|kinit admin Password for admin@TESTRELM.COM: [root@rhel6-1 ~]# ipa dnszone-add $ADDOMAIN --name-server=$ADSERVER \ > --admin-email="hostmaster@$ADDOMAIN" --force \ > --forwarder=$ADSERVERIP --forward-policy=only Zone name: adtestdom.com Authoritative nameserver: w2k8r2-1.adtestdom.com Administrator e-mail address: hostmaster.adtestdom.com. SOA serial: 1353379281 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant TESTRELM.COM krb5-self * A; grant TESTRELM.COM krb5-self * AAAA; grant TESTRELM.COM krb5-self * SSHFP; Active zone: TRUE Dynamic update: FALSE Allow query: any; Allow transfer: none; Zone forwarders: 192.168.122.21 Forward policy: only [root@rhel6-1 ~]# ipa trust-add $ADDOMAIN --admin Administrator --password Active directory domain administrator's password: ipa: ERROR: Insufficient access: CIFS server denied your credentials [root@rhel6-1 ~]# chkconfig iptables off [root@rhel6-1 ~]# service iptables stop [root@rhel6-1 ~]# chkconfig ip6tables off [root@rhel6-1 ~]# service ip6tables stop [root@rhel6-1 ~]# ipa trust-add $ADDOMAIN --admin Administrator --password Active directory domain administrator's password: ipa: ERROR: Insufficient access: CIFS server denied your credentials FROM /var/log/samba/log.192.168.122.61: [2012/11/19 22:21:57.954944, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username TESTRELM\admin is invalid on this system [2012/11/19 22:21:57.955029, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2012/11/19 22:21:57.955098, 1] ../source3/smbd/sesssetup.c:275(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED [2012/11/19 22:21:58.021609, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username TESTRELM\admin is invalid on this system [2012/11/19 22:21:58.021692, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2012/11/19 22:21:58.021761, 1] ../source3/smbd/sesssetup.c:275(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED FROM /var/log/krb5kdc.log: Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18 tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com@TESTRELM.COM for ldap/rhel6-1.testrelm.com@TESTRELM.COM Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.COM Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10 Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18 tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com@TESTRELM.COM for cifs/rhel6-1.testrelm.com@TESTRELM.COM Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.COM Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10 Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: ISSUE: authtime 1353379276, etypes {rep=18 tkt=18 ses=18}, HTTP/rhel6-1.testrelm.com@TESTRELM.COM for cifs/rhel6-1.testrelm.com@TESTRELM.COM Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): ... CONSTRAINED-DELEGATION s4u-client=admin@TESTRELM.COM Nov 19 22:21:57 rhel6-1.testrelm.com krb5kdc[25444](info): closing down fd 10
The fix is to restart SSSD in ipa-client-install.
master: a45125f
ipa-3-0: 3ea6c53
Restart sssd after authconfig update
Recent versions of authconfig do not restart sssd if only the --enablesssd and --enablesssdauth options are used. To make sure sssd is running after ipa-server-install is run this patch add an unconditional restart of sssd after authconfig is run during the installation.
Since there already is some logic trying to determine if sssd needs to be restarted or stopped if freeipa in uninstalled no changes are needed here.
Rename "trusts" component to "Trusts" to achieve correct sorting.
Metadata Update from @rcritten: - Issue assigned to sbose - Issue set to the milestone: FreeIPA 3.0.2
Login to comment on this ticket.