Header Shadow Image


Fixing a broken AD trust on a FreeIPA replica in a Master-Master configuration. 

Fixing a broken AD trust on a FreeIPA replica in a Master-Master configuration. 

Investigation:

./cipa –debug -d sub.domain.com -W "<PASSWORD>"

| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+——————–+————+————+——-+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 91         | 91         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | False      | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+——————–+————+————+——-+
2021-01-29 11:22:33 [main] DEBUG Finishing…

 

A symptom of this issue is the inability to lookup AD users:

# id sam@domain.com
id: sam@domain.com: no such user

Investigating further:

ipa server-role-find –role "AD trust controller" –status "absent"
———————
1 server role matched
———————
  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
—————————-
Number of entries returned 1
—————————-

 

ipa server-role-find –server idmipa04.sub.domain.com
———————-
6 server roles matched
———————-
  Server name: idmipa04.sub.domain.com
  Role name: CA server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: DNS server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: NTP server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: AD trust agent
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: KRA server
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
—————————-
Number of entries returned 6
—————————-

 

cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

 

Error message on idmipa04 when fetching domains.

IPA Error 4001: NotFound

Cannot perform the selected command without Samba 4 instance configured on this machine. Make sure you have run ipa-adtrust-install on this server. Alternatively, following servers are capable of running this command: idmipa03.sub.domain.com

On a working node, the Samba configuration looks like this:

# cat /etc/samba/smb.conf
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry

Resolution.  Take a snapshot of the VM prior to doing anything.  Next, run the following:

# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: y


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
Samba domain object already exists
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [12/25]: adding RID bases
RID bases already set, nothing to do
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [20/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [21/25]: adding fallback group
Fallback group already set, nothing to do
  [22/25]: adding Default Trust View
Default Trust View already exists.
  [23/25]: setting SELinux booleans
  [24/25]: starting CIFS services
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

Restart Free IPA services (optional):

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Verify once more:

# ./cipa -d sub.domain.com -W "<PASS>"
+——————–+————+————+——-+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+——————–+————+————+——-+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+——————–+————+————+——-+

Checking on an AD ID now works:

# id sam@domain.com

Regards,


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License