Fixing a broken AD trust on a FreeIPA replica in a Master-Master configuration. 

Investigation:

./cipa --debug -d sub.domain.com -W "<PASSWORD>"

+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa03   | idmipa04   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 91         | 91         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | False      | FAIL  |
| Replication Status | idmipa04 0 | idmipa03 0 | OK    |
+--------------------+------------+------------+-------+
2021-01-29 11:22:33 [main] DEBUG Finishing…


A symptom of this issue is that AD users can no longer be looked up on the affected replica:

# id sam@domain.com
id: sam@domain.com: no such user

Investigating further:

ipa server-role-find --role "AD trust controller" --status "absent"
---------------------
1 server role matched
---------------------
  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
----------------------------
Number of entries returned 1
----------------------------


ipa server-role-find --server idmipa04.sub.domain.com
----------------------
6 server roles matched
----------------------
  Server name: idmipa04.sub.domain.com
  Role name: CA server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: DNS server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: NTP server
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: AD trust agent
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: KRA server
  Role status: absent

  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent
----------------------------
Number of entries returned 6
----------------------------


On idmipa04, the Samba configuration is still the stock package default rather than the one written by the IPA installer:

# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775


Error message on idmipa04 when trying to fetch domains for the trust:

IPA Error 4001: NotFound

Cannot perform the selected command without Samba 4 instance configured on this machine. Make sure you have run ipa-adtrust-install on this server. Alternatively, following servers are capable of running this command: idmipa03.sub.domain.com

On a working node, the Samba configuration looks like this:

# cat /etc/samba/smb.conf
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry
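The investigation above comes down to two checks per replica: is the "AD trust controller" role present, and is smb.conf the registry-backed file that the IPA installer writes rather than the stock Samba one. The following script (an added example, not from the original post) turns those two checks into a test that can be run before and after the fix; the role listing is a constructed sample in the format of the ipa server-role-find output above, and on a live server it would come from running that command.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that turns the
# two symptoms above (role absent, stock smb.conf) into a scripted test.
# On a live server the role listing would come from running
#   ipa server-role-find --role "AD trust controller"
# Here it is a constructed sample in the same format.

# Read role-find output on stdin; print each server whose status is not "enabled".
absent_trust_controllers() {
    awk '
        /^ *Server name:/ { sub(/^ *Server name: */, ""); server = $0 }
        /^ *Role status:/ { sub(/^ *Role status: */, ""); if ($0 != "enabled") print server }
    '
}

# Return 0 when the given smb.conf is the one ipa-adtrust-install writes
# (Samba reads its real config from the registry), 1 for the stock package file.
smb_conf_is_ipa_managed() {
    grep -q '^[[:space:]]*config backend[[:space:]]*=[[:space:]]*registry[[:space:]]*$' "$1"
}

# Combine both checks for one replica: 0 if it can serve the trust, 1 otherwise.
# Arguments: server name, path to its smb.conf, role-find output as a string.
check_replica() {
    server=$1; smb=$2; roles=$3
    if printf '%s\n' "$roles" | absent_trust_controllers | grep -qx "$server"; then
        echo "$server: AD trust controller role absent; run ipa-adtrust-install there"
        return 1
    fi
    if ! smb_conf_is_ipa_managed "$smb"; then
        echo "$server: smb.conf is not the IPA registry config"
        return 1
    fi
    echo "$server: OK"
}

# Constructed sample matching the post's output: idmipa03 healthy, idmipa04 not.
SAMPLE_ROLES='  Server name: idmipa03.sub.domain.com
  Role name: AD trust controller
  Role status: enabled

  Server name: idmipa04.sub.domain.com
  Role name: AD trust controller
  Role status: absent'

# Stand-alone run: list replicas in the sample that lack the role.
printf '%s\n' "$SAMPLE_ROLES" | absent_trust_controllers
```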

Resolution:

Take a snapshot of the VM before changing anything, since ipa-adtrust-install will overwrite the existing smb.conf. Then run the following on the broken replica (idmipa04):

# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: y


The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/25]: validate server hostname
  [2/25]: stopping smbd
  [3/25]: creating samba domain object
Samba domain object already exists
  [4/25]: retrieve local idmap range
  [5/25]: creating samba config registry
  [6/25]: writing samba config file
  [7/25]: adding cifs Kerberos principal
  [8/25]: adding cifs and host Kerberos principals to the adtrust agents group
  [9/25]: check for cifs services defined on other replicas
  [10/25]: adding cifs principal to S4U2Proxy targets
  [11/25]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [12/25]: adding RID bases
RID bases already set, nothing to do
  [13/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/25]: activating CLDAP plugin
  [15/25]: activating sidgen task
  [16/25]: map BUILTIN\Guests to nobody group
  [17/25]: configuring smbd to start on boot
  [18/25]: adding special DNS service records
  [19/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [20/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [21/25]: adding fallback group
Fallback group already set, nothing to do
  [22/25]: adding Default Trust View
Default Trust View already exists.
  [23/25]: setting SELinux booleans
  [24/25]: starting CIFS services
  [25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

Restart FreeIPA services (optional):

# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Verify once more:

# ./cipa -d sub.domain.com -W "<PASS>"
+--------------------+------------+------------+-------+
| FreeIPA servers:   | idmipa04   | idmipa03   | STATE |
+--------------------+------------+------------+-------+
| Active Users       | 3          | 3          | OK    |
| Stage Users        | 0          | 0          | OK    |
| Preserved Users    | 0          | 0          | OK    |
| Hosts              | 18         | 18         | OK    |
| Services           | 92         | 92         | OK    |
| User Groups        | 13         | 13         | OK    |
| Host Groups        | 1          | 1          | OK    |
| Netgroups          | 0          | 0          | OK    |
| HBAC Rules         | 3          | 3          | OK    |
| SUDO Rules         | 3          | 3          | OK    |
| DNS Zones          | 9          | 9          | OK    |
| Certificates       | 30         | 30         | OK    |
| LDAP Conflicts     | 2          | 2          | FAIL  |
| Ghost Replicas     | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | OK    |
| Microsoft ADTrust  | True       | True       | OK    |
| Replication Status | idmipa03 0 | idmipa04 0 | OK    |
+--------------------+------------+------------+-------+

Looking up an AD user now works:

# id sam@domain.com

Regards,

  Copyright © 2003 - 2025 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License