[Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

Richard Megginson rmeggins at redhat.com
Tue Jun 5 16:43:56 UTC 2012


----- Original Message -----
> On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
> > On Mon, 04 Jun 2012, Martin Kosek wrote:
> > >I did another round of testing and this is what I found so far:
> > >
> > >1) freeipa.spec.in was missing python-crypto BuildRequires (you
> > >fixed
> > >that)
> > >
> > >2) Unit tests need to be updated, currently there is about a dozen
> > >test
> > >case errors, e.g. extra ipakrbprincipalalias attribute in services
> > >or
> > >new ipakrbprincipal objectclass for hosts
> > Ok, will fix.
> > 
> > >3) Replication did not work too well for me this time.
> > >ipa-replica-install reported just one issue during installation
> > >process:
> > >
> > >2012-06-04T09:42:51Z DEBUG   [24/30]: enabling S4U2Proxy
> > >delegation
> > >2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h
> > >vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D
> > >cn=Directory Manager -y /tmp/tmppqaAdV
> > >2012-06-04T09:42:51Z DEBUG stdout=
> > >2012-06-04T09:42:51Z DEBUG
> > >stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
> > >ldapmodify: wrong attributeType at line 5, entry
> > >"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,
> > >dc=lab,dc=bos,dc=redhat,dc=com"
> > >
> > >2012-06-04T09:42:51Z CRITICAL Failed to load
> > >replica-s4u2proxy.ldif:
> > >Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v
> > >-f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV'
> > >returned non-zero exit status 247
> > Found and fixed. The issue was in not following RFC2849 when
> > specifying
> > multiple changetype operations, you need to split their definitions
> > by a
> > single line with '-' on it.
> > 
> > I squashed the fix back to the original patch.
> > 
> > >But this may be just a symptom of some bigger issue. After the
> > >installation finished, DS did not start, it kept reporting
> > >Kerberos
> > >issues:

Does ps -ef|grep slapd show the ns-slapd process running?

> > >
> > >[04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get
> > >initial
> > >credentials for principal
> > >[ldap/vm-057.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM] in
> > >keytab
> > >[FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see
> > >e-text))
> > >[04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All
> > >Interfaces port 389 for LDAP requests
> > >[04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port
> > >636 for
> > >LDAPS requests
> > >[04/Jun/2012:05:46:00 -0400] - Listening
> > >on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests

These last three lines mean the server is up and running.

> > >[04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind -
> > >Error:
> > >could not perform interactive bind for id [] mech [GSSAPI]: LDAP
> > >error
> > >-2 (Local error) (SASL(-1): generic failure: GSSAPI Error:
> > >Unspecified
> > >GSS failure.  Minor code may provide more information (Credentials
> > >cache
> > >file '/tmp/krb5cc_498' not found)) errno 0 (Success)
> > >[04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not
> > >perform
> > >interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> > >[04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin -
> > >agmt="cn=meTovm-125.idm.lab.bos.redhat.com" (vm-125:389):
> > >Replication
> > >bind with GSSAPI auth failed: LDAP error -2 (Local error)
> > >(SASL(-1):
> > >generic failure: GSSAPI Error: Unspecified GSS failure.  Minor
> > >code may
> > >provide more information (Credentials cache file '/tmp/krb5cc_498'
> > >not
> > >found))

These error messages should only appear at startup, and should go away once all of the ipa components (especially kdc) are up and running.

> > >
> > >When I run "ipactl restart", dirsrv started and I was able to
> > >kinit.
> > Maybe it is timing issue?
> > 
> > 
> > >4) Patch "Add separate attribute to store trusted domain SID"
> > >still has
> > >a wrong service part of the principal to be removed (s/ldap/cifs):
> > >
> > >+        dn3 = DN(u'cn=ipa-cifs-delegation-targets',
> > >api.env.container_s4u2proxy, self.suffix)
> > >+        member_principal3 = "ldap/%(fqdn)s@%(realm)s" %
> > >dict(fqdn=replica, realm=realm)
> > >+
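Review bot: the service part of member_principal3 does not match the DN it is meant to clean up. dn3 targets cn=ipa-cifs-delegation-targets, but the principal is built as "ldap/%(fqdn)s@%(realm)s"; it should be "cifs/%(fqdn)s@%(realm)s", otherwise the replica's CIFS member stays in the S4U2Proxy configuration after uninstallation.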
> > >
> > >This leaves CIFS entry in the S4U2Proxy configuration even after
> > >replica
> > >uninstallation.
> > Fixed and squashed back to the original patch.
> > 
> > >Btw. these are the packages I use:
> > >389-ds-base-1.2.10.4-2.fc17.x86_64
> > >krb5-server-1.10-5.fc17.x86_64
> > >samba4-4.0.0-123alpha21.fc17.x86_64
> > Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.
> 
> 
> I tested your latest tree against w2k8r2 and was able to create and
> validate the trust. So ACK to the functional part.
> 
> bye,
> Sumit
> 
> > 
> > --
> > / Alexander Bokovoy
> > 
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
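As an added example (not code from this thread or from FreeIPA), a small Python checker for the RFC 2849 rule behind the "wrong attributeType at line 5" failure discussed above: inside one "changetype: modify" record, each add/delete/replace operation must be closed by a line holding only "-" before the next one starts. The sample LDIF, its hostnames and the ipaAllowedTarget attribute are constructed placeholders.

```python
"""Detect and repair missing '-' separators between modification operations
in LDIF "changetype: modify" records (RFC 2849). Added example, not FreeIPA code.
The trailing '-' RFC 2849 also requires after the last operation is not checked."""
import re

MOD_OP = re.compile(r"^(add|delete|replace): *(\S+)\s*$")


def _records(ldif):
    """Split LDIF text into records; a record is a run of non-blank lines."""
    blocks = re.split(r"\n[ \t]*\n", ldif.strip("\n"))
    return [b.split("\n") for b in blocks if b.strip()]


def missing_separators(record):
    """Return 1-based line numbers within the record (the way ldapmodify counts
    them) of operations that start without a preceding '-' line.
    Records that are not "changetype: modify" yield nothing."""
    if len(record) < 2 or record[1].strip().lower() != "changetype: modify":
        return []
    bad, open_op = [], False
    for no, line in enumerate(record[1:], 2):
        if line.strip() == "-":
            open_op = False            # previous operation properly closed
        elif MOD_OP.match(line):
            if open_op:                # new operation while one is still open
                bad.append(no)
            open_op = True
    return bad


def fix_separators(ldif):
    """Return the LDIF text with a '-' line inserted before each offending operation."""
    out = []
    for record in _records(ldif):
        bad = set(missing_separators(record))
        fixed = []
        for no, line in enumerate(record, 1):
            if no in bad:
                fixed.append("-")
            fixed.append(line)
        out.append("\n".join(fixed))
    return "\n\n".join(out) + "\n"


# Constructed sample shaped like the failing replica LDIF: two add operations in
# one modify record with no '-' between them (placeholder domain and attributes).
BAD_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica.example.test@EXAMPLE.TEST
add: ipaAllowedTarget
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
"""

if __name__ == "__main__":
    for rec in _records(BAD_LDIF):
        for no in missing_separators(rec):
            print(f"{rec[0]}: operation at line {no} needs a preceding '-' line")
    print(fix_separators(BAD_LDIF))
```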