#6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
Closed: Fixed. Opened 7 years ago by lryznaro.

When running ipa-adtrust-install with --netbios-name="", the NetBIOS name with which it is installed is changed from the empty string to a name determined from the leading component of the DNS domain name, although this change is neither announced nor documented and can only be detected by an ldapsearch for the ipaNTFlatName attribute.

IPA 4.4.0, IPA 4.3.2


$ sudo ipa-adtrust-install -U --enable-compat --netbios-name="" -a Secret123 --add-sids

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/23]: stopping smbd
  [2/23]: creating samba domain object
  [3/23]: creating samba config registry
  [4/23]: writing samba config file
  [5/23]: adding cifs Kerberos principal
  [6/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/23]: check for cifs services defined on other replicas
  [8/23]: adding cifs principal to S4U2Proxy targets
  [9/23]: adding admin(group) SIDs
  [10/23]: adding RID bases
  [11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/23]: activating CLDAP plugin
  [13/23]: activating sidgen task
  [14/23]: configuring smbd to start on boot
  [15/23]: adding special DNS service records
  [16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

Setup complete

You must make sure these network ports are open:
    TCP Ports:
      * 135: epmap
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
      * 1024..1300: epmap listener range
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details


Check which NetBIOS name was set:

$ ldapsearch -Y GSSAPI '(ipaNTFlatName=*)'
ipaNTFlatName: DOM-200

The patch (https://github.com/freeipa/freeipa/pull/24) will help with testing of 4-3 branch:


  • 2c7b7b3 Raise error when running ipa-adtrust-install with empty netbios--name


  • 6064b12 Raise error when running ipa-adtrust-install with empty netbios--name
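
The behaviour reported in this ticket, next to the "raise error" behaviour the commit titles name, as an added Python sketch (not FreeIPA's code and not part of the original ticket). The function names, the allowed character set, the truthiness check as the cause of the silent fallback, and the domain dom-200.example.test are assumptions made for illustration.

```python
import string

# Assumption for this sketch: a flat name uses upper-case letters, digits and '-'.
ALLOWED = set(string.ascii_uppercase + string.digits + "-")
MAX_LEN = 15  # NetBIOS names are limited to 15 characters


def derive_netbios_name(dns_domain):
    """Default flat name: leading DNS label, upper-cased, filtered, truncated."""
    label = dns_domain.split(".")[0].upper()
    return "".join(c for c in label if c in ALLOWED)[:MAX_LEN]


def is_valid_netbios_name(name):
    return bool(name) and len(name) <= MAX_LEN and set(name) <= ALLOWED


def resolve_silently(option, dns_domain):
    """Models the reported behaviour: '' is falsy, so an explicitly empty
    option is handled like an absent one and replaced without any notice."""
    if not option:
        return derive_netbios_name(dns_domain)
    return option


def resolve_strict(option, dns_domain):
    """Hardened form: only an absent option (None) falls back to the derived
    default; an explicit value, including '', is validated and may be rejected."""
    if option is None:
        name, source = derive_netbios_name(dns_domain), "derived"
    else:
        name, source = option, "explicit"
    if not is_valid_netbios_name(name):
        raise ValueError("invalid NetBIOS name %r (%s)" % (name, source))
    return name, source


if __name__ == "__main__":
    domain = "dom-200.example.test"  # constructed sample domain
    print("silent:", resolve_silently("", domain))
    print("strict, option absent:", resolve_strict(None, domain))
    try:
        resolve_strict("", domain)
    except ValueError as exc:
        print("strict, option empty:", exc)
```

Returning the source ("derived" or "explicit") alongside the name lets the installer report which name it chose instead of leaving an ldapsearch for ipaNTFlatName as the only way to find out.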

Metadata Update from @lryznaro:
- Issue assigned to lryznaro
- Issue set to the milestone: FreeIPA 4.3.3

7 years ago
