Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1411817
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
We have an AD trust with example.test (AD domain) from our IPA servers using idm.test (IPA domain).

root@idm3{~}: ipa-replica-manage -v list
idm3.idm.test: master
idm2.idm.test: master
root@idm3{~}:

Our AD servers are reporting Netlogon errors and are spammed with Event Sentry alert messages, which seem to correspond with this log message:

Jan 10 08:34:31 idm3 smbd[14606]: [2017/01/10 08:34:31.407852, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
Jan 10 08:34:31 idm3 smbd[14606]: _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLT-EXM01 machine account example.test.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-14.el7_3.1.1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Restarting ipa will always result in the messages listed above occurring in the logs.
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/632
Metadata Update from @pvoborni: - Issue assigned to frenaud (was: someone)
When a trust is established with AD, the AD server periodically calls NETR_SERVERPASSWORDSET2 and the operation fails with NT_STATUS_NOT_IMPLEMENTED (log in /var/log/samba/smbd.lsasd.xx):
[2017/03/24 10:30:18.736045, 1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
    netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
        out: struct netr_ServerPasswordSet2
            return_authenticator : *
                return_authenticator: struct netr_Authenticator
                    cred: struct netr_Credential
                        data : ced899cf781997ca
                    timestamp : (time_t)0
            result : NT_STATUS_NOT_IMPLEMENTED
pdb_update_sam_account() is called but ipasam doesn't provide this function, meaning that the default samba implementation is used and returns NT_STATUS_NOT_IMPLEMENTED.
Note: setting the NT hash only is a bit complicated because we should be expecting to synchronize both Kerberos and NT hash passwords for the same entry. Since this is a trusted domain object entry, having them not in sync would cause broken trust operations for SSSD.
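A log check for the two symptoms quoted in this ticket, added here as an example (it is not FreeIPA's or Samba's code): it scans smbd/lsasd log lines for the rejected _netr_ServerAuthenticate3 requests and for netr_* calls whose out: result is not NT_STATUS_OK, such as netr_ServerPasswordSet2 returning NT_STATUS_NOT_IMPLEMENTED. The regexes assume Samba's default debug-header and ndr_print_function_debug layout, and the sample lines are constructed from the excerpts above.

```python
import re
from dataclasses import dataclass
AUTH_REJECT = re.compile(  # symptom 1: the AD DC's Netlogon authentication rejected by smbd
    r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client (?P<client>\S+) machine account (?P<account>\S+)\.")
DEBUG_HDR = re.compile(r"\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+),\s*\d+(?:, pid=(?P<pid>\d+))?")  # assumed layout
SYSLOG_PID = re.compile(r"smbd\[(?P<pid>\d+)\]")  # pid fallback for syslog-wrapped lines
NDR_FUNC = re.compile(r"^\s*(?P<func>netr_\w+): struct (?P=func)\s*$")  # symptom 2: NDR dump of a call
NDR_RESULT = re.compile(r"^\s*result\s*:\s*(?P<status>NT_STATUS_\w+)")

@dataclass
class Finding:
    kind: str       # "netlogon_auth_rejected" or "rpc_call_failed"
    timestamp: str  # from the most recent Samba debug header seen
    detail: str

def scan_samba_logs(lines):
    """One Finding per rejected Netlogon auth and per netr_* call whose out: result is not NT_STATUS_OK."""
    findings, ts, pid, func, direction = [], "", "", "", ""
    for line in lines:
        hdr = DEBUG_HDR.search(line)
        if hdr:  # a new debug record: remember its timestamp/pid and reset the NDR dump state
            ts, pid = hdr["ts"], hdr["pid"] or next(iter(SYSLOG_PID.findall(line)), "")
            func = direction = ""
            continue
        m = AUTH_REJECT.search(line)
        if m:
            findings.append(Finding("netlogon_auth_rejected", ts, f"pid={pid} client={m['client']} account={m['account']}"))
            continue
        m = NDR_FUNC.match(line)
        if m:
            func = m["func"]
            continue
        if line.lstrip().startswith(("in:", "out:")):
            direction = line.strip().split(":", 1)[0]
            continue
        m = NDR_RESULT.match(line)
        if m and func and direction == "out" and m["status"] != "NT_STATUS_OK":
            findings.append(Finding("rpc_call_failed", ts, f"pid={pid} {func} -> {m['status']}"))
    return findings

# Constructed sample mirroring the two excerpts quoted in this ticket (not a real capture)
SAMPLE_LOG = """\
Jan 10 08:34:31 idm3 smbd[14606]: [2017/01/10 08:34:31.407852,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
Jan 10 08:34:31 idm3 smbd[14606]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLT-EXM01 machine account example.test.
[2017/03/24 10:30:18.736045,  1, pid=70262, effective(99, 99), real(99, 0)] ../librpc/ndr/ndr.c:450(ndr_print_function_debug)
  netr_ServerPasswordSet2: struct netr_ServerPasswordSet2
      out: struct netr_ServerPasswordSet2
          result                   : NT_STATUS_NOT_IMPLEMENTED
"""
```

Running `scan_samba_logs(open("/var/log/samba/smbd.lsasd.log"))` over the real lsasd log shows whether the password-set failures line up in time with the Netlogon rejections the AD side reports.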
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)