Bug 62755

Summary: Create necessary principals in AD for keytab
Product: realmd Reporter: Stef Walter <stefw>
Component: GeneralAssignee: Stef Walter <stefw>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: stefw
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on: 54489    
Bug Blocks:    
Attachments: adcli: Streamline how extra account attributes are updated
Add --user-principal argument for joining domains
adcli: Add --user-principal argument for joining domains
Add the user-principal option and setting
Add the user-principal option and setting
Add the user-principal option and setting

Description Stef Walter 2013-03-26 11:04:37 UTC 
From Kaushik:

However, what I am missing is something similar to:
net ads join createupn=host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
-U Administrator

Other than DHCP201-126$ no other principals are created on the AD
Server. That means other principals existing in the keytab are of no use
unless they are separately created.

The keytab has the following entries:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   2 host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
   2 host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
   2 host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
   2 host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
   2 host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
   2 host/dhcp201-126@SSSDAD.COM
   2 host/dhcp201-126@SSSDAD.COM
   2 host/dhcp201-126@SSSDAD.COM
   2 host/dhcp201-126@SSSDAD.COM
   2 host/dhcp201-126@SSSDAD.COM
   2 DHCP201-126$@SSSDAD.COM
   2 DHCP201-126$@SSSDAD.COM
   2 DHCP201-126$@SSSDAD.COM
   2 DHCP201-126$@SSSDAD.COM
   2 DHCP201-126$@SSSDAD.COM

It will be useful, if realmd is capable of adding the principals that
are there in the keytab or have an option to add a customized principal
in the AD Server.
Comment 1 Stef Walter 2013-04-11 13:53:51 UTC 
Created attachment 77811 [details] [review]
adcli: Streamline how extra account attributes are updated
Comment 2 Stef Walter 2013-04-11 13:53:53 UTC 
Created attachment 77812 [details] [review]
Add --user-principal argument for joining domains
Comment 3 Stef Walter 2013-04-11 13:58:12 UTC 
Created attachment 77813 [details] [review]
adcli: Add --user-principal argument for joining domains
Comment 4 Stef Walter 2013-04-11 13:59:59 UTC 
(In reply to comment #0)
> From Kaushik:
> 
> However, what I am missing is something similar to:
> net ads join createupn=host/dhcp201-126.englab.pnq.redhat.com@SSSDAD.COM
> -U Administrator
> 
> Other than DHCP201-126$ no other principals are created on the AD
> Server. That means other principals existing in the keytab are of no use
> unless they are separately created.

Well they're useful as service principals, not user principals. But regardless I agree with this feature request.
Comment 5 Stef Walter 2013-04-11 15:57:16 UTC 
Created attachment 77824 [details] [review]
Add the user-principal option and setting
Comment 6 Stef Walter 2013-04-11 15:58:16 UTC 
Yassir, the realmd patch (last one) above, is ready for review, when you get a chance.
Comment 7 Stef Walter 2013-04-12 08:10:36 UTC 
Created attachment 77843 [details] [review]
Add the user-principal option and setting
Comment 8 Stef Walter 2013-04-12 14:09:40 UTC 
Created attachment 77882 [details] [review]
Add the user-principal option and setting

Updated to make this a realm specific option, rather than global.
Comment 9 Stef Walter 2013-04-26 13:15:18 UTC 
Attachment 77882 [details] pushed as d2846c0 - Add the user-principal option and setting
Comment 10 Stef Walter 2013-04-26 13:17:36 UTC 
Pushed adcli patches.

This timed out for review. But would like to get this tested on the test day,
so reviewed, tested and fixed up documentation.

Test like this:
https://fedoraproject.org/wiki/QA:Testcase_realmd_join_upn

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.