Bug 86107

Summary: adcli not using fqdn
Product: realmd Reporter: Marc H. Thoben <marc>
Component: adcliAssignee: Stef Walter <stefw>
Status: RESOLVED MOVED QA Contact:
Severity: normal    
Priority: medium CC: sbose
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Marc H. Thoben 2014-11-10 11:56:54 UTC
adcli uses gethostname() to determine the FQDN, which only returns a short hostname. Maybe that's a misconfiguration on my part (GNU/Debian, libc6 2.19)? Googling, though, makes me believe that gethostname() on its own never returns a FQDN. That causes an error when adcli tries to register 2 host principles (host/<netbiosname> & host/<fqdn>) in the servicePrincipleName attribute, which are equal to windows:

root@ahtest1:~# adcli join --verbose --domain mpipz.mpg.de --domain-realm MPIPZ.MPG.DE --domain-controller 10.1.0.224 --login-type user --login-user mthoben_local --prompt-password
 * Using domain name: mpipz.mpg.de
 * Calculated computer account name from fqdn: AHTEST1
 * Using domain realm: mpipz.mpg.de
 * Sending netlogon pings to domain controller: ldap://10.1.0.224
 * Received NetLogon info from: ficus.mpipz.mpg.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-klhkXh/krb5.d/adcli-krb5-conf-7YO8mq
Password for mthoben_local@MPIPZ.MPG.DE:
 * Authenticated as user: mthoben_local@MPIPZ.MPG.DE
 * Looked up short domain name: MPIPZ
 * Using fully qualified name: ahtest1 <================================================
 * Using domain name: mpipz.mpg.de
 * Using computer account name: AHTEST1
 * Using domain realm: mpipz.mpg.de
 * Calculated computer account name from fqdn: AHTEST1
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: ahtest1
 * Using domain name: mpipz.mpg.de
 * Using computer account name: AHTEST1
 * Using domain realm: mpipz.mpg.de
 * Looked up short domain name: MPIPZ
 * Computer account for AHTEST1$ does not exist
 * Found well known computer container at: CN=Computers,DC=mpipz,DC=mpg,DC=de
 * Calculated computer account: CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de
 * Created computer account: CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de: 00002083: AtrErr: DSID-03151331, #1:
    0: 00002083: DSID-03151331, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)

 * Discovered which keytab salt to use
 * Added the entries to the keytab: AHTEST1$@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: HOST/AHTEST1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <================================================
 * Added the entries to the keytab: HOST/ahtest1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <================================================
 * Added the entries to the keytab: RestrictedKrbHost/AHTEST1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <===================================
 * Added the entries to the keytab: RestrictedKrbHost/ahtest1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <===================================

In our case a "--host-fqdn" argument for realm (as adcli already has) would help. Or maybe replacing the call to gethostname() in adcli with something that is more resilient in figuring out the true FQDN.

Thanks for your help!
Comment 1 Stef Walter 2014-11-14 07:54:20 UTC
You can tell adcli about the FQDN (if it's not set as your host name) via the --host-fqdn option. See 'man adcli'

Does that fix the problem for you?
Comment 2 Marc H. Thoben 2014-11-14 08:49:52 UTC
Yes, adcli with --host-fqdn manages to create the domain accounts with the proper attributes. But of course, no configuration files for sssd are created then. Only "realm join" does that. And "realm" has no such feature yet to call adcli with --host-fqdn.

As a workaround I do the following:

1) realm join --verbose --client-software=sssd --server-software=active-directory --membership-software=adcli --user-principal=host/ahtest1.mpipz.mpg.de@MPIPZ.MPG.DE -U mthoben_local mpipz.mpg.de
2) adcli delete-computer  --verbose --domain mpipz.mpg.de --domain-realm MPIPZ.MPG.DE --domain-controller 10.1.0.224 --login-user mthoben_local --prompt-password ahtest1.mpipz.mpg.de
3) adcli join --verbose --domain mpipz.mpg.de --domain-realm MPIPZ.MPG.DE --domain-controller 10.1.0.224 --host-fqdn=ahtest1.mpipz.mpg.de --user-principal=host/ahtest1.mpipz.mpg.de@MPIPZ.MPG.DE --login-type user --login-user mthoben_local --prompt-password
4) systemctl restart sssd.service

Thanks for your help.
Comment 3 Sumit Bose 2016-05-20 12:16:57 UTC
Hi Stef,

do you think anything needs to be done for this ticket? I can see the following options:

- do nothing, just close the ticket
- realm just fails if gethostname() returns a short name and asks to set the FQDN
- realm gets a new option for the FQDN
- realm adds the domain name of the domain to join if gethostname() returns a short name
- a combination of the above options

Do you have a preference?

bye,
Sumit
Comment 4 Stef Walter 2016-05-20 12:19:21 UTC
(In reply to Sumit Bose from comment #3)
> Hi Stef,
> 
> do you think anything needs to be done for this ticket? I can see the
> following options:
> 
> - do nothing, just close the ticket
> - realm just fails if gethostname() returns a short name and asks to set the
> FQDN
> - realm gets a new option for the FQDN

This probably makes sense.

> - realm adds the domain name of the domain to join if gethostname() returns
> a short name

I like this one. Would it actually work?

But according to the description, it also seems like there's a bug in adcli where it registers duplicate servicePrincipalName entries (and keytab entries) when it thinks the netbios name and fqdn are identical.
Comment 5 Marcelo Módolo 2018-04-30 23:22:14 UTC
Hi!

I still (2018) encounter the same problem. In CentOS versions 7.7, RHEL 7.4, Ubuntu 16.04 and Ubuntu 18.04.

This problem also affects SSO. While the keytab is not recreated, SSO (ssh) can not be done.

When trying to ssh using the kerberos ticket and in verbose mode (ssh -vvv -K hostname) I get the message below:

"server not found in kerberos database"

Thanks,
Marcelo Módolo
Comment 6 GitLab Migration User 2018-10-12 21:18:34 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/realmd/adcli/issues/1.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.