Bug 99676

Summary: realm can't join an AD if AD admin password contains special characters
Product: realmd
Reporter: david.vantyghem
Component: adcli
Assignee: Stef Walter <stefw>
Status: NEW
Severity: blocker
Priority: highest
CC: sbose
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments: Password error
Same error with kinit before realm

Description david.vantyghem 2017-02-04 15:21:43 UTC
Created attachment 129337 [details]
Password error

I'm using this command for joining a Windows 2008 server AD from a Linux Mint 18.1 computer:
sudo realm join -v --user=Administrateur --client-software=sssd 2008-STANDARD.NUMOPEN

I've got this error if the AD admin password contains special characters (password = ²&é"'³1234), it works well if not:

! Couldn't authenticate as : Administrateur@2008-STANDARD.NUMOPEN: Preauthentication failed
adcli: couldn't connect to 2008-standard.numopen domain : Couldn't authenticate as : Administrateur@2008-STANDARD.NUMOPEN: Preauthentication failed
Comment 1 david.vantyghem 2017-08-27 20:05:46 UTC
To reproduce the bug: http://www.numopen.fr/Integrer-un-ordinateur-avec-Linux-Mint-MATE-dans-un-domaine-Windows
(sorry, it's in French)
Comment 2 Sumit Bose 2017-08-28 06:51:34 UTC
To which value is the LANG environment variable set when you call the realm command?

As a workaround you might want to try

    sudo su
    kinit Administrateur@2008-STANDARD.NUMOPEN
    realm join -v --client-software=sssd 2008-STANDARD.NUMOPEN

HTH

bye,
Sumit
Comment 3 david.vantyghem 2017-09-02 16:38:51 UTC
LANG=fr_FR.UTF-8
Comment 4 david.vantyghem 2017-09-02 16:40:30 UTC
Created attachment 133942 [details]
Same error with kinit before realm
Comment 5 Sumit Bose 2017-09-04 14:48:13 UTC
Do you know which character set is used on the Windows side and which keyboard layout was used when entering the password on the Windows side?

Since it is only about special characters maybe

    echo '²&é"'\''³1234' | iconv -f UTF-8 -t CP1252 | kinit Administrateur@2008-STANDARD.NUMOPEN

works?

I tried to reproduce this with an English Windows 2008R2 and a German keyboard and all special German characters worked fine.

You can also try to check the other way round by first setting a password without special French characters and then using 'kpasswd' on the Linux side to set a new password with special characters. After that verify that 'kinit' on the Linux side now works and then try to log in with the new password on a Windows desktop. Please note that I think there is a fair chance that now authentication on the Windows side might fail so please make sure you can reset the password on the Windows side if needed.
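
Why the character-set question in comment 5 matters, as an added example (not part of the original thread and not realmd or adcli code): a Kerberos key is derived from the password's bytes, so one typed password encoded differently on each side yields different keys. It uses the password, realm and user from this report and assumes the default salt (realm followed by principal name) and the RFC 3962 default iteration count; only the PBKDF2 stage of the AES-256 string-to-key is computed.

```python
import hashlib
import unicodedata

# Password, realm and user are taken from this bug report. The salt layout
# (realm followed by principal name) and the iteration count are assumptions:
# the Kerberos defaults when the KDC supplies no other parameters.
PASSWORD = "\u00b2&\u00e9\"'\u00b31234"   # ²&é"'³1234
SALT = ("2008-STANDARD.NUMOPEN" + "Administrateur").encode("utf-8")
ITERATIONS = 4096


def candidate_encodings(password):
    """Byte strings that different clients could produce for one typed password."""
    nfc = unicodedata.normalize("NFC", password)   # é as one code point
    nfd = unicodedata.normalize("NFD", password)   # é as e + combining accent
    return {
        "UTF-8 (NFC)": nfc.encode("utf-8"),
        "UTF-8 (NFD)": nfd.encode("utf-8"),
        "CP1252": nfc.encode("cp1252"),
    }


def pbkdf2_stage(password_bytes):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES-256 string-to-key."""
    return hashlib.pbkdf2_hmac("sha1", password_bytes, SALT, ITERATIONS, 32)


def derive_all(password=PASSWORD):
    """Map each encoding name to the hex value derived from its bytes."""
    return {name: pbkdf2_stage(raw).hex()
            for name, raw in candidate_encodings(password).items()}


def distinct_keys(password=PASSWORD):
    """Number of different derived values across the candidate encodings."""
    return len(set(derive_all(password).values()))


if __name__ == "__main__":
    keys = derive_all()
    for name, raw in candidate_encodings(PASSWORD).items():
        print(f"{name:12} {len(raw):2d} bytes {raw.hex():30} {keys[name][:16]}...")
    print("distinct values:", distinct_keys())
    print("distinct values for an ASCII-only password:", distinct_keys("abc1234"))
```

A KDC cannot decrypt an encrypted-timestamp preauthentication made with a key derived from different bytes than its own, and reports that as "Preauthentication failed"; an ASCII-only password gives identical bytes in all three encodings.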
Comment 6 david.vantyghem 2017-09-10 13:02:14 UTC
My Linux Mint MATE and my Windows server 2008 are installed on VirtualBox.
So, I can test Kerberos joining with normal password (it works) and then, change the password on Windows server (it doesn't work with ²&é"'³1234 ) and reuse the initial Linux Mint installation.
http://www.numopen.fr/Integrer-un-ordinateur-avec-Linux-Mint-MATE-dans-un-domaine-Windows

If you want to reproduce the bug, I can give you my VirtualBox files. Send me a USB stick and your postal address (my internet connection is too slow).
Comment 7 david.vantyghem 2017-09-10 13:06:06 UTC
Of course, I can log in as Administrateur user (it's the French name of Administrator default account on Windows server 2008) on the Windows server with ²&é"'³1234 password but not from Linux Mint with Kerberos.
Comment 8 david.vantyghem 2017-09-17 09:21:16 UTC
> Do you know which character set is used on the Windows side and which
> keyboard layout was used when entering the password on the Windows side?

How can I see these parameters in Windows? Could you help me?
