|Summary:||realm can't join an AD if AD admin password contains special characters|
|Component:||adcli||Assignee:||Stef Walter <stefw>|
|Status:||NEW ---||QA Contact:|
|i915 platform:||i915 features:|
Same error with kinit before realm
Azerty4 passaword works, not ²&é"'³1234 password
Description david.vantyghem 2017-02-04 15:21:43 UTC
Created attachment 129337 [details] Password error I'm using this command for joining a Windows 2008 server AD from a Linux Mint 18.1 computer : sudo realm join -v --user=Administrateur --client-software=sssd 2008-STANDARD.NUMOPEN I've got this error i the AD admin password contains special characters (password = ²&é"'³1234), it works well if not : ! Couldn't authenticate as : Administrateur@2008-STANDARD.NUMOPEN: Preauthentication failed adcli: couldn't connect to 2008-standard.numopen domain : Couldn't authenticate as : Administrateur@2008-STANDARD.NUMOPEN: Preauthentication failed
Comment 1 david.vantyghem 2017-08-27 20:05:46 UTC
To reproduce the bug : http://www.numopen.fr/Integrer-un-ordinateur-avec-Linux-Mint-MATE-dans-un-domaine-Windows (sorry, it's in french)
Comment 2 Sumit Bose 2017-08-28 06:51:34 UTC
To which value is the LANG environment variable set when you call the realm command? As a workaround you might want to try sudo su kinit Administrateur@2008-STANDARD.NUMOPEN realm join -v --client-software=sssd 2008-STANDARD.NUMOPEN HTH bye, Sumit
Comment 3 david.vantyghem 2017-09-02 16:38:51 UTC
Comment 4 david.vantyghem 2017-09-02 16:40:30 UTC
Created attachment 133942 [details] Same error with kinit before realm
Comment 5 Sumit Bose 2017-09-04 14:48:13 UTC
Do you know which character set is used on the Windows side and which keyboard layout was used when entering the password on the Windows side? Since it is only about special characters maybe echo ²&é"'³1234 | iconv -f UTF-8 -t CP1252 | kinit Administrateur@2008-STANDARD.NUMOPEN works? I tried to reproduce this with an English Windows 2008R2 and a German keyboard and all special German characters worked fine. You can also try to check the other way round be first setting a password without special French characters and then using 'kpasswd' on the Linux side to set a new password with special characters. After that verify that 'kinit' on the Linux side now works and then try to login with the new password on a Windows desktop. Please note that I think there is a fair chance that now authentication on the Windows side might fail so please make sure you can reset the password on the Windows side if needed.
Comment 6 david.vantyghem 2017-09-10 13:02:14 UTC
My Linux Mint MATE and my Windows server 2008 are installed on VirtualBox. So, I can test Kerberos joigning with normal password (it works) and then, change the password on Windows server (it doesn't works with ²&é"'³1234 ) and reuse the initial Linux Mint installation. http://www.numopen.fr/Integrer-un-ordinateur-avec-Linux-Mint-MATE-dans-un-domaine-Windows If you want to reproduce the bug, I can give you my Virtualbox files. Send to me a USB stick and your postal adress (my internet connexion is too slow).
Comment 7 david.vantyghem 2017-09-10 13:06:06 UTC
Of course, I can login as Administrateur user (it's the french name of Administrator default account on Windows server 2008) on the windows server with ²&é"'³1234 password but not from Linux Mint with Kerberos.
Comment 8 david.vantyghem 2017-09-17 09:21:16 UTC
> Do you know which character set is used on the Windows side and which > keyboard layout was used when entering the password on the Windows side? How can I see these parameters in Windows ? Could you help me ?
Comment 9 david.vantyghem 2017-10-09 20:49:47 UTC
I tested these commands : echo ²\&é\"\'³1234 | iconv -f UTF-8 -t CP1252 | kinit Administrateur@2008-STANDARD.NUMOPEN -> error I changed the Administrateur password on Windows server to Azerty3 and after, to Azerty4 (because Azerty3 expired) : echo Azerty4 | iconv -f UTF-8 -t CP1252 | kinit Administrateur@2008-STANDARD.NUMOPEN -> success See screenshot joined.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.