Bug 91668 - adcli fails with "Couldn't authenticate to active directory: (...) Message stream modified"
Status: RESOLVED MOVED
Alias: None
Product: realmd
Classification: Unclassified
Component: adcli
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Stef Walter
Reported: 2015-08-17 17:48 UTC by Philipp Wagner
Modified: 2018-10-12 21:19 UTC (History)
Attachments
adcli log (2.39 KB, text/plain), 2015-08-17 17:48 UTC, Philipp Wagner
msktutil log (7.60 KB, text/plain), 2015-08-17 17:48 UTC, Philipp Wagner

Description Philipp Wagner 2015-08-17 17:48:05 UTC
Created attachment 117737: adcli log

I'm trying to pre-create a computer account in AD with adcli using the command line:

adcli preset-computer --verbose --login-ccache --domain=ads.mwn.de --domain-ou='OU=Linux,OU=Computers,OU=LIS,OU=EI,OU=TU,OU=MWN' --domain-controller=mwndc.ads.mwn.de TUEILIS-ldtest2

This fails with the error message:

adcli: couldn't connect to ads.mwn.de domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)

I've attached the full log of the adcli call as an attachment, with KRB5_TRACE=/dev/stderr enabled for full Kerberos logging.

Currently we are using msktutil to pre-create the computer accounts. This tool creates the accounts without problems in the same setup. I've attached the full log of that process as well for reference.

Notable things about our domain setup:

- realm is ads.mwn.de, hostnames of the PCs are *.lis.ei.tum.de
- the computer name is not equal to the hostname. In the example here, the FQDN is ldtest2.lis.ei.tum.de, the computername (netbios name) is TUEILIS-ldtest2. [This is just a side remark, I don't think it's currently possible to realize this in adcli. I will look into this as soon as this problem here is resolved.]


Googling around has led me to the impression that the error message "Message stream modified" is usually associated with capitalization problems -- unfortunately I haven't been able to figure out where.

Things I've tried:
- Made sure the temporary krb.conf is identical to the one written by msktutil: no change
- Used the current git version of adcli, as opposed to the Ubuntu 14.04 version (0.7.5): no change
- Played around with the --domain and --realm ADS.MWN.DE options: no change
- Tried the other tools (such as adcli join): same error

I'm a bit lost on this one. I'm trying to use adcli since msktutil doesn't allow deleting and resetting computer accounts, and I need that feature.

Any ideas?
Comment 1 Philipp Wagner 2015-08-17 17:48:32 UTC
Created attachment 117738: msktutil log
Comment 2 Stef Walter 2015-08-19 09:46:10 UTC
I've not seen the 'Message stream modified' message before. However, it sounds like it may have to do with GSS sealing.
Comment 3 Philipp Wagner 2015-08-19 16:19:15 UTC
Stef, is there anything you think would be a good starting point for further investigation based on this idea?
Comment 4 Philipp Wagner 2016-04-22 15:40:03 UTC
Debugging by luck is sometimes successful :-)


This still does not work (as before):

$ adcli preset-computer --verbose --login-ccache --domain=ads.mwn.de --domain-controller=mwndc.ads.mwn.de TUEILIS-ldtest2
 * Using domain name: ads.mwn.de
 * Calculated computer account name from fqdn: PHILIPP
 * Calculated domain realm from name: ADS.MWN.DE
 * Sending netlogon pings to domain controller: cldap://10.156.54.16
 * Sending netlogon pings to domain controller: cldap://10.156.54.14
 * Sending netlogon pings to domain controller: cldap://10.156.54.15
 * Received NetLogon info from: BADWLRZ-SWDC6.ads.mwn.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-nJDjpQ/krb5.d/adcli-krb5-conf-hZb6Ec
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
adcli: couldn't connect to ads.mwn.de domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)

BUT the following works:

$ adcli preset-computer --verbose --login-ccache --domain=ads.mwn.de --domain-controller=BADWLRZ-SWDC6.ads.mwn.de TUEILIS-ldtest2
 * Using domain name: ads.mwn.de
 * Calculated computer account name from fqdn: PHILIPP
 * Calculated domain realm from name: ADS.MWN.DE
 * Sending netlogon pings to domain controller: ldap://[2001:4ca0:0:108::16]
 * Sending netlogon pings to domain controller: cldap://10.156.54.16
 * Received NetLogon info from: BADWLRZ-SWDC6.ads.mwn.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-ThgA1E/krb5.d/adcli-krb5-conf-VFBqC7
 * Looked up short domain name: ADS
...

Notice the different domain controller specified. mwndc.ads.mwn.de is using round-robin DNS to distribute load:

$ dig mwndc.ads.mwn.de
;; QUESTION SECTION:
;mwndc.ads.mwn.de.              IN      A

;; ANSWER SECTION:
MWNDC.ads.mwn.de.       86400   IN      A       10.156.54.16
MWNDC.ads.mwn.de.       86400   IN      A       10.156.54.15
MWNDC.ads.mwn.de.       86400   IN      A       10.156.54.14



ALSO WORKING is the auto-discovery by leaving out the domain-controller option:
$ adcli preset-computer --verbose --login-ccache --domain=ads.mwn.de TUEILIS-ldtest2



With this I had a deeper look at the differences between msktutil and adcli, but (TL;DR) I didn't find the final reason.
- msktutil writes a different krb5.conf. But making the one from adcli look like the one from msktutil doesn't change anything.
- msktutil connects via LDAP to mwndc.ads.mwn.de, adcli to BADWLRZ-SWDC6.ads.mwn.de. Making adcli also connect to mwndc.ads.mwn.de didn't change anything either.

I'm running out of time for further debugging here, and since I know a workaround by now, I'll leave it for now.



But if you have any ideas or patches, I'll be happy to test them.
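The observation in comment 4 (the round-robin name mwndc.ads.mwn.de fails, a single DC name or auto-discovery works) is worth checking mechanically before digging further into the krb5.conf snippet. A name that resolves to several domain controllers can leave the Kerberos library and the LDAP connection talking to different hosts, and a service ticket presented to a host that does not hold the matching key is one common way to get KRB5KRB_AP_ERR_MODIFIED, which MIT Kerberos reports as "Message stream modified". Whether that is what happened in this report is not established here. The script below is an added example, not code from adcli or from the reporter. It takes dig-style forward and reverse output, reports whether a DC name is round-robin, and flags addresses whose reverse name differs from the name given to --domain-controller. The A records mirror the dig output quoted in comment 4; the reverse names for 10.156.54.14 and 10.156.54.15 are placeholders, since only BADWLRZ-SWDC6 appears in the log. The comparison is case-insensitive, because the dig answer section shows MWNDC in upper case while the query used lower case.

```shell
#!/bin/sh
# Added diagnostic, not part of adcli or the bug report.
# Checks whether a --domain-controller name is round-robin and whether each
# address maps back (PTR) to that same name. All sample data is constructed.

# Constructed: the A records from `dig mwndc.ads.mwn.de` quoted in comment 4.
SAMPLE_A_RECORDS='10.156.54.16
10.156.54.15
10.156.54.14'

# Constructed "ip hostname" reverse map. Only the .16 name is taken from the
# adcli log; the other two hostnames are placeholders.
SAMPLE_PTR_MAP='10.156.54.16 BADWLRZ-SWDC6.ads.mwn.de
10.156.54.15 dc-placeholder-2.ads.mwn.de
10.156.54.14 dc-placeholder-3.ads.mwn.de'

# count_a_records A_OUTPUT: number of IPv4 addresses in dig +short output.
count_a_records() {
    printf '%s\n' "$1" | grep -c -E '^[0-9]+(\.[0-9]+){3}$'
}

# is_round_robin A_OUTPUT: true when the name resolves to more than one host.
is_round_robin() {
    [ "$(count_a_records "$1")" -gt 1 ]
}

# ptr_for IP PTR_MAP: reverse name for IP, lower-cased, empty if unknown.
ptr_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip { print tolower($2); exit }'
}

# check_dc_name NAME A_OUTPUT PTR_MAP
# Prints one line per address: "ip reverse-name match|MISMATCH".
# Comparison is case-insensitive. Returns 0 only if every address maps
# back to NAME, i.e. the host in the service principal and the host the
# connection reaches cannot diverge through this name.
check_dc_name() {
    dc_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rc=0
    for ip in $(printf '%s\n' "$2" | grep -E '^[0-9]+(\.[0-9]+){3}$'); do
        rev=$(ptr_for "$ip" "$3")
        if [ "$rev" = "$dc_name" ]; then
            echo "$ip $rev match"
        else
            echo "$ip ${rev:-(no PTR)} MISMATCH"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed data: the round-robin name mismatches on every
# address; the single DC name from the working invocation matches itself.
for dc in mwndc.ads.mwn.de BADWLRZ-SWDC6.ads.mwn.de; do
    if [ "$dc" = mwndc.ads.mwn.de ]; then a_out=$SAMPLE_A_RECORDS; else a_out=10.156.54.16; fi
    if is_round_robin "$a_out"; then
        echo "$dc: round-robin, $(count_a_records "$a_out") addresses"
    else
        echo "$dc: single address"
    fi
    check_dc_name "$dc" "$a_out" "$SAMPLE_PTR_MAP" \
        || echo "$dc: reverse names do not all match the name given to adcli"
done

# Live use: replace the two samples with real lookups, for example
#   A_OUT=$(dig +short mwndc.ads.mwn.de A)
#   PTR_MAP=$(for ip in $A_OUT; do printf '%s %s\n' "$ip" "$(dig +short -x "$ip" | sed 's/\.$//')"; done)
```

If the round-robin name shows mismatches and a single DC name does not, the reporter's workaround (naming one DC, or letting adcli discover one) is the practical fix. A further check a practitioner may want is to repeat the failing adcli call with `rdns = false` under [libdefaults] in the krb5.conf adcli uses, which stops the MIT library from rewriting the host part of the service principal from reverse DNS; whether that changes the outcome for this domain is not something the report establishes.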
Comment 5 GitLab Migration User 2018-10-12 21:19:06 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/realmd/adcli/issues/9.