Bug 1001667

Summary: realmd fails to join if hostname has more than 15 chars
Product: Red Hat Enterprise Linux 7
Reporter: Kaushik Banerjee <kbanerje>
Component: realmd
Assignee: Stef Walter <stefw>
Status: CLOSED CURRENTRELEASE
QA Contact: David Spurek <dspurek>
Severity: unspecified
Docs Contact:
Priority: urgent
Version: 7.0
CC: dlackey, dspurek, ebenes, jgalipea, jhrozek, pkis, ssorce
Target Milestone: rc
Keywords: TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: adcli-0.7.4-1.el7, realmd-0.14.6-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 13:30:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kaushik Banerjee 2013-08-27 13:40:26 UTC
Description of problem:
realmd fails to join if hostname has more than 15 chars

Version-Release number of selected component (if applicable):
realmd-0.14.5-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Hostname is more than 15 chars.
2. Try to join to AD using realmd


Actual results:
realmd fails to join to AD Server.

# realm join -v -U Administrator --user-principal=host/kautest-sssdclient-vm100.example.com sssdad2012.com
 * Resolving: _ldap._tcp.sssdad2012.com
 * Performing LDAP DSE lookup on: 192.168.100.10
 * Successfully discovered: sssdad2012.com
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.5O271W -U Administrator ads join sssdad2012.com createupn=host/kautest-sssdclient-vm100.example.com
Invalid configuration.  Exiting....
Our netbios name can be at most 15 chars long, "KAUTEST-SSSDCLIENT-VM100" is 24 chars long
Failed to join domain: The format of the specified computer name is invalid.
 ! Joining the domain sssdad2012.com failed
realm: Couldn't join realm: Joining the domain sssdad2012.com failed


Expected results:
Similar to the "net" tool, where we can work around this by using "netbios name = <up to 15 char name>" in smb.conf, we would need a similar option to pass the netbios name to the realmd tool.

Comment 3 Stef Walter 2013-09-06 07:26:39 UTC
Doing research on this because it's not as simple as one might imagine. The NetBIOS name of a machine is used as a Kerberos computer account name in AD.

Comment 4 Stef Walter 2013-09-06 07:27:38 UTC
An example computer account on a Windows client:

Full name: this-is-a-long-computer-name-more-than-15
Automatically truncated name: THIS-IS-A-LONG-

# THIS-IS-A-LONG-, Computers, borg.thewalter.lan
dn: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: THIS-IS-A-LONG-
distinguishedName: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
instanceType: 4
whenCreated: 20130906072132.0Z
whenChanged: 20130906072222.0Z
uSNCreated: 184419
uSNChanged: 184432
name: THIS-IS-A-LONG-
objectGUID:: 80gHyB9OmkSoxfX0nFPRgA==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130229257508468000
localPolicyFlags: 0
pwdLastSet: 130229256927680000
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA9/w0hJ1SMagNN9rNmQQAAA==
accountExpires: 9223372036854775807
logonCount: 6
sAMAccountName: THIS-IS-A-LONG-$
sAMAccountType: 805306369
operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1
dNSHostName: this-is-a-long-computer-name-more-than-15.borg.thewalter.lan
servicePrincipalName: RestrictedKrbHost/this-is-a-long-computer-name-more-than
 -15.borg.thewalter.lan
servicePrincipalName: HOST/this-is-a-long-computer-name-more-than-15.borg.thew
 alter.lan
servicePrincipalName: RestrictedKrbHost/THIS-IS-A-LONG-
servicePrincipalName: HOST/THIS-IS-A-LONG-
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=borg,DC=thewalter,DC
 =lan
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130229256933764000
msDS-SupportedEncryptionTypes: 28

Comment 6 Stef Walter 2013-09-06 08:02:37 UTC
If a second Windows client joins with the same first 15 characters, the computer account overwrites the first. This is the same behavior as joining a second computer with an identical name.

In the future we will have user interfaces that help administrators choose an appropriate non-conflicting name when joining a domain. However for the time being I believe we should just mimic the Windows behavior. 

Account after second windows client has been joined (first no longer present):

# THIS-IS-A-LONG-, Computers, borg.thewalter.lan
dn: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: THIS-IS-A-LONG-
distinguishedName: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
instanceType: 4
whenCreated: 20130906072132.0Z
whenChanged: 20130906080011.0Z
uSNCreated: 184419
uSNChanged: 184457
name: THIS-IS-A-LONG-
objectGUID:: 80gHyB9OmkSoxfX0nFPRgA==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130229280105224000
localPolicyFlags: 0
pwdLastSet: 130229280053276000
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA9/w0hJ1SMagNN9rNmQQAAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: THIS-IS-A-LONG-$
sAMAccountType: 805306369
operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1
dNSHostName: this-is-a-long-computer-name-conflict.borg.thewalter.lan
servicePrincipalName: RestrictedKrbHost/this-is-a-long-computer-name-conflict.
 borg.thewalter.lan
servicePrincipalName: HOST/this-is-a-long-computer-name-conflict.borg.thewalte
 r.lan
servicePrincipalName: RestrictedKrbHost/THIS-IS-A-LONG-
servicePrincipalName: HOST/THIS-IS-A-LONG-
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=borg,DC=thewalter,DC
 =lan
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130229256933764000
msDS-SupportedEncryptionTypes: 28

Comment 7 Stef Walter 2013-09-06 08:10:10 UTC
Jakub, if we do a domain join with a truncated hostname (see above) then I guess we'd need to explicitly tell sssd.conf about that truncation, right?

Comment 8 Jakub Hrozek 2013-09-06 09:31:45 UTC
(In reply to Stef Walter from comment #7)
> Jakub, if we do a domain join with a truncated hostname (see above) then I
> guess we'd need to explicitly tell sssd.conf about that truncation, right?

Seems that the DNS name reflects the real long name, while the sAMAccountName is truncated.

I don't see any other way than setting ldap_sasl_authid to the sAMAccountName. In the example above, that would be:
ldap_sasl_authid = THIS-IS-A-LONG-$

That way, the Kerberos auth will keep working as it'll select the right principal from the keytab, while stuff like DNS dynamic updates can keep using the long host name.

Comment 9 Stef Walter 2013-09-06 12:33:45 UTC
Patches for adcli and realmd upstream.

Comment 10 Patrik Kis 2013-09-06 14:22:42 UTC
Stef,
can you please describe how this issue will be fixed in order to be able to verify it? Does it introduce a new parameter to realm/adcli? Thank you.

Comment 11 Stef Walter 2013-09-06 14:33:28 UTC
Use of Active Directory with computer host names longer than 15 characters is not best practice in production.

But in general we use the same algorithm as Windows clients when calculating netbios host names. We take the first dotted portion of the FQDN, convert to upper case, and truncate to 15 characters.

Fix for adcli:

 * When calculating a netbios computer account name from FQDN, truncate to first
   15 characters. The truncated computer account name will be visible using
   --show-details join argument.
 * Above will not happen if a long --computer-name was explicitly specified. In
   that case the join will just fail with the AD error code.

Fix for realmd:

 * During discovery determine whether we need to explicitly control our netbios
   name. If truncation must occur, make note of this.
 * If explicit control of netbios name is active:
   * During samba join, set 'netbios name' during join.
   * When configuring winbind, set 'netbios name' in smb.conf
   * When configuring sssd set 'ldap_sasl_authid' in sssd.conf to netbios
     name with a dollar sign after it, to tell sssd about the computer account
     name that doesn't match the host name.

In the future more work will be done with regard to helping administrators choose appropriate and non-conflicting host names. But the above should fix the issue for now, and is equivalent to Windows behavior.

Comment 12 Stef Walter 2013-09-06 14:40:26 UTC
Deon, this may be of interest for documentation:

 * The domain accounts of computers that have identical host names will
   overwrite each other when joining the domain.
   * Since domain administrative credentials are required in these cases, it is
     assumed that the administrator is aware of this and the action is
     intentional (i.e. such as to replace a previous computer account with
     the same name).
 * The above is *also* true when the first 15 characters of the name are
   identical between two host names.

This is the same behavior as Windows Server domain members.

Future work will refine behavior in this area, but such work will not occur within the RHEL 7.0 time frame.
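As an added example (not code from realmd, adcli or this bug), the following Python puts the naming rule from comment 11 next to the ldap_sasl_authid value from comment 8 and the collision check behind the documentation note in comment 12: the first dotted label of the FQDN is upper-cased and cut to 15 characters, sssd gets that name plus a trailing "$", and two hosts that agree on their first 15 characters map to one computer account. The host names, the realm passed to join_config(), the [domain/<realm>] section header in the sssd.conf fragment and all function names are constructed for the example; the ValueError for an explicitly requested long --computer-name stands in for the AD error code the comment mentions.

```python
"""Computer-account naming as described in comments 8, 11 and 12 of this bug.

Added example, not realmd or adcli code. Host names and realm are
constructed from the ones quoted in the bug.
"""
from collections import defaultdict
from typing import Optional

NETBIOS_MAX = 15

# Constructed sample: two hosts sharing their first 15 characters (the
# collision from comment 6), the reporter's host, and a short host.
SAMPLE_HOSTS = [
    "this-is-a-long-computer-name-more-than-15.borg.thewalter.lan",
    "this-is-a-long-computer-name-conflict.borg.thewalter.lan",
    "kautest-sssdclient-vm100.example.com",
    "short.example.com",
]


def first_label(fqdn: str) -> str:
    """The host part of an FQDN: everything before the first dot."""
    return fqdn.split(".", 1)[0]


def netbios_name(fqdn: str) -> str:
    """Windows-style derivation (comment 11): first label, upper case,
    truncated to 15 characters."""
    return first_label(fqdn).upper()[:NETBIOS_MAX]


def computer_account_name(fqdn: str, explicit: Optional[str] = None) -> str:
    """adcli's rule from comment 11: a name derived from the FQDN is
    truncated, but an explicitly requested long --computer-name is not.
    AD rejects such a name; that rejection is modelled as a ValueError.
    An explicit name of acceptable length is passed through unchanged."""
    if explicit is None:
        return netbios_name(fqdn)
    if len(explicit) > NETBIOS_MAX:
        raise ValueError(
            f"computer name {explicit!r} is {len(explicit)} chars, "
            f"maximum is {NETBIOS_MAX}")
    return explicit


def needs_explicit_netbios(fqdn: str) -> bool:
    """realmd's discovery-time check: take explicit control of the
    NetBIOS name only when the host label would be truncated."""
    return len(first_label(fqdn)) > NETBIOS_MAX


def sssd_sasl_authid(fqdn: str) -> str:
    """ldap_sasl_authid from comment 8: the computer account's
    sAMAccountName, i.e. the NetBIOS name with a trailing '$'."""
    return netbios_name(fqdn) + "$"


def join_config(fqdn: str, realm: str) -> dict:
    """Config fragments realmd must write when truncation occurs
    (comment 11). An empty dict means the host-name-derived defaults
    are already correct and nothing extra is needed."""
    if not needs_explicit_netbios(fqdn):
        return {}
    nb = netbios_name(fqdn)
    return {
        "smb.conf": f"[global]\nnetbios name = {nb}\n",
        "sssd.conf": f"[domain/{realm}]\nldap_sasl_authid = {nb}$\n",
    }


def account_collisions(fqdns) -> dict:
    """Hosts whose computer accounts would overwrite each other in AD
    (comments 6 and 12): identical first 15 characters, one account."""
    groups = defaultdict(list)
    for fqdn in fqdns:
        groups[netbios_name(fqdn)].append(fqdn)
    return {name: hosts for name, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        flag = "(truncated)" if needs_explicit_netbios(host) else ""
        print(f"{host:62} -> {netbios_name(host):15} {flag}")
    for name, hosts in account_collisions(SAMPLE_HOSTS).items():
        print(f"collision on {name}$: {', '.join(hosts)}")
```

Running the script on the sample list reports both borg.thewalter.lan hosts under the single account THIS-IS-A-LONG-$, which is exactly the overwrite comment 6 observed; an administrator who wants to keep both machines joined has to rename one so that the first 15 characters differ.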

Comment 15 Ludek Smid 2014-06-13 13:30:10 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.