Bug 1004823
| Summary: | join fails with adlci on ppc64 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | adcli | Assignee: | Stef Walter <stefw> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Patrik Kis <pkis> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | dspurek, pkis |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | ppc64 | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | adcli-0.7.4-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 11:55:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Patrik Kis
2013-09-05 14:41:20 UTC
It seems that the issue is caused by adcli directly: # adcli -v delete-computer --domain=ad.baseos.qe --domain-controller=10.34.37.22 ibm-p750e-02-lp.ad.baseos.qe * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: IBM-P750E-02-LP * Calculated domain realm from name: AD.BASEOS.QE * Sending cldap pings to domain controller: 10.34.37.22 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-97OXE6/krb5.d/adcli-krb5-conf-5ycpN2 Password for Administrator.QE: * Authenticated as user: Administrator.QE ! Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found adcli: couldn't connect to ad.baseos.qe domain: Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found Please try the following commands: $ kinit Administrator.QE $ ldapwhoami -H ldap://sec-ad1.ad.baseos.qe -Y GSSAPI These should complete successfully and output your login name. (In reply to Stef Walter from comment #4) > Please try the following commands: > > $ kinit Administrator.QE > $ ldapwhoami -H ldap://sec-ad1.ad.baseos.qe -Y GSSAPI > > These should complete successfully and output your login name. I get different output on ppc64 and s390x, but I'd say because it used different addresses: PPC64: # kinit Administrator.QE Password for Administrator.QE: # ldapwhoami -H ldap://sec-ad1.ad.baseos.qe -Y GSSAPI SASL/GSSAPI authentication started SASL username: Administrator.QE SASL SSF: 56 SASL data security layer installed. u:AD\Administrator # # adcli -v delete-computer --domain=ad.baseos.qe --domain-controller=10.34.37.22 `hostname` * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: IBM-P720-01-LP4 * Calculated domain realm from name: AD.BASEOS.QE * Sending cldap pings to domain controller: 10.34.37.22 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-Dq4vXj/krb5.d/adcli-krb5-conf-UKAUnb Password for Administrator.QE: * Authenticated as user: Administrator.QE ! Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found adcli: couldn't connect to ad.baseos.qe domain: Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found S390x: # kinit Administrator.QE Password for Administrator.QE: # ldapwhoami -H ldap://sec-ad1.ad.baseos.qe -Y GSSAPI ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found # adcli -v delete-computer --domain=ad.baseos.qe --domain-controller=10.34.37.22 `hostname` * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: IBM-Z10-30 * Calculated domain realm from name: AD.BASEOS.QE * Sending cldap pings to domain controller: 10.34.37.22 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-t44PFw/krb5.d/adcli-krb5-conf-rjAyZI Password for Administrator.QE: * Authenticated as user: Administrator.QE ! Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found adcli: couldn't connect to ad.baseos.qe domain: Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found (In reply to Patrik Kis from comment #5) > S390x: > > # kinit Administrator.QE > Password for Administrator.QE: > # ldapwhoami -H ldap://sec-ad1.ad.baseos.qe -Y GSSAPI > ldap_sasl_interactive_bind_s: Unknown authentication method (-6) > additional info: SASL(-4): no mechanism available: No worthy mechs found So on s390x this seems broken in openldap or krb5 gssapi. Ignoring s390x for this bug report. You may wish to file a separate bug report to follow up on this with those maintainers. On ppc64 this does seem like an adcli problem. Persuing... The s390x case was filed in bug 1005267 (openldap) Patch upstream for adcli. This fix looks ok at the first glance: # rpm -q adcli adcli-0.7.2-1.el7.ppc64 # adcli delete-computer -v --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.34.37.22 --login-user amy-admin ad.baseos.qe * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: PPC64-M00 * Using domain realm: ad.baseos.qe * Sending cldap pings to domain controller: 10.34.37.22 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-Gvo8f3/krb5.d/adcli-krb5-conf-93orYY Password for amy-admin.QE: * Authenticated as user: amy-admin.QE ! Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found adcli: couldn't connect to ad.baseos.qe domain: Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found # # # # # rpm -Uvh adcli-0.7.4-1.el7.ppc64.rpm Preparing... ################################# [100%] Updating / installing... 1:adcli-0.7.4-1.el7 ################################# [ 50%] Cleaning up / removing... 2:adcli-0.7.2-1.el7 ################################# [100%] # adcli delete-computer -v --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.34.37.22 --login-user amy-admin ad.baseos.qe * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: PPC64-M00 * Using domain realm: ad.baseos.qe * Sending cldap pings to domain controller: 10.34.37.22 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-eV0pj1/krb5.d/adcli-krb5-conf-SZUWoX Password for amy-admin.QE: * Authenticated as user: amy-admin.QE * Looked up short domain name: AD * Using fully qualified name: ppc64-m00.lab.eng.brq.redhat.com * Using domain name: ad.baseos.qe * Using computer account name: PPC64-M00 * Using domain realm: ad.baseos.qe * Using fully qualified name: ad.baseos.qe * Calculated computer account name from fqdn: AD * Computer account for AD$ does not exist ! No computer account for AD$ exists adcli: deleting ad.baseos.qe in ad.baseos.qe domain failed: No computer account for AD$ exists # This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |