Bug 1258488

Summary: Join to AD with adcli and defined computer-ou fails
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: realmd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: ebenes, ovasik, peljasz, pkis, sbose, stefw
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: realmd-0.16.1-6.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 07:46:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrik Kis 2015-08-31 13:28:33 UTC
Description of problem:
Not sure if this is an adcli or realmd issue, but I have an impression that adcli does not fully support this option. So either it should be implemented/fixed in adcli, or realmd should be prevented from using a predefined computer-ou together with adcli for the join.

Version-Release number of selected component (if applicable):
adcli-0.7.5-4.el7
realmd-0.16.1-3.el7
but the old realmd-0.14.6-6.el7 has this issue too

How reproducible:
always

Steps to Reproduce:
echo -n <password> | adcli join --verbose --domain <ad_domain> --domain-realm <AD_REALM> --domain-controller <ad_ip> --login-type user --login-user <login_user> --computer-ou OU=<OU> --stdin-password

Actual results:

Either

 ! Couldn't lookup computer container: 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0

adcli: joining domain ad.baseos.qe failed: Couldn't lookup computer container: 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 

if the computer record does not exist in AD at all, or, if it exists, the following error is displayed:

adcli: joining domain <ad_domain> failed: The computer account <machine_hostname> already exists, but is not in the desired organizational unit.

Comment 2 Patrik Kis 2015-08-31 13:32:10 UTC
NOTE that in realmd-0.16.1-3.el7 adcli became the default membership software, so this issue might be more visible.
Changing the target release to RHEL-7.2, but leaving the decision to fix/postpone to devel, as the issue is not that critical and has an easy workaround (--membership-software=samba).

Comment 5 Stef Walter 2015-09-07 11:09:21 UTC
The adcli command line is incorrect. The adcli documentation states:

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the computer
           account. If not specified then the computer account will be
           created in a default location.

In other words, an argument like OU=TestOU is an incomplete OU. If you are driving adcli directly, please specify the full OU, like this: OU=TestOU,DC=example,DC=com

Comment 6 Stef Walter 2015-09-07 11:14:20 UTC
So workaround for this is to specify a full DN to the realm client --computer-ou command.

So I think this is a realmd bug. It should perform the qualification automatically before handing it off to adcli.
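
The qualification step Comments 5 and 6 describe (turning a bare `OU=TestOU` into the full DN that adcli's `--domain-ou` expects, built from the domain name) can be done in a few lines of shell in front of adcli. This is an added example, not realmd or adcli code: the helper names `domain_to_dc`, `qualify_ou` and `adcli_join_cmd` are assumptions, `example.com` is a placeholder domain, and the join command is only printed, not run, because it needs a reachable domain controller and credentials.

```sh
#!/bin/sh
# Added example (not realmd/adcli code): qualify a bare OU such as "OU=TestOU"
# into the full DN expected by adcli --domain-ou, derived from the AD domain
# name, and leave an already-qualified DN untouched.

# domain_to_dc DOMAIN -> "DC=..." suffix, e.g. example.com -> DC=example,DC=com
domain_to_dc() {
    printf 'DC=%s\n' "$1" | sed 's/\./,DC=/g'
}

# qualify_ou DOMAIN OU -> full distinguished name.
# An OU that already carries a DC= component is assumed to be complete and is
# passed through unchanged, so callers may hand in either form.
qualify_ou() {
    domain=$1
    ou=$2
    case "$ou" in
        *[Dd][Cc]=*) printf '%s\n' "$ou" ;;
        *)           printf '%s,%s\n' "$ou" "$(domain_to_dc "$domain")" ;;
    esac
}

# adcli_join_cmd DOMAIN OU LOGIN_USER -> the adcli invocation with a qualified
# --domain-ou (the option documented in Comment 5). Printed, not executed.
adcli_join_cmd() {
    dn=$(qualify_ou "$1" "$2")
    printf 'adcli join --verbose --domain %s --login-type user --login-user %s --domain-ou %s --stdin-password\n' \
        "$1" "$3" "$dn"
}

# Demonstration with placeholder values (assumptions, not values from the bug):
adcli_join_cmd example.com OU=TestOU Administrator
adcli_join_cmd example.com OU=Linux,OU=Servers,DC=example,DC=com Administrator
```

Pipe the join password in on stdin (`echo -n '<password>' | eval "$(adcli_join_cmd ...)"`) once the printed command line looks right; the point of the helper is that a bare OU and a full DN both end up as the fully qualified DN adcli requires, which is exactly the normalization realmd was expected to perform before the fix.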

Comment 17 lejeczek 2016-05-12 12:57:40 UTC
it would be nice to have it fixed, more than half a year later and admins still bog down there.

Comment 21 errata-xmlrpc 2016-11-04 07:46:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2511.html