Bug 1267319

Summary: adcli builds keytab incompatible with openssh GSSAPI
Product: Fedora EPEL
Reporter: John Beranek <john>
Component: adcli
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: el6
CC: sgallagh, stefw
Hardware: Unspecified
OS: Unspecified
Fixed In Version: adcli-0.8.0-1.el6
Doc Type: Bug Fix
Last Closed: 2016-01-04 23:54:13 UTC
Type: Bug

Description John Beranek 2015-09-29 15:46:30 UTC
Description of problem:

When adcli is used to join an AD domain, it creates a keytab (/etc/krb5.keytab) which is not compatible with logging in to the OpenSSH server using GSSAPI authentication.

In particular it uses an SPN like:

HOST/server1.example.com

when OpenSSH expects:

host/server1.example.com

This problem has been fixed in upstream adcli, but is not in a released version. See:

https://bugs.freedesktop.org/show_bug.cgi?id=84749
http://cgit.freedesktop.org/realmd/adcli/commit/?id=ec132a3add4c41a9c1efa6c12b2c900df66151d1


Version-Release number of selected component (if applicable):

adcli-0.7.3-1.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Delete /etc/krb5.keytab
2. Use 'adcli join example.com' to join the domain
3. Try to log in to the machine from an AD-integrated Windows machine using something like GSSAPI-enabled PuTTY

Actual results:

User is prompted for a password

Expected results:

User can login with a password

Additional info:

Comment 1 John Beranek 2015-09-29 15:48:18 UTC
Correction to "Expected results", it should read:

User can login WITHOUT a password

Comment 2 John Beranek 2015-09-29 15:50:14 UTC
Workaround is to add something like the following to the "adcli join" command:

--user-principal="host/`hostname`@EXAMPLE.COM"
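The following check is an added example and is not part of the bug report or of adcli itself. It takes the output of `klist -k` (sample listings constructed inline, one as adcli 0.7.3 writes the keytab with `HOST/...`, one as it looks after the fix or with the `--user-principal` workaround above) and reports whether the exact, lowercase `host/<fqdn>@REALM` principal that OpenSSH's GSSAPI authentication acquires credentials for is present. Kerberos compares principal names case-sensitively, so a keytab that only carries `HOST/...` is indistinguishable from a missing one as far as sshd is concerned. The FQDN and realm arguments are assumed inputs; on a real host they would come from `hostname -f` and the joined realm.

```shell
#!/bin/sh
# Added example: verify that a keytab listing contains the host/<fqdn>@REALM
# principal sshd's GSSAPI authentication needs, and distinguish a missing
# principal from one that is present in the wrong case (HOST/...).

# check_host_principal FQDN REALM  (reads `klist -k` output on stdin)
#   exit 0: exact host/FQDN@REALM entry present
#   exit 1: only a differently-cased variant present (e.g. HOST/FQDN@REALM)
#   exit 2: no host principal for FQDN at all
check_host_principal() {
  awk -v want="host/$1@$2" '
    # klist -k data rows start with a numeric KVNO followed by the principal
    $1 ~ /^[0-9]+$/ {
      if ($2 == want) exact = 1
      else if (tolower($2) == tolower(want)) wrongcase = 1
    }
    END { if (exact) exit 0; if (wrongcase) exit 1; exit 2 }
  '
}

# Constructed sample: keytab as produced by adcli 0.7.3 (uppercase HOST/ SPN).
KEYTAB_ADCLI_073='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/server1.example.com@EXAMPLE.COM
   2 SERVER1$@EXAMPLE.COM'

# Constructed sample: keytab after the upstream fix / --user-principal workaround.
KEYTAB_FIXED='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server1.example.com@EXAMPLE.COM
   2 SERVER1$@EXAMPLE.COM'

# report LISTING FQDN REALM: human-readable verdict for one listing
report() {
  printf '%s\n' "$1" | check_host_principal "$2" "$3"
  case $? in
    0) echo "ok: host/$2@$3 present, GSSAPI ssh logins can work" ;;
    1) echo "MISMATCH: host principal for $2 exists only in the wrong case; sshd will not find it" ;;
    *) echo "MISSING: no host principal for $2 in keytab" ;;
  esac
}

report "$KEYTAB_ADCLI_073" server1.example.com EXAMPLE.COM
report "$KEYTAB_FIXED"     server1.example.com EXAMPLE.COM
# On a joined host: klist -k /etc/krb5.keytab | check_host_principal "$(hostname -f)" EXAMPLE.COM
```

The check reads the listing rather than the keytab file directly so it works with any Kerberos implementation's `klist -k` output and can be run against a saved listing from an audit.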

Comment 3 Fedora Update System 2015-10-19 10:34:52 UTC
adcli-0.7.6-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0fbdddc742

Comment 4 Fedora Update System 2015-10-19 16:24:38 UTC
adcli-0.7.6-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update adcli'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0fbdddc742

Comment 5 Fedora Update System 2015-12-17 13:45:33 UTC
adcli-0.8.0-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-bb1a6feaea

Comment 6 Fedora Update System 2015-12-18 14:19:36 UTC
adcli-0.8.0-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update adcli'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-bb1a6feaea

Comment 7 Fedora Update System 2016-01-04 23:54:11 UTC
adcli-0.8.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.