Bug 1370457
| Summary: | Make sure samba membership-software can use manually set NetBIOS name during 'realm leave --remove' | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sumit Bose <sbose> |
| Component: | realmd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | Patrik Kis <pkis> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | lmiksik, mkosek, mmuehlfe, pcech, pkis, sbose, sumenon |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | realmd-0.16.1-11.el7 | Doc Type: | Known Issue |
| Doc Text: |
_realmd_ fails to remove the computer account from AD
Red Hat Enterprise Linux uses Samba as default back end for Active Directory (AD) domain memberships. In this case, if you manually set a computer name using the "--computer-name" option with the "realm join" command, the account cannot be removed from AD when you leave the domain. To work around this problem, do not use the "--computer-name" option and instead add the computer name to the `/etc/realmd.conf` file. For example:
```
[domain.example.com]
computer-name = host_name
```
With the workaround, the host is successfully joined to the domain and the account is automatically removed if you leave the domain using the "realm leave --remove" command.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 11:02:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1550132 | ||
|
Description
Sumit Bose
2016-08-26 11:30:27 UTC
Tested on Red Hat Enterprise Linux Client release 7.6 Beta (Maipo) using realmd-0.16.1-11.el7.x86_64 and Windows 2016 AD environment.

====Scenario1 (hostname with more than 15 characters====

```
[root@ipaclientfin03454 #]hostname
ipaclientfin03454.ipaad2016.test

[root@ipaclientfin03454 log]# realm -v join --user=administrator --client-software=sssd --membership-software=samba idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: _ldap._tcp.idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: idm-qe-ipa-ci1.ipaad2016.test
 * Performing LDAP DSE lookup on:
 * Successfully discovered: ipaad2016.test
Password for administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * Joining using a truncated netbios name: IPACLIENTFIN034
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.4AFPOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads join ipaad2016.test
Enter administrator's password:
DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- IPAAD2016
Joined 'IPACLIENTFIN034' to dns domain 'ipaad2016.test'
No DNS domain configured for ipaclientfin034. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.4AFPOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads keytab create
Enter administrator's password:Secret123
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

[root@ipaclientfin03454 log]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=ipaclientfin034,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
dn: CN=IPACLIENTFIN034,CN=Computers,DC=ipaad2016,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: IPACLIENTFIN034
distinguishedName: CN=IPACLIENTFIN034,CN=Computers,DC=ipaad2016,DC=test
instanceType: 4
whenCreated: 20180903122842.0Z
whenChanged: 20180903122853.0Z
uSNCreated: 406778
uSNChanged: 406784
name: IPACLIENTFIN034
objectGUID:: AdbnXpi+wkirzjAN0nRtoA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131804513677918269
localPolicyFlags: 0
pwdLastSet: 131804513243582646
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANxZ3MMMmdt5x1jFfBSMAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: IPACLIENTFIN034$
sAMAccountType: 805306369
dNSHostName: ipaclientfin034.ipaad2016.test
servicePrincipalName: HOST/ipaclientfin034.ipaad2016.test
servicePrincipalName: HOST/IPACLIENTFIN034
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ipaad2016,DC=test
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131804513334025471
msDS-SupportedEncryptionTypes: 31

[root@ipaclientfin03454 log]# realm -v leave --remove --user=administrator
Password for administrator:
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SC6EOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads leave
Enter administrator's password:***
Deleted account for 'IPACLIENTFIN034' in realm 'IPAAD2016.TEST'
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
No cache object matched the specified search
 ! Flushing the sssd cache failed
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
 * /usr/bin/systemctl stop sssd.service
 * Successfully unenrolled machine from realm

[root@ipaclientfin03454 log]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=ipaclientfin03454,CN=Computers,dc=ad,dc=ipaad2016,dc=test -s sub '*'
No such object (32)
Matched DN: DC=ipaad2016,DC=test
Additional information: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=ipaad2016,DC=test'

[root@ipaclientfin03454 log]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=ipaclientfin034,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
No such object (32)
Matched DN: CN=Computers,DC=ipaad2016,DC=test
Additional information: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=Computers,DC=ipaad2016,DC=test'
```

==== Scenario2 using computer-name option ===

```
[root@ipaclientfin03454 ~]# realm -v join --user=administrator --client-software=sssd --membership-software=samba --computer-name=bz1370457 idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: _ldap._tcp.idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: idm-qe-ipa-ci1.ipaad2016.test
 * Performing LDAP DSE lookup on:
 * Successfully discovered: ipaad2016.test
Password for administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * Joining using a manual netbios name: bz1370457
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.PFGKOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads join ipaad2016.test
Enter administrator's password:
DNS update failed: NT_STATUS_INVALID_PARAMETER
Using short domain name -- IPAAD2016
Joined 'BZ1370457' to dns domain 'ipaad2016.test'
No DNS domain configured for bz1370457. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.PFGKOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads keytab create
Enter administrator's password:
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

[root@ipaclientfin03454 ~]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=bz1370457,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
dn: CN=BZ1370457,CN=Computers,DC=ipaad2016,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: BZ1370457
distinguishedName: CN=BZ1370457,CN=Computers,DC=ipaad2016,DC=test
instanceType: 4
whenCreated: 20180903140130.0Z
whenChanged: 20180903140145.0Z
uSNCreated: 407280
uSNChanged: 407286
name: BZ1370457
objectGUID:: va0OlMKNyECZlJIFUCVACg==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131804569406673518
localPolicyFlags: 0
pwdLastSet: 131804568920262681
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANxZ3MMMmdt5x1jFfGiMAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: BZ1370457$
sAMAccountType: 805306369
dNSHostName: bz1370457.ipaad2016.test
servicePrincipalName: HOST/bz1370457.ipaad2016.test
servicePrincipalName: HOST/BZ1370457
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ipaad2016,DC=test
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131804569058866207
msDS-SupportedEncryptionTypes: 31

[root@ipaclientfin03454 ~]# realm -v leave --remove --user=administrator
Password for administrator:
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.XYMBOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads leave
Enter administrator's password:
Deleted account for 'BZ1370457' in realm 'IPAAD2016.TEST'
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
No cache object matched the specified search
 ! Flushing the sssd cache failed
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
 * /usr/bin/systemctl stop sssd.service
 * Successfully unenrolled machine from realm

[root@ipaclientfin03454 ~]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=bz1370457,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
No such object (32)
Matched DN: CN=Computers,DC=ipaad2016,DC=test
Additional information: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=Computers,DC=ipaad2016,DC=test'
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3190
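
The account lookup done by hand in the verification above can be scripted. The following is an added example, not part of the bug report or of realmd: it derives the computer account name that `realm leave --remove` should have deleted, preferring a `computer-name` entry in a realmd.conf-style file and otherwise truncating the short host name to 15 upper-case characters as the join log shows. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out which AD computer account 'realm leave --remove'
# should have deleted, so a leftover account can be searched for afterwards.

# NetBIOS-style name: short host name, upper case, at most 15 characters
# (the "truncated netbios name" in the join log). Assumption: the same
# normalisation is applied here to a manually configured name.
netbios_name() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# Value of 'computer-name' in the [domain] section of a realmd.conf-style
# file; prints nothing if the section or the key is absent.
conf_computer_name() {   # args: conf-file domain
    awk -v want="$2" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      in_sec = (tolower(s) == tolower(want)); next }
        in_sec && /^[ \t]*computer-name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# sAMAccountName to look for: a configured name wins, else the host name.
expected_account() {     # args: conf-file domain fqdn
    name=$(conf_computer_name "$1" "$2")
    [ -n "$name" ] || name=$3
    printf '%s$\n' "$(netbios_name "$name")"
}

# LDAP filter for ldapsearch; an entry returned after leaving the domain
# is a computer account that was not removed.
stale_account_filter() { # args: conf-file domain fqdn
    printf '(&(objectClass=computer)(sAMAccountName=%s))\n' \
        "$(expected_account "$@")"
}

# Constructed sample configuration, same shape as the Doc Text workaround.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[ipaad2016.test]
computer-name = bz1370457
EOF

stale_account_filter "$SAMPLE_CONF" ipaad2016.test ipaclientfin03454.ipaad2016.test
stale_account_filter /dev/null ipaad2016.test ipaclientfin03454.ipaad2016.test
```

Pass the printed filter to `ldapsearch` with the domain's base DN; any entry returned after the host has left the domain is a stale computer account.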