Bug 1475322

Summary: Suggested realm command to join AD with a specific user doesn't work
Product: Red Hat Enterprise Linux 7
Reporter: Benjamin Bellec <b.bellec>
Component: doc-Windows_Integration_Guide
Assignee: Filip Hanzelka <fhanzelk>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: high
Version: 7.3
CC: b.bellec, fhanzelk, lmanasko, rhel-docs
Target Milestone: rc
Keywords: Documentation, EasyFix
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-11-06 09:33:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Benjamin Bellec 2017-07-26 12:38:09 UTC
Description of problem:
The problem lies in the part "3.4. Discovering and Joining Identity Domains", sub-part "Joining a Domain".

The example command to join the AD with a specific user is:
# realm join ad.example.com -U 'AD.EXAMPLE.COM\user'

In my case, if I specify explicitly the 'AD.EXAMPLE.COM' domain, it doesn't work.
I have to leave the login alone like this:
# realm join ad.example.com -U 'user'


Version-Release number of selected component (if applicable):
Revision 7.0-31

How reproducible:
Clean CentOS 7.3 installation.
Kerberos not (yet) configured on the client machine trying to join the AD.

Steps to Reproduce:
1. Execute: realm join MYDOMAIN.LOCAL -U 'MYDOMAIN.LOCAL\administrator'

Actual results:
Command output is:
Password for MYDOMAIN.LOCAL\administrator:
See: journalctl REALMD_OPERATION=r9449.17528
realm: Couldn't join realm: Extracting host keytab failed

The "journalctl REALMD_OPERATION=r9449.17528" command says:
juil. 26 12:02:35 samba realmd[17519]:  * Resolving: _ldap._tcp.mydomain.local
juil. 26 12:02:35 samba realmd[17519]:  * Performing LDAP DSE lookup on: 192.168.1.7
juil. 26 12:02:35 samba realmd[17519]:  * Performing LDAP DSE lookup on: 192.168.1.2
juil. 26 12:02:35 samba realmd[17519]:  * Successfully discovered: MYDOMAIN.local
juil. 26 12:02:37 samba realmd[17519]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
juil. 26 12:02:37 samba realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads join MYDOMAIN.local
juil. 26 12:02:38 samba realmd[17519]: Enter MYDOMAIN\administrator's password:DNS update failed: NT_STATUS_INVALID_PARAMETER
juil. 26 12:02:38 samba realmd[17519]:
juil. 26 12:02:38 samba realmd[17519]: Using short domain name -- MYDOMAIN
juil. 26 12:02:38 samba realmd[17519]: Joined 'SAMBA' to dns domain 'MYDOMAIN.local'
juil. 26 12:02:38 samba realmd[17519]: No DNS domain configured for samba. Unable to perform DNS Update.
juil. 26 12:02:38 samba realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads keytab create
juil. 26 12:02:38 samba realmd[17519]: Enter MYDOMAIN\administrator's password:kerberos_kinit_password MYDOMAIN\administrator failed: Client not found in Kerberos database
juil. 26 12:02:38 samba realmd[17519]: kerberos_kinit_password MYDOMAIN\administrator failed: Client not found in Kerberos database
juil. 26 12:02:38 samba realmd[17519]:
juil. 26 12:02:38 samba realmd[17519]:  ! Extracting host keytab failed

As you can see, kinit tries to use the login "MYDOMAIN\administrator", which I think is wrong.

After this command ends, the client machine is visible in the AD computers list, but the DNS record has not been set.
On the client machine, it looks like nothing has been set up (krb5.conf hasn't changed, nor smb.conf, nor sssd.conf), and "realm list" outputs nothing.

I removed the machine from the AD computer list and retried with the command:
# realm join MYDOMAIN.LOCAL -U 'administrator'

And this one works perfectly.

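The journal excerpt in the report shows the state a defender should watch for: the computer object was created in AD ("Joined 'SAMBA' to dns domain ...") but the host keytab was never extracted, so the machine is half-joined with a stale computer account on the domain side and nothing usable on the client. The script below is an added example, not part of the bug report, of realmd or of Samba: it classifies a "journalctl REALMD_OPERATION=<id>" excerpt as ok, partial-join or failed, pulls out the principal realmd handed to kinit, flags a DOMAIN\ prefix on the -U argument (the form the reporter found to fail), and checks the local end state. The function names are hypothetical helpers, and the sample log lines are constructed to mirror the messages quoted above.

```shell
#!/bin/sh
# Added example, not part of the bug report or of realmd/Samba.
# Function names (classify_join_log, kinit_principal, has_domain_prefix,
# verify_join_state) are hypothetical helpers written for this illustration.

# Constructed sample: the partial-join sequence quoted in the report
# (computer object created, keytab extraction failed).
SAMPLE_PARTIAL=$(cat <<'EOF'
realmd[17519]:  * Successfully discovered: MYDOMAIN.local
realmd[17519]: Joined 'SAMBA' to dns domain 'MYDOMAIN.local'
realmd[17519]: No DNS domain configured for samba. Unable to perform DNS Update.
realmd[17519]: kerberos_kinit_password MYDOMAIN\administrator failed: Client not found in Kerberos database
realmd[17519]:  ! Extracting host keytab failed
EOF
)

# Constructed sample: a join where the keytab step raised no error.
SAMPLE_OK=$(cat <<'EOF'
realmd[17519]:  * Successfully discovered: MYDOMAIN.local
realmd[17519]: Joined 'SAMBA' to dns domain 'MYDOMAIN.local'
EOF
)

# Does the -U argument carry a DOMAIN\ prefix? (The form the report found
# to fail; the bare user name worked.) Returns 0 when a prefix is present.
has_domain_prefix() {
    case "$1" in
        *\\*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Principal that realmd passed to kinit, taken from the first
# "kerberos_kinit_password <principal> failed" line (empty if none).
kinit_principal() {
    printf '%s\n' "$1" |
        sed -n 's/.*kerberos_kinit_password \([^ ]*\) failed.*/\1/p' |
        head -n 1
}

# Classify a "journalctl REALMD_OPERATION=<id>" excerpt:
#   partial-join : "Joined ..." logged but host keytab extraction failed,
#                  i.e. a computer object exists in AD with no matching
#                  local keytab (the state described in the report)
#   failed       : the join never reached the "Joined ..." step
#   ok           : joined and no keytab failure recorded
classify_join_log() {
    log="$1"
    joined=0
    keytab_failed=0
    printf '%s\n' "$log" | grep -q "Joined '" && joined=1
    printf '%s\n' "$log" | grep -q 'Extracting host keytab failed' && keytab_failed=1
    if [ "$joined" -eq 1 ] && [ "$keytab_failed" -eq 1 ]; then
        echo partial-join
    elif [ "$joined" -eq 0 ]; then
        echo failed
    else
        echo ok
    fi
}

# Local end-state check after a join: the host keytab must exist and be
# non-empty, and "realm list" must name the domain. Both are passed in as
# parameters so the check can be exercised without a live AD domain; in
# practice: verify_join_state /etc/krb5.keytab "$(realm list)" MYDOMAIN.LOCAL
verify_join_state() {
    keytab="$1"; realm_list="$2"; domain="$3"
    if [ ! -s "$keytab" ]; then
        echo "missing or empty host keytab: $keytab"
        return 1
    fi
    if ! printf '%s\n' "$realm_list" | grep -Fqi -- "$domain"; then
        echo "realm list does not mention $domain"
        return 1
    fi
    echo "join looks complete for $domain"
    return 0
}

# Stand-alone demonstration on the constructed samples.
main() {
    echo "partial sample: $(classify_join_log "$SAMPLE_PARTIAL") (kinit principal: $(kinit_principal "$SAMPLE_PARTIAL"))"
    echo "ok sample:      $(classify_join_log "$SAMPLE_OK")"
    if has_domain_prefix 'MYDOMAIN.LOCAL\administrator'; then
        echo "-U argument carries a DOMAIN\\ prefix; the bare user name worked in the report"
    fi
}

main "$@"
```

A partial-join verdict is the one worth acting on: the stale computer object in AD should be removed (as the reporter did) before retrying, since a second join with the same host name otherwise collides with it, and the absent keytab means no service on the client can authenticate as the host until the join is redone.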