Bug 1690920
| Summary: | [RFE] add option to populate "managed by" computer attribute | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ondrej <ondrej.valousek> |
| Component: | adcli | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.2 | CC: | afarley, atikhono, dlavu, pcech, pkettman, pvoborni, sbose, sgadekar, thalman |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | 8.3 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | adcli-0.8.2-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 19:50:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ondrej
2019-03-20 13:23:43 UTC
Moving to RHEL-8, since RFEs are not allowed for RHEL-7 anymore. BTW - any plans for "managed by" attribute in the IPA domain? Tested with: Installed products updated. Upgraded: adcli-0.8.2-12.el8.x86_64 [root@ci-vm-10-0-137- tmp.agRhcHLkkj]# adcli update -C --verbose --domain='ad.baseos.qe' --setattr=managedBy=CN=Amy-admin,OU=TestOU,DC=ad,Dc=baseos,DC=qe * Found realm in keytab: AD.BASEOS.QE * Found computer name in keytab: CI-VM-10-0-137- * Found service principal in keytab: host/CI-VM-10-0-137- * Found service principal in keytab: host/ci-vm-10-0-137-.ad.baseos.qe * Found host qualified name in keytab: ci-vm-10-0-137-.ad.baseos.qe * Found service principal in keytab: RestrictedKrbHost/CI-VM-10-0-137- * Found service principal in keytab: RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-137- * Using domain realm: ad.baseos.qe * Discovering domain controllers: _ldap._tcp.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-b8A44h/krb5.d/adcli-krb5-conf-mKqs2i * Using GSS-SPNEGO for SASL bind * Looked up short domain name: AD * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238 * Using fully qualified name: ci-vm-10-0-137-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-137- * Using domain realm: ad.baseos.qe * Using fully qualified name: ci-vm-10-0-137-.ad.baseos.qe * Enrolling computer name: CI-VM-10-0-137- * Generated 120 character computer password * Using keytab: FILE:/etc/krb5.keytab * Found computer account for CI-VM-10-0-137-$ at: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe * Retrieved kvno '2' for computer account in directory: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe * Password not too old, no change needed * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Modifying computer account: managedBy * Checking RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe * Added RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe * Checking RestrictedKrbHost/CI-VM-10-0-137- * Added RestrictedKrbHost/CI-VM-10-0-137- * Checking host/ci-vm-10-0-137-.ad.baseos.qe * Added host/ci-vm-10-0-137-.ad.baseos.qe * Checking host/CI-VM-10-0-137- * Added host/CI-VM-10-0-137- [root@ci-vm-10-0-137- tmp.agRhcHLkkj]# ldapsearch -x -h sec-ad1.ad.baseos.qe -D 'cn=Administrator,cn=users,dc=ad,dc=baseos,dc=qe' -w weareawesome2012! -b 'cn=computers,dc=ad,dc=baseos,dc=qe' 'cn=ci-vm-10-0-137-' # extended LDIF # # LDAPv3 # base <cn=computers,dc=ad,dc=baseos,dc=qe> with scope subtree # filter: cn=ci-vm-10-0-137- # requesting: ALL # # CI-VM-10-0-137-, Computers, ad.baseos.qe dn: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer cn: CI-VM-10-0-137- description: modified shridhar with updatesdf distinguishedName: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe instanceType: 4 whenCreated: 20210621084333.0Z whenChanged: 20210621085143.0Z uSNCreated: 1464968 uSNChanged: 1464980 name: CI-VM-10-0-137- objectGUID:: 7/h9uFBIH0qBKK8FIQLD0A== userAccountControl: 69632 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 132687386156898014 lastLogoff: 0 lastLogon: 132687386165335504 localPolicyFlags: 0 pwdLastSet: 132687386149866800 primaryGroupID: 515 objectSid:: AQUAAAAAAAUVAAAAYSJ+6SWSKv/WObRh/ckAAA== accountExpires: 9223372036854775807 logonCount: 2 sAMAccountName: CI-VM-10-0-137-$ sAMAccountType: 805306369 operatingSystem: redhat-linux-gnu dNSHostName: ci-vm-10-0-137-.ad.baseos.qe managedBy: CN=Amy-admin,OU=TestOU,DC=ad,DC=baseos,DC=qe servicePrincipalName: RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe servicePrincipalName: RestrictedKrbHost/CI-VM-10-0-137- servicePrincipalName: host/ci-vm-10-0-137-.ad.baseos.qe servicePrincipalName: host/CI-VM-10-0-137- objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=baseos,DC=qe isCriticalSystemObject: FALSE dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 132687386161897979 msDS-SupportedEncryptionTypes: 24 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ci-vm-10-0-137- tmp.agRhcHLkkj]# adcli delete-computer -C --verbose --domain='ad.baseos.qe' * Found realm in keytab: AD.BASEOS.QE * Found computer name in keytab: CI-VM-10-0-137- * Found service principal in keytab: host/CI-VM-10-0-137- * Found service principal in keytab: host/ci-vm-10-0-137-.ad.baseos.qe * Found host qualified name in keytab: ci-vm-10-0-137-.ad.baseos.qe * Found service principal in keytab: RestrictedKrbHost/CI-VM-10-0-137- * Found service principal in keytab: RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-137- * Using domain realm: ad.baseos.qe * Discovering domain controllers: _ldap._tcp.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-rm6mFG/krb5.d/adcli-krb5-conf-ONw30G * Using GSS-SPNEGO for SASL bind * Looked up short domain name: AD * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238 * Using fully qualified name: ci-vm-10-0-137-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-137- * Using domain realm: ad.baseos.qe * Using fully qualified name: ci-vm-10-0-137-.ad.baseos.qe * Enrolling computer name: CI-VM-10-0-137- * Found computer account for CI-VM-10-0-137-$ at: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe * Deleted computer account at: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe [root@ci-vm-10-0-137- tmp.agRhcHLkkj]# adcli join --verbose --description='description added at joining by shridhar' --setattr=managedBy=CN=Administrator,CN=Users,DC=ad,DC=baseos,DC=qe -U Amy-admin -S ad.baseos.qe * Sending NetLogon ping to domain controller: ad.baseos.qe * Sending NetLogon ping to domain controller: ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Discovered domain name: ad.baseos.qe * Calculated computer account name from fqdn: CI-VM-10-0-137- * Calculated domain realm from name: AD.BASEOS.QE * Wrote out krb5.conf snippet to /tmp/adcli-krb5-l9LRuQ/krb5.d/adcli-krb5-conf-0BVRXO Password for Amy-admin.QE: * Authenticated as user: Amy-admin.QE * Using GSS-SPNEGO for SASL bind * Looked up short domain name: AD * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238 * Using fully qualified name: ci-vm-10-0-137-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-137- * Using domain realm: ad.baseos.qe * Calculated computer account name from fqdn: CI-VM-10-0-137- * Generated 120 character computer password * Using keytab: FILE:/etc/krb5.keytab * A computer account for CI-VM-10-0-137-$ does not exist * Found well known computer container at: CN=Computers,DC=ad,DC=baseos,DC=qe * Calculated computer account: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe * Encryption type [16] not permitted. * Encryption type [23] not permitted. * Encryption type [3] not permitted. * Encryption type [1] not permitted. * Created computer account: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe * Sending NetLogon ping to domain controller: ad.baseos.qe * Sending NetLogon ping to domain controller: ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Set computer password * Retrieved kvno '2' for computer account in directory: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe * Modifying computer account: managedBy * Checking RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe * Added RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe * Checking RestrictedKrbHost/CI-VM-10-0-137- * Added RestrictedKrbHost/CI-VM-10-0-137- * Checking host/ci-vm-10-0-137-.ad.baseos.qe * Added host/ci-vm-10-0-137-.ad.baseos.qe * Checking host/CI-VM-10-0-137- * Added host/CI-VM-10-0-137- * Cleared old entries from keytab: FILE:/etc/krb5.keytab * Discovered which keytab salt to use * Added the entries to the keytab: CI-VM-10-0-137-$@AD.BASEOS.QE: FILE:/etc/krb5.keytab * Cleared old entries from keytab: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/CI-VM-10-0-137-.QE: FILE:/etc/krb5.keytab * Cleared old entries from keytab: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/ci-vm-10-0-137-.ad.baseos.qe.QE: FILE:/etc/krb5.keytab * Cleared old entries from keytab: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/CI-VM-10-0-137-.QE: FILE:/etc/krb5.keytab * Cleared old entries from keytab: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe.QE: FILE:/etc/krb5.keytab [root@ci-vm-10-0-137- tmp.agRhcHLkkj]# ldapsearch -x -h sec-ad1.ad.baseos.qe -D 'cn=Administrator,cn=users,dc=ad,dc=baseos,dc=qe' -w weareawesome2012! -b 'cn=computers,dc=ad,dc=baseos,dc=qe' 'cn=ci-vm-10-0-137-' # extended LDIF # # LDAPv3 # base <cn=computers,dc=ad,dc=baseos,dc=qe> with scope subtree # filter: cn=ci-vm-10-0-137- # requesting: ALL # # CI-VM-10-0-137-, Computers, ad.baseos.qe dn: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer cn: CI-VM-10-0-137- description: description added at joining by shridhar distinguishedName: CN=CI-VM-10-0-137-,CN=Computers,DC=ad,DC=baseos,DC=qe instanceType: 4 whenCreated: 20210621085626.0Z whenChanged: 20210621085629.0Z uSNCreated: 1464986 uSNChanged: 1464992 name: CI-VM-10-0-137- objectGUID:: 60o43YKSdkmb/baIFzg5Nw== userAccountControl: 69632 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 132687393887366280 lastLogoff: 0 lastLogon: 132687393895647869 localPolicyFlags: 0 pwdLastSet: 132687393879553509 primaryGroupID: 515 objectSid:: AQUAAAAAAAUVAAAAYSJ+6SWSKv/WObRh/skAAA== accountExpires: 9223372036854775807 logonCount: 2 sAMAccountName: CI-VM-10-0-137-$ sAMAccountType: 805306369 operatingSystem: redhat-linux-gnu dNSHostName: ci-vm-10-0-137-.ad.baseos.qe managedBy: CN=Administrator,CN=Users,DC=ad,DC=baseos,DC=qe servicePrincipalName: RestrictedKrbHost/ci-vm-10-0-137-.ad.baseos.qe servicePrincipalName: RestrictedKrbHost/CI-VM-10-0-137- servicePrincipalName: host/ci-vm-10-0-137-.ad.baseos.qe servicePrincipalName: host/CI-VM-10-0-137- objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=baseos,DC=qe isCriticalSystemObject: FALSE dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 132687393892210351 msDS-SupportedEncryptionTypes: 24 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 marking verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (adcli bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4453 |