Bug 1727144
| Summary: | adcli join fails with new krb5-libs; adcli needs to backport patches to only use permitted enctypes from upstream | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alessio <alciregi> |
| Component: | adcli | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | awilliam, jhrozek, jmmahler, jss, robatino, sbose, sgallagh, stefw |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-05 18:07:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1644937 | | |
Description
Alessio
2019-07-04 16:05:36 UTC
This seems to be a violation of Basic criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain." - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication

Sumit, who maintains realmd, is on an extended vacation, so I'll try to keep this moving forward at least today, then I'm off for pretty much two weeks..

```
$ rpm -q adcli realmd krb5-libs
adcli-0.8.2-3.fc30.x86_64
realmd-0.16.3-19.fc30.x86_64
krb5-libs-1.17-14.fc30.x86_64
```

Everything works:

```
$ sudo realm leave win.trust.test
$ sudo realm join win.trust.test
Password for Administrator:
$ id administrator.test
uid=1974600500(administrator.test) gid=1974600513(domain users.test) groups=1974600513(domain users.test),1974600572(denied rodc password replication group.test),1974600518(schema admins.test),1974600519(enterprise admins.test),1974600520(group policy creator owners.test),1974600512(domain admins.test)
```

And then upgrading only krb5-libs breaks things:

```
$ dnf --nogpgcheck --releasever=rawhide upgrade krb5-libs
$ sudo realm join win.trust.test
Password for Administrator:
See: journalctl REALMD_OPERATION=r289.3373
realm: Couldn't join realm: Failed to join the domain
```

In the journald snippet I see:

```
Jul 05 10:22:20 adclient.win.trust.test realmd[3330]: adcli: 'code == 0' not true at _adcli_krb5_keytab_test_salt
Jul 05 10:22:20 adclient.win.trust.test realmd[3330]:  ! Couldn't authenticate with keytab while discovering which salt to use: ADCLIENT$@WIN.TRUST.TEST: Bad encryption type
Jul 05 10:22:20 adclient.win.trust.test realmd[3330]:  ! Couldn't add keytab entries: FILE:/etc/krb5.keytab: Bad encryption type
```

So I'm going to assume that this has to do with the 3DES removal that I see in the changelog of the recent krb5-libs versions.

I'm really not familiar with adcli code, but there is an array of permitted enctypes that also lists several DES variants, so I'm just going to try a hail mary patch and remove the des pieces.. I'm not sure if I can do more considering my vacation starts in 6.5 hours..

Ah, it tur

(Sorry, I started a comment earlier, then reassigned the bug to adcli which submitted the WIP comment..)

Ah, it turns out that Sumit was, as usual, ahead of everyone else :-) and the needed fixes were already upstream, so all it took was to backport them to the fedora packages.

Here is a PR: https://src.fedoraproject.org/rpms/adcli/pull-request/1

Here is a test build: https://copr.fedorainfracloud.org/coprs/jhrozek/adcli-krb5-enctypes/

If that works, I hope some provenpackager can build the package.

> Here is a test build:
> https://copr.fedorainfracloud.org/coprs/jhrozek/adcli-krb5-enctypes/
Installing this package, it works.
```
$ sudo realm join TEST.LAN
Password for Administrator:
$ sudo realm list
test.lan
  type: kerberos
  realm-name: TEST.LAN
  domain-name: test.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
```
Thanks!
Did someone light the provenpackager lantern?! https://koji.fedoraproject.org/koji/taskinfo?taskID=36061859

Why am I now seeing this problem on EL8?

```
# rpm -q adcli realmd krb5-libs
adcli-0.8.2-7.el8.x86_64
realmd-0.16.3-19.el8.x86_64
krb5-libs-1.18.2-5.el8.x86_64
```

I got this when joining the realm:

```
 ! Couldn't authenticate with keytab while discovering which salt to use:
```

but then messages about adding keys to keytab, so I was hoping the new keys would resolve that issue. And the join to domain seemed to work. But after joining domain, sssd is not working:

```
2021-04-08 15:53:00): [be[blah.com]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Pre-authentication failed: Key table entry not found], expired on [0]
Apr 08 16:02:11 blah.com ldap_child[23330][23330]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Pre-authentication failed: Key table entry not found. Unable to create GSSAPI-encrypted LDAP connection.
```

Sick of this.

And I'm seeing this on recently patched EL8.3, after having run:

```
update-crypto-policies --set LEGACY
```

Hmm. My krb5.conf had this, as this was required in the past:

```
default_tgs_enctypes=arcfour-hmac
default_tkt_enctypes=arcfour-hmac
```

But over the last 3 years, various old domain controllers have been removed, and it looks like it is no longer needed. Removing those lines, sssd is happy again now.
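The two symptoms in this thread come from the same mismatch seen from two sides: adcli's "Bad encryption type" appears when every key in the keytab uses an enctype the krb5 library policy now refuses (the DES/3DES removal), while sssd's "Key table entry not found" appears when the keytab holds permitted keys but `default_tkt_enctypes` in krb5.conf asks only for an enctype the keytab does not contain. The following script is an added example, not code from adcli, krb5, sssd or the Fedora package: it parses `klist -ke`-style keytab listings and the `[libdefaults]` section of a krb5.conf (both constructed sample text) and reports which symptom a client would hit. The permitted-enctype set and the mapping to the two messages are simplifying assumptions for illustration, not the exact krb5 or crypto-policies behaviour.

```python
"""Keytab enctype diagnosis for the failures discussed in this bug.

Added example (not code from adcli, krb5, sssd or the Fedora package).
It models two situations from the thread:
  * "Bad encryption type"       - every key for the principal uses an enctype
                                  the library policy refuses (DES/3DES here)
  * "Key table entry not found" - permitted keys exist, but default_tkt_enctypes
                                  asks only for enctypes the keytab lacks
The permitted set below is an assumption for illustration.
"""
import re

# Constructed sample, shaped like `klist -ke /etc/krb5.keytab` output.
KEYTAB_DES_ONLY = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ADCLIENT$@WIN.TRUST.TEST (des-cbc-crc)
   2 ADCLIENT$@WIN.TRUST.TEST (des3-cbc-sha1)
"""

# Constructed sample: keytab written after the fix, AES keys only.
KEYTAB_AES = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ADCLIENT$@WIN.TRUST.TEST (aes256-cts-hmac-sha1-96)
   3 ADCLIENT$@WIN.TRUST.TEST (aes128-cts-hmac-sha1-96)
"""

# Constructed krb5.conf fragment mirroring the lines the last comment removed.
KRB5_CONF_RC4_ONLY = """\
[libdefaults]
 default_realm = WIN.TRUST.TEST
 default_tgs_enctypes = arcfour-hmac
 default_tkt_enctypes = arcfour-hmac
"""

# Assumed library policy: AES and RC4 permitted, DES/3DES refused.
PERMITTED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"}

# One keytab entry line: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from klist -ke style output."""
    return [
        (int(m.group(1)), m.group(2), m.group(3))
        for m in (ENTRY_RE.match(line) for line in text.splitlines())
        if m
    ]


def parse_libdefaults(text):
    """Return {key: [values]} for the [libdefaults] section of krb5.conf text.
    Enctype lists are split on whitespace and commas."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[libdefaults]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = [v for v in re.split(r"[\s,]+", value.strip()) if v]
    return result


def diagnose(keytab_text, principal, permitted=PERMITTED, krb5_conf_text=""):
    """Map keytab contents plus client config to the symptom a join/auth hits."""
    keys = {e for _, p, e in parse_klist(keytab_text) if p == principal}
    if not keys:
        return "no keytab entry for principal"
    policy_ok = keys & permitted
    if not policy_ok:
        # Every key uses a refused enctype: adcli's salt test cannot authenticate.
        return "Bad encryption type"
    wanted = parse_libdefaults(krb5_conf_text).get("default_tkt_enctypes")
    if wanted is not None and not (policy_ok & set(wanted)):
        # Usable keys exist, but the client asks only for enctypes it lacks.
        return "Key table entry not found"
    return "ok"


if __name__ == "__main__":
    host = "ADCLIENT$@WIN.TRUST.TEST"
    print("DES-only keytab:           ", diagnose(KEYTAB_DES_ONLY, host))
    print("AES keytab + RC4-only conf:", diagnose(KEYTAB_AES, host, krb5_conf_text=KRB5_CONF_RC4_ONLY))
    print("AES keytab, default conf:  ", diagnose(KEYTAB_AES, host))
```

On a real host, feed `diagnose()` the output of `klist -ke /etc/krb5.keytab` and the contents of `/etc/krb5.conf`; the first check tells you whether the keytab needs re-joining with current enctypes, the second whether a stale `default_tkt_enctypes` line is filtering out the keys you do have.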