Bug 1734764
Summary: | Cannot join a pre-staged Computer Account on AD in Custom OU using Delegated user | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | amitkuma |
Component: | adcli | Assignee: | Sumit Bose <sbose> |
Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.4 | CC: | abroy, dlavu, pcech, sbose, sgadekar, sgoveas |
Target Milestone: | rc | ||
Target Release: | 8.2 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | sync-to-jira | ||
Fixed In Version: | adcli-0.8.2-8.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 14:57:22 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Comment 3
amitkuma
2019-10-08 12:25:26 UTC
Any updates here? Upstream: - https://gitlab.freedesktop.org/realmd/adcli/-/commit/beb7abfacc0010987d2cd8ab70f7c373d309eed9 Additionally there is https://bugzilla.redhat.com/show_bug.cgi?id=1852080 to document required permissions in the adcli man page. Tested with ]# rpm -q adcli adcli-0.8.2-8.el8.x86_64 :: [ 03:06:07 ] :: [ PASS ] :: Command 'echo nameserver\ 10.37.152.14 > /etc/resolv.conf' (Expected 0, got 0) :: [ 03:06:07 ] :: [ BEGIN ] :: Running 'echo -n weareawesome2012! | LANG=C adcli preset-computer --verbose --stdin-password --domain-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe --domain=ad.baseos.qe ci-vm-10-0-138-.ad.baseos.qe' * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: CI-VM-10-0-138- * Calculated domain realm from name: AD.BASEOS.QE * Discovering domain controllers: _ldap._tcp.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /tmp/adcli-krb5-2fidwG/krb5.d/adcli-krb5-conf-HQgTw8 * Authenticated as user: Administrator.QE * Using GSS-SPNEGO for SASL bind * Looked up short domain name: AD * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-138- * Using domain realm: ad.baseos.qe * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe * Calculated computer account name from fqdn: CI-VM-10-0-138- * Using default reset computer password * A computer account for CI-VM-10-0-138-$ does not exist ! Couldn't find a computer container in the ou, creating computer account directly in: OU=delegated-ou,dc=ad,dc=baseos,dc=qe * Calculated computer account: CN=CI-VM-10-0-138-,OU=delegated-ou,dc=ad,dc=baseos,dc=qe * Encryption type [16] not permitted. * Encryption type [23] not permitted. * Encryption type [3] not permitted. * Encryption type [1] not permitted. * Created computer account: CN=CI-VM-10-0-138-,OU=delegated-ou,dc=ad,dc=baseos,dc=qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe * Received NetLogon info from: sec-ad1.ad.baseos.qe * Set computer password * Checking RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe * Added RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe * Checking RestrictedKrbHost/CI-VM-10-0-138- * Added RestrictedKrbHost/CI-VM-10-0-138- * Checking host/ci-vm-10-0-138-.ad.baseos.qe * Added host/ci-vm-10-0-138-.ad.baseos.qe * Checking host/CI-VM-10-0-138- * Added host/CI-VM-10-0-138- computer-name: CI-VM-10-0-138- :: [ 03:06:13 ] :: [ PASS ] :: Command 'echo -n weareawesome2012! | LANG=C adcli preset-computer --verbose --stdin-password --domain-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe --domain=ad.baseos.qe ci-vm-10-0-138-.ad.baseos.qe' (Expected 0, got 0) ]# cat new.ldif dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe changetype: modify delete:dNSHostName - delete:servicePrincipalName - ]# ldapmodify -x -h sec-ad1.ad.baseos.qe -f ./new.ldif -D 'Administrator.qe' -w 'weareawesome2012!' modifying entry "CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe" [root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# ldapsearch -x -h sec-ad1.ad.baseos.qe -D 'Administrator.qe' -b "OU=delegated-ou,dc=ad,dc=baseos,dc=qe" -w "weareawesome2012!" "cn=CI-VM-10-0-138-" >lds [root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# cat lds # extended LDIF # # LDAPv3 # base <OU=delegated-ou,dc=ad,dc=baseos,dc=qe> with scope subtree # filter: cn=CI-VM-10-0-138- # requesting: ALL # # CI-VM-10-0-138-, delegated-OU, ad.baseos.qe dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer cn: CI-VM-10-0-138- distinguishedName: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe instanceType: 4 whenCreated: 20201203080611.0Z whenChanged: 20201203125608.0Z uSNCreated: 1041257 uSNChanged: 1041314 name: CI-VM-10-0-138- objectGUID:: ORIE/Zj8cUuoCKOgwo+0rA== userAccountControl: 69632 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 localPolicyFlags: 0 pwdLastSet: 132514563730510065 primaryGroupID: 515 objectSid:: AQUAAAAAAAUVAAAAYSJ+6SWSKv/WObRhGIUAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: CI-VM-10-0-138-$ sAMAccountType: 805306369 operatingSystem: redhat-linux-gnu objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=baseos,DC=qe isCriticalSystemObject: FALSE dSCorePropagationData: 16010101000000.0Z msDS-SupportedEncryptionTypes: 24 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# egrep -ir 'servicePrincipalName' lds [root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# [root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# egrep -ir 'dNSHostName' lds [root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# realm join ad.baseos.qe --verbose --user=amitk1.QE --computer-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe * Resolving: _ldap._tcp.ad.baseos.qe * Performing LDAP DSE lookup on: 10.37.152.14 * Performing LDAP DSE lookup on: 2620:52:0:2598:216:3eff:fe00:1c1 * Successfully discovered: ad.baseos.qe Password for amitk1.QE: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli * LANG=C /usr/sbin/adcli join --verbose --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.37.152.14 --computer-ou OU=delegated-ou,dc=ad,dc=baseos,dc=qe --login-type user --login-user amitk1.QE --stdin-password * Using domain name: ad.baseos.qe * Calculated computer account name from fqdn: CI-VM-10-0-138- * Using domain realm: ad.baseos.qe * Sending NetLogon ping to domain controller: 10.37.152.14 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OIENGM/krb5.d/adcli-krb5-conf-yYI2I5 * Authenticated as user: amitk1.QE * Using GSS-SPNEGO for SASL bind * Looked up short domain name: AD * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe * Using domain name: ad.baseos.qe * Using computer account name: CI-VM-10-0-138- * Using domain realm: ad.baseos.qe * Calculated computer account name from fqdn: CI-VM-10-0-138- * Generated 120 character computer password * Using keytab: FILE:/etc/krb5.keytab * Found computer account for CI-VM-10-0-138-$ at: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe * Sending NetLogon ping to domain controller: 10.37.152.14 * Received NetLogon info from: sec-ad1.ad.baseos.qe * Set computer password * Retrieved kvno '3' for computer account in directory: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe * Modifying computer account: dNSHostName * Discovered which keytab salt to use * Added the entries to the keytab: CI-VM-10-0-138-$@AD.BASEOS.QE: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/CI-VM-10-0-138-.QE: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/ci-vm-10-0-138-.ad.baseos.qe.QE: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/CI-VM-10-0-138-.QE: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe.QE: FILE:/etc/krb5.keytab ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported * /usr/bin/systemctl enable sssd.service * /usr/bin/systemctl restart sssd.service * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service Backup stored at /var/lib/authselect/backups/2020-12-03-13-03-33.3QxbdT Profile "sssd" was selected. The following nsswitch maps are overwritten by the profile: - passwd - group - netgroup - automount - services Make sure that SSSD service is configured and enabled. See SSSD documentation for more information. - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled and active - systemctl enable --now oddjobd.service Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service. * Successfully enrolled machine in realm Marking verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (adcli bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1638 |