Bug 1762420

Summary: adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd
Product: Red Hat Enterprise Linux 8    Reporter: Hemant B Khot <hkhot>
Component: adcli    Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA    QA Contact: sssd-qe <sssd-qe>
Severity: medium    Docs Contact:
Priority: medium
Version: 8.1    CC: adam.winberg, aheverle, alexander.heimann, chris.thomas, fedoraproject, gswami, kurathod, pcech, sbose, sgadekar, sgoveas, tc.staff, thalman, thomas.rumbaut, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: adcli-0.8.2-5.el8    Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1786776
Environment:
Last Closed: 2020-04-28 16:58:21 UTC    Type: Bug
Regression: ---    Mount Type: ---
Documentation: ---    CRM:
Verified Versions:    Category: ---
oVirt Team: ---    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---    Target Upstream Version:
Bug Depends On:
Bug Blocks: 1786776

Comment 6 shridhar 2019-12-20 11:33:36 UTC
qa_ack+

Comment 8 shridhar 2020-02-17 11:02:36 UTC
Tested with the following inputs:

Upgraded:
  adcli-0.8.2-5.el8.x86_64

Complete!

[root@ipaqavma ~]# iptables -A OUTPUT -p tcp  --destination-port 389 -j DROP

---------------------------------------------------
Without --use-ldaps option:
---------------------------------------------------
[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Discovering domain controllers: _ldap._tcp.sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.161
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: titan.sssd2016.com
 ! Couldn't connect to host: titan.sssd2016.com: Connection timed out
 ! Couldn't connect to host: mars.sssd2016.com: Connection timed out
adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: mars.sssd2016.com: Connection timed out
[root@ipaqavma ~]# man adcli
---------------------------------------------------
[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 ! Couldn't connect to host: 10.65.207.18: Connection timed out
adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: 10.65.207.18: Connection timed out

---------------------------------------------------
With --use-ldaps option
---------------------------------------------------

[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18 --use-ldaps
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 * Using LDAPS to connect to 10.65.207.18
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-UZ6E2i/krb5.d/adcli-krb5-conf-BozhGZ
Password for Administrator@SSSD2016.COM: 
 * Authenticated as user: Administrator@SSSD2016.COM
 * Using GSSAPI for SASL bind
 * Looked up short domain name: SSSD2016
 * Looked up domain SID: S-1-5-21-3474374533-2609541057-665406313
 * Using fully qualified name: ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Using domain name: sssd2016.com
 * Using computer account name: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for IPAQAVMA$ does not exist
 * Found well known computer container at: CN=Computers,DC=sssd2016,DC=com
 * Calculated computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Checking RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com
 *    Added RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Checking RestrictedKrbHost/IPAQAVMA
 *    Added RestrictedKrbHost/IPAQAVMA
 * Checking host/ipaqavma.idmqe.lab.eng.bos.redhat.com
 *    Added host/ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Checking host/IPAQAVMA
 *    Added host/IPAQAVMA
 * Discovered which keytab salt to use
 * Added the entries to the keytab: IPAQAVMA$@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/IPAQAVMA@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ipaqavma.idmqe.lab.eng.bos.redhat.com@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/IPAQAVMA@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com@SSSD2016.COM: FILE:/etc/krb5.keytab
[root@ipaqavma ~]# echo $?
0
[root@ipaqavma ~]# 

Marking verified
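The check from comment 8, written up as an added shell script (it is not part of the bug report or of adcli itself): block outbound plain LDAP on 389, join with --use-ldaps, and accept the result only if adcli exits 0 and its verbose output carries the "Using LDAPS to connect to" marker. The domain, domain controller and admin user are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the bug report: the check from comment 8 as a
# reusable script. Block outbound plain LDAP (389), join with --use-ldaps,
# and accept the result only if adcli exits 0 and its verbose log carries the
# "Using LDAPS to connect to" marker. DOMAIN, DC and ADMIN are placeholders.
DOMAIN="${DOMAIN:-example.com}"      # assumed placeholder
DC="${DC:-dc1.example.com}"          # assumed placeholder
ADMIN="${ADMIN:-Administrator}"      # assumed placeholder

# Add the DROP rule only if it is not there yet (-C checks for it).
block_plain_ldap() {
    iptables -C OUTPUT -p tcp --dport 389 -j DROP 2>/dev/null ||
        iptables -A OUTPUT -p tcp --dport 389 -j DROP
}

unblock_plain_ldap() {
    iptables -D OUTPUT -p tcp --dport 389 -j DROP
}

# Read an adcli --verbose log on stdin: print the host adcli reported an
# LDAPS connection to and return 0, or print nothing and return 1.
ldaps_target() {
    sed -n 's/^ \* Using LDAPS to connect to \(.*\)$/\1/p' | head -n 1 | grep .
}

# Join with 389 blocked; the password prompt still reaches the terminal
# through tee, and adcli's own exit status is saved separately from tee's.
verify_ldaps_join() {
    log=$(mktemp) || return 1
    block_plain_ldap || { rm -f "$log"; return 1; }
    { adcli join --verbose --use-ldaps -U "$ADMIN" --domain "$DOMAIN" -S "$DC"
      echo $? >"$log.rc"; } 2>&1 | tee "$log"
    rc=$(cat "$log.rc")
    unblock_plain_ldap
    rm -f "$log.rc"
    if [ "$rc" -eq 0 ] && target=$(ldaps_target <"$log"); then
        echo "OK: joined $DOMAIN over LDAPS to $target"
        rm -f "$log"; return 0
    fi
    echo "FAIL: adcli exit status $rc, or no LDAPS marker in the log" >&2
    rm -f "$log"; return 1
}
```

Run `verify_ldaps_join` as root on the host to be joined; without --use-ldaps the same join fails with "Connection timed out" while 389 is dropped, as comment 8 shows.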

Comment 10 errata-xmlrpc 2020-04-28 16:58:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1874