Bug 1762420
| Summary: | adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Hemant B Khot <hkhot> | |
| Component: | adcli | Assignee: | Sumit Bose <sbose> | |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.1 | CC: | adam.winberg, aheverle, alexander.heimann, chris.thomas, fedoraproject, gswami, kurathod, pcech, sbose, sgadekar, sgoveas, tc.staff, thalman, thomas.rumbaut, tscherf | |
| Target Milestone: | rc | |||
| Target Release: | 8.0 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | sync-to-jira | |||
| Fixed In Version: | adcli-0.8.2-5.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1786776 (view as bug list) | Environment: | ||
| Last Closed: | 2020-04-28 16:58:21 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1786776 | |||
|
Comment 5
Sumit Bose
2019-12-20 10:25:50 UTC
qa_ack+ Tested with following inputs: Upgraded: adcli-0.8.2-5.el8.x86_64 Complete! [root@ipaqavma ~]# iptables -A OUTPUT -p tcp --destination-port 389 -j DROP --------------------------------------------------- Without --use-ldaps option: --------------------------------------------------- [root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM * Using domain name: sssd2016.com * Calculated computer account name from fqdn: IPAQAVMA * Using domain realm: sssd2016.com * Discovering domain controllers: _ldap._tcp.sssd2016.com * Sending netlogon pings to domain controller: cldap://10.65.207.161 * Sending netlogon pings to domain controller: cldap://10.65.207.18 * Received NetLogon info from: titan.sssd2016.com ! Couldn't connect to host: titan.sssd2016.com: Connection timed out ! Couldn't connect to host: mars.sssd2016.com: Connection timed out adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: mars.sssd2016.com: Connection timed out [root@ipaqavma ~]# man adcli --------------------------------------------------- [root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18 * Using domain name: sssd2016.com * Calculated computer account name from fqdn: IPAQAVMA * Using domain realm: sssd2016.com * Sending netlogon pings to domain controller: cldap://10.65.207.18 * Received NetLogon info from: mars.sssd2016.com ! Couldn't connect to host: 10.65.207.18: Connection timed out adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: 10.65.207.18: Connection timed out --------------------------------------------------- With --use-ldaps option --------------------------------------------------- [root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18 --use-ldaps * Using domain name: sssd2016.com * Calculated computer account name from fqdn: IPAQAVMA * Using domain realm: sssd2016.com * Sending netlogon pings to domain controller: cldap://10.65.207.18 * Received NetLogon info from: mars.sssd2016.com * Using LDAPS to connect to 10.65.207.18 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-UZ6E2i/krb5.d/adcli-krb5-conf-BozhGZ Password for Administrator: * Authenticated as user: Administrator * Using GSSAPI for SASL bind * Looked up short domain name: SSSD2016 * Looked up domain SID: S-1-5-21-3474374533-2609541057-665406313 * Using fully qualified name: ipaqavma.idmqe.lab.eng.bos.redhat.com * Using domain name: sssd2016.com * Using computer account name: IPAQAVMA * Using domain realm: sssd2016.com * Calculated computer account name from fqdn: IPAQAVMA * Generated 120 character computer password * Using keytab: FILE:/etc/krb5.keytab * Computer account for IPAQAVMA$ does not exist * Found well known computer container at: CN=Computers,DC=sssd2016,DC=com * Calculated computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com * Encryption type [16] not permitted. * Encryption type [23] not permitted. * Encryption type [3] not permitted. * Encryption type [1] not permitted. * Created computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com * Sending netlogon pings to domain controller: cldap://10.65.207.18 * Received NetLogon info from: mars.sssd2016.com * Set computer password * Retrieved kvno '2' for computer account in directory: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com * Checking RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com * Added RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com * Checking RestrictedKrbHost/IPAQAVMA * Added RestrictedKrbHost/IPAQAVMA * Checking host/ipaqavma.idmqe.lab.eng.bos.redhat.com * Added host/ipaqavma.idmqe.lab.eng.bos.redhat.com * Checking host/IPAQAVMA * Added host/IPAQAVMA * Discovered which keytab salt to use * Added the entries to the keytab: IPAQAVMA$@SSSD2016.COM: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/IPAQAVMA: FILE:/etc/krb5.keytab * Added the entries to the keytab: host/ipaqavma.idmqe.lab.eng.bos.redhat.com: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/IPAQAVMA: FILE:/etc/krb5.keytab * Added the entries to the keytab: RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com: FILE:/etc/krb5.keytab [root@ipaqavma ~]# echo $? 0 [root@ipaqavma ~]# Marking verified Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1874 |