Bug 2149664
| Summary: | adcli testjoin does not detect domain name correctly | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ondrej <ondrej.valousek> |
| Component: | adcli | Assignee: | Sumit Bose <sbose> |
| Status: | NEW | QA Contact: | sssd-qe |
| Severity: | low | Priority: | low |
| Version: | 9.1 | CC: | aboscatt, atikhono |
| Target Milestone: | rc | Keywords: | Triaged |
| Hardware: | Unspecified | OS: | Unspecified |
| Type: | Bug | | |
...but apparently it does support '--domain' parameter. Hence I suggest updating man page here.

Hi,

thanks for the report and sorry for the delay.

When I was reading your description I thought that the reason is obvious and adcli is using the DNS domain name as realm and not the realm found in the keytab. But when I now try to reproduce it, it is working as expected.

Can you try to reproduce the issue without using the '--domain' option and send the verbose output with the '-v' option? In my tests the first message is always ' * Found realm in keytab: MY.REALM.COM' and this realm is used for the following operations.

bye,
Sumit

Hi, see below:
[root@slsrvadm-02v mmanow]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 SLSRVADM-02V$@ADWIN.RENESAS.COM
2 SLSRVADM-02V$@ADWIN.RENESAS.COM
2 SLSRVADM-02V$@ADWIN.RENESAS.COM
2 host/SLSRVADM-02V.COM
2 host/SLSRVADM-02V.COM
2 host/SLSRVADM-02V.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/SLSRVADM-02V.COM
2 RestrictedKrbHost/SLSRVADM-02V.COM
2 RestrictedKrbHost/SLSRVADM-02V.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
3 SLSRVADM-02V$@ADWIN.RENESAS.COM
3 SLSRVADM-02V$@ADWIN.RENESAS.COM
3 SLSRVADM-02V$@ADWIN.RENESAS.COM
3 host/SLSRVADM-02V.COM
3 host/SLSRVADM-02V.COM
3 host/SLSRVADM-02V.COM
3 host/slsrvadm-02v.diasemi.com.COM
3 host/slsrvadm-02v.diasemi.com.COM
3 host/slsrvadm-02v.diasemi.com.COM
3 RestrictedKrbHost/SLSRVADM-02V.COM
3 RestrictedKrbHost/SLSRVADM-02V.COM
3 RestrictedKrbHost/SLSRVADM-02V.COM
3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
[root@slsrvadm-02v mmanow]# kinit -k SLSRVADM-02V$
[root@slsrvadm-02v mmanow]# adcli testjoin -v
* Found realm in keytab: ADWIN.RENESAS.COM
* Found computer name in keytab: SLSRVADM-02V
* Found service principal in keytab: host/SLSRVADM-02V
* Found service principal in keytab: host/slsrvadm-02v.diasemi.com
* Found host qualified name in keytab: slsrvadm-02v.diasemi.com
* Found service principal in keytab: RestrictedKrbHost/SLSRVADM-02V
* Found service principal in keytab: RestrictedKrbHost/slsrvadm-02v.diasemi.com
* Calculated domain name from host fqdn: diasemi.com
* Using computer account name: SLSRVADM-02V
* Using domain realm: diasemi.com
* Discovering domain controllers: _ldap._tcp.diasemi.com
* Sending NetLogon ping to domain controller: casrvdc-03v.diasemi.com
* Received NetLogon info from: CASRVDC-03v.diasemi.com
* Discovering site domain controllers: _ldap._tcp.SLOUGH._sites.dc._msdcs.diasemi.com
* Sending NetLogon ping to domain controller: slsrvdc-01.diasemi.com
* Received NetLogon info from: slsrvdc-01.diasemi.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-WrUuFQ/krb5.d/adcli-krb5-conf-KUt49G
! Couldn't get kerberos ticket for machine account: SLSRVADM-02V: Realm not local to KDC
adcli: couldn't connect to diasemi.com domain: Couldn't get kerberos ticket for machine account: SLSRVADM-02V: Realm not local to KDC
Please check
https://red.ht/support_rhel_ad
to get help for common issues.
Description of problem:

After successful joining to domain:

adcli join ... adwin.renesas.com

I receive this Kerberos keytab:

[root@slsrvadm-02v ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 slsrvadm-02v2$@ADWIN.RENESAS.COM
2 host/slsrvadm-02v2.COM
2 slsrvadm-02v2$@ADWIN.RENESAS.COM
2 host/slsrvadm-02v2.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v2.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v2.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM

... however 'adcli testjoin' complains about 'diasemi.com' domain which I did not join:

[root@slsrvadm-02v ~]# adcli testjoin
adcli: couldn't connect to diasemi.com domain: Couldn't get kerberos ticket for machine account: slsrvadm-02v2: Realm not local to KDC
Please check
https://red.ht/support_rhel_ad
to get help for common issues.

and as per the man page, I can't supply domain name to adcli testjoin
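
An added example, not part of the bug report and not adcli code: a shell check over `adcli testjoin -v` output that compares the "Found realm in keytab" line with the "Using domain realm" line, which is the mismatch visible in the verbose output above. The function and sample names are hypothetical, and the sample input is constructed from the lines quoted on this page.

```shell
#!/bin/sh
# Added example: compare the realm adcli found in the keytab with the realm
# it goes on to use. Reads `adcli testjoin -v` output on stdin.
# Exit status: 0 = realms agree, 1 = mismatch, 2 = expected lines missing.
# Usage on a joined host: adcli testjoin -v 2>&1 | check_adcli_realm
check_adcli_realm() {   # hypothetical helper name
    awk '
        # Realm of the machine account keys stored in the keytab.
        /Found realm in keytab:/ { keytab = toupper($NF) }
        # Domain derived from the host FQDN, when adcli reports doing so.
        /Calculated domain name from host fqdn:/ { derived = $NF }
        # Realm used for DC discovery and the machine-account ticket.
        /Using domain realm:/ { used = toupper($NF) }
        END {
            if (keytab == "" || used == "") { print "UNKNOWN"; exit 2 }
            if (keytab != used) {
                printf "MISMATCH keytab=%s used=%s", keytab, used
                if (derived != "") printf " derived_from_fqdn=%s", derived
                printf "\n"
                exit 1
            }
            print "OK realm=" keytab
        }'
}

# Constructed sample: the relevant lines of the verbose output on this page.
sample_mismatch() {
    cat <<'EOF'
 * Found realm in keytab: ADWIN.RENESAS.COM
 * Found host qualified name in keytab: slsrvadm-02v.diasemi.com
 * Calculated domain name from host fqdn: diasemi.com
 * Using domain realm: diasemi.com
EOF
}

# Constructed sample: a consistent run, with MY.REALM.COM as a placeholder realm.
sample_ok() {
    cat <<'EOF'
 * Found realm in keytab: MY.REALM.COM
 * Using domain realm: my.realm.com
EOF
}

sample_mismatch | check_adcli_realm || true
```

The comparison is case-insensitive because the keytab carries the realm in upper case while the realm adcli reports using may be printed as a lower-case DNS name.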