Bug 1001667 - realmd fails to join if hostname has more than 15 chars
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: rc
Assignee: Stef Walter
QA Contact: David Spurek

Reported: 2013-08-27 13:40 UTC by Kaushik Banerjee
Modified: 2015-03-02 05:28 UTC

Fixed In Version: adcli-0.7.4-1.el7, realmd-0.14.6-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 13:30:10 UTC




Links:
FreeDesktop.org bug 69016 (priority medium, status RESOLVED): "adcli and realmd need to handle long hostnames", last updated 2019-12-04 08:07:51 UTC

Description Kaushik Banerjee 2013-08-27 13:40:26 UTC
Description of problem:
realmd fails to join if hostname has more than 15 chars

Version-Release number of selected component (if applicable):
realmd-0.14.5-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Hostname is more than 15 chars.
2. Try to join to AD using realmd


Actual results:
realmd fails to join to AD Server.

# realm join -v -U Administrator --user-principal=host/kautest-sssdclient-vm100.example.com sssdad2012.com
 * Resolving: _ldap._tcp.sssdad2012.com
 * Performing LDAP DSE lookup on: 192.168.100.10
 * Successfully discovered: sssdad2012.com
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.5O271W -U Administrator ads join sssdad2012.com createupn=host/kautest-sssdclient-vm100.example.com
Invalid configuration.  Exiting....
Our netbios name can be at most 15 chars long, "KAUTEST-SSSDCLIENT-VM100" is 24 chars long
Failed to join domain: The format of the specified computer name is invalid.
 ! Joining the domain sssdad2012.com failed
realm: Couldn't join realm: Joining the domain sssdad2012.com failed


Expected results:
Similar to the "net" tool, where we can work around this by using "netbios name = <up to 15 char name>" in smb.conf, we would need a similar option to pass the netbios name to the realmd tool.

Comment 3 Stef Walter 2013-09-06 07:26:39 UTC
Doing research on this because it's not as simple as one might imagine. The NetBIOS name of a machine is used as a Kerberos computer account name in AD.

Comment 4 Stef Walter 2013-09-06 07:27:38 UTC
An example computer account on a Windows client:

Full name: this-is-a-long-computer-name-more-than-15
Automatically truncated name: THIS-IS-A-LONG-

# THIS-IS-A-LONG-, Computers, borg.thewalter.lan
dn: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: THIS-IS-A-LONG-
distinguishedName: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
instanceType: 4
whenCreated: 20130906072132.0Z
whenChanged: 20130906072222.0Z
uSNCreated: 184419
uSNChanged: 184432
name: THIS-IS-A-LONG-
objectGUID:: 80gHyB9OmkSoxfX0nFPRgA==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130229257508468000
localPolicyFlags: 0
pwdLastSet: 130229256927680000
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA9/w0hJ1SMagNN9rNmQQAAA==
accountExpires: 9223372036854775807
logonCount: 6
sAMAccountName: THIS-IS-A-LONG-$
sAMAccountType: 805306369
operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1
dNSHostName: this-is-a-long-computer-name-more-than-15.borg.thewalter.lan
servicePrincipalName: RestrictedKrbHost/this-is-a-long-computer-name-more-than
 -15.borg.thewalter.lan
servicePrincipalName: HOST/this-is-a-long-computer-name-more-than-15.borg.thew
 alter.lan
servicePrincipalName: RestrictedKrbHost/THIS-IS-A-LONG-
servicePrincipalName: HOST/THIS-IS-A-LONG-
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=borg,DC=thewalter,DC
 =lan
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130229256933764000
msDS-SupportedEncryptionTypes: 28

Comment 6 Stef Walter 2013-09-06 08:02:37 UTC
If a second windows client joins with the same first 15 characters, the computer account overwrites the first. This is the same behavior of joining a second computer with an identical name.

In the future we will have user interfaces that help administrators choose an appropriate non-conflicting name when joining a domain. However for the time being I believe we should just mimic the Windows behavior.

Account after second windows client has been joined (first no longer present):

# THIS-IS-A-LONG-, Computers, borg.thewalter.lan
dn: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: THIS-IS-A-LONG-
distinguishedName: CN=THIS-IS-A-LONG-,CN=Computers,DC=borg,DC=thewalter,DC=lan
instanceType: 4
whenCreated: 20130906072132.0Z
whenChanged: 20130906080011.0Z
uSNCreated: 184419
uSNChanged: 184457
name: THIS-IS-A-LONG-
objectGUID:: 80gHyB9OmkSoxfX0nFPRgA==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130229280105224000
localPolicyFlags: 0
pwdLastSet: 130229280053276000
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA9/w0hJ1SMagNN9rNmQQAAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: THIS-IS-A-LONG-$
sAMAccountType: 805306369
operatingSystem: Windows Server 2008 R2 Standard
operatingSystemVersion: 6.1 (7601)
operatingSystemServicePack: Service Pack 1
dNSHostName: this-is-a-long-computer-name-conflict.borg.thewalter.lan
servicePrincipalName: RestrictedKrbHost/this-is-a-long-computer-name-conflict.
 borg.thewalter.lan
servicePrincipalName: HOST/this-is-a-long-computer-name-conflict.borg.thewalte
 r.lan
servicePrincipalName: RestrictedKrbHost/THIS-IS-A-LONG-
servicePrincipalName: HOST/THIS-IS-A-LONG-
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=borg,DC=thewalter,DC
 =lan
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130229256933764000
msDS-SupportedEncryptionTypes: 28

Comment 7 Stef Walter 2013-09-06 08:10:10 UTC
Jakub, if we do a domain join with a truncated hostname (see above) then I guess we'd need to explicitly tell sssd.conf about that truncation, right?

Comment 8 Jakub Hrozek 2013-09-06 09:31:45 UTC
(In reply to Stef Walter from comment #7)
> Jakub, if we do a domain join with a truncated hostname (see above) then I
> guess we'd need to explicitly tell sssd.conf about that truncation, right?

Seems that the DNS name reflects the real long name, while the sAMAccountName is truncated.

I don't see any other way than setting ldap_sasl_authid to the sAMAccountName. In the example above, that would be:
ldap_sasl_authid = THIS-IS-A-LONG-$

That way, the Kerberos auth will keep working as it'll select the right principal from the keytab, while stuff like DNS dynamic updates can keep using the long host name.

Comment 9 Stef Walter 2013-09-06 12:33:45 UTC
Patches for adcli and realmd upstream.

Comment 10 Patrik Kis 2013-09-06 14:22:42 UTC
Stef,
can you please describe how this issue will be fixed in order to be able to verify it? Does it introduce a new parameter to realm/adcli? Thank you.

Comment 11 Stef Walter 2013-09-06 14:33:28 UTC
Use of Active Directory with computer host names longer than 15 characters is not best practice in production.

But in general we use the same algorithm as Windows clients when calculating netbios host names. We take the first dotted portion of the FQDN, convert to upper case, and truncate to 15 characters.

Fix for adcli:

 * When calculating a netbios computer account name from FQDN, truncate to first
   15 characters. The truncated computer account name will be visible using
   --show-details join argument.
 * The above will not happen if a long --computer-name was explicitly specified. In
   that case the join will just fail with the AD error code.

Fix for realmd:

 * During discovery determine whether we need to explicitly control our netbios
   name. If truncation must occur, make note of this.
 * If explicit control of netbios name is active:
   * During samba join, set 'netbios name' during join.
   * When configuring winbind, set 'netbios name' in smb.conf
   * When configuring sssd set 'ldap_sasl_authid' in sssd.conf to netbios
     name with a dollar sign after it, to tell sssd about the computer account
     name that doesn't match the host name.

In the future more work will be done with regard to helping administrators choose appropriate and non-conflicting host names. But the above should fix the issue for now, and is equivalent to Windows behavior.

Comment 12 Stef Walter 2013-09-06 14:40:26 UTC
Deon, this may be of interest for documentation:

 * The domain accounts of computers that have identical host names will
   overwrite each other when joining the domain.
   * Since domain administrative credentials are required in these cases, it is
     assumed that the administrator is aware of this and the action is
     intentional (ie: such as to replace a previous computer account with
     the same name).
 * The above is *also* true when the first 15 characters of the name are
   identical between two host names.

This is the same behavior as Windows Server domain members.

Future work will refine behavior in this area, but such work will not occur within the RHEL 7.0 time frame.
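As an added example (not realmd or adcli code), the NetBIOS derivation rule from comment 11 and the account overwrite described in comment 12 worked out in Python; the function names and the host inventory are constructed for illustration, and the hostnames reuse the ones quoted in this bug.

```python
NETBIOS_MAX = 15  # NetBIOS computer names are at most 15 characters


def netbios_name(fqdn):
    """Return (netbios_name, truncated) for a host FQDN: first dotted label,
    upper-cased, cut to 15 characters, as comment 11 describes."""
    label = fqdn.split(".", 1)[0].upper()
    return label[:NETBIOS_MAX], len(label) > NETBIOS_MAX


def join_settings(fqdn):
    """Settings realmd has to force when the name is truncated: the smb.conf
    'netbios name' and the sssd.conf 'ldap_sasl_authid' (account name plus '$').
    Returns an empty dict when no explicit control of the NetBIOS name is needed."""
    name, truncated = netbios_name(fqdn)
    if not truncated:
        return {}
    return {
        "smb.conf": {"netbios name": name},
        "sssd.conf": {"ldap_sasl_authid": name + "$"},
    }


def account_collisions(fqdns):
    """Group hosts whose first 15 characters map to the same AD computer
    account; joining a second one overwrites the first (comment 12).
    Run this over an inventory before joining to catch the overwrite early."""
    by_account = {}
    for fqdn in fqdns:
        by_account.setdefault(netbios_name(fqdn)[0], []).append(fqdn)
    return {acct: hosts for acct, hosts in by_account.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Constructed inventory: the first three names are taken from this bug report
    hosts = [
        "kautest-sssdclient-vm100.example.com",
        "this-is-a-long-computer-name-more-than-15.borg.thewalter.lan",
        "this-is-a-long-computer-name-conflict.borg.thewalter.lan",
        "short.example.com",
    ]
    for host in hosts:
        print(host, "->", netbios_name(host), join_settings(host))
    # The two thewalter.lan hosts collide on the account THIS-IS-A-LONG-
    print("collisions:", account_collisions(hosts))
```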

Comment 15 Ludek Smid 2014-06-13 13:30:10 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

