Bug 1030517 - RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 characters
Summary: RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 char...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-14 15:45 UTC by Scott Poore
Modified: 2014-09-18 12:35 UTC (History)

Fixed In Version: ipa-3.3.3-14.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:00:20 UTC
Target Upstream Version:
Embargoed:
abokovoy: needinfo+


Attachments (Terms of Use)
tcpdump capture during getent/ssh for AD2\Administrator (61.42 KB, application/octet-stream)
2014-01-07 15:40 UTC, Scott Poore

Description Scott Poore 2013-11-14 15:45:00 UTC
Description of problem:

IPA servers with long hostnames (greater than 15 characters) have problems communicating with AD in a trust.  NetBIOS server names are limited to 15 characters.  If an IPA server has a name longer than that, ipa-adtrust-install still configures that as the NetBIOS name.  IPA is seemingly able to configure the trust but, afterwards, sssd appears to have problems communicating with AD to do lookups.

On a test box with a trust configured, I can't see any AD users with getent or id.  

[root@ibm-x3650m4-01-vm-04 sssd]# getent passwd 'ADLABS\Administrator'
[root@ibm-x3650m4-01-vm-04 sssd]#

From /var/log/messages I saw this:

 Nov 13 16:41:28 ibm-x3650m4-01-vm-04 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)

As you can see, the hostname is 20 characters long.  I saw the same behavior on another server with a 20 char name.

This behavior was found and confirmed by Dev.  It was suggested that ipa-adtrust-install should refuse to set up Samba on hosts with a name longer than 15 characters.

Version-Release number of selected component (if applicable):
ipa-server-3.3.3-4.el7.x86_64

How reproducible:
always


Steps to Reproduce:
1.  ipa-server-install
2.  ipa-adtrust-install
3.  ipa trust-add
4.  getent passwd 'ADDOMAIN\Administrator'

Actual results:
getent does not find AD user and log shows GSSAPI KDC policy reject error.

Expected results:
ipa-adtrust-install should have failed stating that it cannot configure a trust while the server name is longer than 15 characters.


Additional info:

Comment 2 Martin Kosek 2013-11-14 17:18:33 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4028

Comment 6 Scott Poore 2014-01-07 02:53:04 UTC
With this fix to cut down the netbios name of the host, how can I confirm the name has been shortened?

I installed ipa-server-3.3.3-8.el7.x86_64, but I still do not see user name lookup work:

[root@long-host-name12345678 sssd]# getent passwd 'AD2\Administrator'
[root@long-host-name12345678 sssd]#

And when I check the logs:

[root@long-host-name12345678 sssd]# grep -i GSSAPI * | grep -i KDC
sssd_testrelm.com.log:(Mon Jan  6 20:49:21 2014) [sssd[be[testrelm.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)]

So, how can I confirm that the netbios name was truncated as expected?

Comment 8 Martin Kosek 2014-01-07 08:23:55 UTC
Alexander or Tomas, please advise.

Comment 9 Sumit Bose 2014-01-07 08:46:50 UTC
Scott, I think the easiest way is to capture the network packets and look at the CLDAP response with wireshark.

Comment 10 Alexander Bokovoy 2014-01-07 11:40:11 UTC
Yes, I think using network capture is best here.

Comment 11 Scott Poore 2014-01-07 15:39:16 UTC
Ok, I did a tcpdump capture during getent and ssh to see if I could get that.  I will attach that, but I don't see the hostname truncated anywhere in that capture.

I do see this though (from the ssh I think):

290 2014-01-07 09:04:15.802193 192.168.122.77 -> 192.168.122.21 SMB NT Create AndX Request, Path: \netlogon
291 2014-01-07 09:04:15.802963 192.168.122.21 -> 192.168.122.77 SMB NT Create AndX Response, FID: 0x4002
292 2014-01-07 09:04:15.803004 192.168.122.77 -> 192.168.122.21 TCP 44517 > microsoft-ds [ACK] Seq=1539 Ack=1794 Win=21120 Len=0 TSV=48528686 TSER=8484834
293 2014-01-07 09:04:15.804044 192.168.122.77 -> 192.168.122.21 DCERPC Bind: call_id: 6 RPC_NETLOGON V1.0
294 2014-01-07 09:04:15.804693 192.168.122.21 -> 192.168.122.77 DCERPC Bind_ack: call_id: 6 accept max_xmit: 4280 max_recv: 4280
295 2014-01-07 09:04:15.814741 192.168.122.77 -> 192.168.122.21 RPC_NETLOGON NetrServerReqChallenge request, LONG-HOST-NAME12345678
296 2014-01-07 09:04:15.815388 192.168.122.21 -> 192.168.122.77 RPC_NETLOGON NetrServerReqChallenge response
297 2014-01-07 09:04:15.818605 192.168.122.77 -> 192.168.122.21 RPC_NETLOGON NetrServerAuthenticate2 request, TESTRELM$
298 2014-01-07 09:04:15.820482 192.168.122.21 -> 192.168.122.77 RPC_NETLOGON NetrServerAuthenticate2 response, STATUS_BUFFER_OVERFLOW
299 2014-01-07 09:04:15.822215 192.168.122.77 -> 192.168.122.21 SMB Close Request, FID: 0x4002
300 2014-01-07 09:04:15.822963 192.168.122.21 -> 192.168.122.77 SMB Close Response, FID: 0x4002

Is the above just confirmation of the problem?

Comment 12 Scott Poore 2014-01-07 15:40:33 UTC
Created attachment 846738 [details]
tcpdump capture during getent/ssh for AD2\Administrator

Comment 13 Scott Poore 2014-01-12 23:52:14 UTC
Ok, I checked a couple times and got the same results.  I'm moving this back to ASSIGNED so it can go through proper updates to get the fixed version.  

FYI:

[root@rhel7-8 ~]# ipa trust-add ad2.example.test --admin Administrator --range-type=ipa-ad-trust --password
Active directory domain administrator's password: 
---------------------------------------------------------
Added Active Directory trust for realm "ad2.example.test"
---------------------------------------------------------
  Realm name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-8 ~]# getent passwd 'AD2\Administrator'

[root@rhel7-8 ~]# grep GSS.*KDC /var/log/messages 
Jan 12 17:46:22 rhel7-8 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)

[root@rhel7-8 ~]# date
Sun Jan 12 17:46:31 CST 2014

[root@rhel7-8 ~]# rpm -q ipa-server
ipa-server-3.3.3-11.el7.x86_64

Comment 14 Alexander Bokovoy 2014-01-13 07:44:36 UTC
I'll look at it.

Comment 15 Sumit Bose 2014-01-13 08:31:23 UTC
I already have a fix for this which was successfully tested by Scott.

Comment 18 Scott Poore 2014-01-15 21:48:34 UTC
Verified.

Version ::

ipa-server-3.3.3-12.el7.x86_64

Test Results ::

Manually ran the following to setup env:

echo "192.168.122.77 long-host-name12345678.ipa4.example.test long-host-name12345678" >> /etc/hosts
echo "long-host-name12345678.ipa4.example.test" > /etc/hostname

service firewall stop
iptables -F

yum -y update

ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=$(hostname) \
    -r IPA4.EXAMPLE.TEST -n ipa4.example.test -p Secret123 -P Secret123 -a Secret123 -U

ipa-adtrust-install --netbios-name=IPA4 -a Secret123 -U

# Add dns forwarder on AD server

ipa dnszone-add ad2.example.test --name-server=w2k8r2-1.ad2.example.test. \
    --admin-email="hostmaster.test" --force --forwarder=192.168.122.21 \
    --forward-policy=only --ip-address=192.168.122.21

ipa trust-add ad2.example.test --admin Administrator --range-type=ipa-ad-trust --password

Then manually ran automated test:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_1030517:  RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 characters
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:43:12 ] ::  Hostname longer than 15 chars, checking for bug
administrator.test:*:551800500:551800500:Administrator:/:
:: [   PASS   ] :: Running 'getent passwd 'AD2\Administrator'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/messages' should not contain 'GSSAPI.*KDC.*reject' 
:: [   PASS   ] :: BZ1030517 not found

Comment 19 Martin Kosek 2014-01-17 16:03:29 UTC
Sumit found out we do not set the NetBIOS name in the Samba configuration. If an IPA server had a hostname longer than 15 characters, it would lead to an invalid NetBIOS hostname:

https://fedorahosted.org/freeipa/ticket/4116

Moving back to ASSIGNED.

Comment 20 Scott Poore 2014-01-17 16:52:01 UTC
Wasn't that what ipa-3.3.3-12.el7 fixed?  Or something else missed?

Comment 21 Martin Kosek 2014-01-20 07:56:35 UTC
Previous patches fixed the CLDAP responder. However, Sumit found that the actual IPA server Samba part may still have the NetBIOS name wrong, so we decided to rather force the proper name into its configuration. We decided to attach the fix to this Bugzilla.

Sumit will know better what the wrong Samba NetBIOS hostname would cause, if you want to know more.

Comment 22 Sumit Bose 2014-01-20 08:05:10 UTC
Scott, I think the messages related to a too-small buffer you were seeing in the network traces were caused by Samba using a too-long NetBIOS hostname.

Comment 24 Martin Kosek 2014-01-20 09:38:42 UTC
To verify the change manually, run:

# net conf list | grep "netbios name"

Note that the change does not apply on upgrade, but only after new installation (or ipa-adtrust-install) run.

Comment 25 Scott Poore 2014-01-20 14:49:21 UTC
Ok, I'll re-verify with this info too once it's ON_QA.

Thanks for the info.

Comment 27 Scott Poore 2014-01-22 17:25:14 UTC
Should the netbios name here be stripping hyphens?

[root@long-host-name12345678 ~]# net conf list | grep "netbios name"
	netbios name = LONGHOSTNAME123

[root@long-host-name12345678 ~]# hostname
long-host-name12345678.ipa9.example.test

I thought the cldap entry we saw during some debugging had the hyphens?

Thanks

Comment 28 Sumit Bose 2014-01-22 20:03:03 UTC
Good catch. While the CLDAP plugin just cuts the name after 15 characters, ipa-adtrust-install tries to be smarter and checks the name for invalid characters as well. While doing this it is a bit too strict: it only allows upper-case letters and digits, while a hyphen and a full stop are allowed, but not as the first or last character.

While there are different ways to solve the disconnect I think the safest would be to let the CLDAP plugin use the same scheme as ipa-adtrust-install to create a valid NetBIOS name. Alexander, do you agree?

Comment 29 Alexander Bokovoy 2014-01-22 20:12:44 UTC
I agree. (I had the same comment pending in a separate browser tab for a couple of hours) ;)

Comment 30 Scott Poore 2014-01-22 22:55:14 UTC
Ok, so, if the CLDAP plugin is changed, is there a way to see the name it's using other than a network trace?

Comment 31 Martin Kosek 2014-01-23 09:04:19 UTC
Alexander or Sumit, is the fix required to land in RHEL-7.0? If yes, please reopen https://fedorahosted.org/freeipa/ticket/4116

If not, please file a new enhancement ticket.

Comment 32 Sumit Bose 2014-01-23 09:40:43 UTC
Reopened https://fedorahosted.org/freeipa/ticket/4116 and assigned to me.

Comment 33 Sumit Bose 2014-01-23 14:30:16 UTC
(In reply to Scott Poore from comment #30)
> Ok, so, if the CLDAP plugin is changed, is there a way to see the name it's
> using other than a network trace?

You can run ldapsearch to get the binary CLDAP response

# ldapsearch -H cldap://ipa18-devel.ipa18.devel -b '' -s base '(&(DnsDomain=ipa18.devel)(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' netlogon -LLL -t
dn:
netlogon:< file:///tmp/ldapsearch-netlogon-oSP7u0

I didn't find a tool which can decode the binary data properly, but looking at the hexdump will show the name:

]# od -c /tmp/ldapsearch-netlogon-oSP7u0 
0000000 027  \0  \0  \0 375 003  \0  \0   M 351  \r 374   S 003   :   J
0000020 207 301 037   [ 030 373   ~   B 005   i   p   a   1   8 005   d
0000040   e   v   e   l  \0 300 030  \v   i   p   a   1   8   -   d   e
0000060   v   e   l 300 030 005   I   P   A   1   8  \0  \n   I   P   A
0000100   1   8   D   E   V   E   L  \0  \0 027   D   e   f   a   u   l
0000120   t   -   F   i   r   s   t   -   S   i   t   e   -   N   a   m
0000140   e  \0 300   I 020 002  \0  \0  \0 177  \0  \0 001  \0  \0  \0
0000160  \0  \0  \0  \0  \0  \0 005  \0  \0  \0 377 377 377 377
0000176


The string before 'Default-First-Site-Name' is the NetBIOS name.

HTH

Comment 34 Scott Poore 2014-01-23 16:04:11 UTC
Very cool.  If that binary file is predictable, I think I might be able to do it like this:

[root@long-host-name12345678 ~]# NBNAME=$(hexdump -C /tmp/ldapsearch-netlogon-xAmsNj |cut -f2 -d'|'|tr -d '\n'|sed  -e 's/\.*Default-First-Site-Name.*$//' -e 's/^.*\.\.//')

[root@long-host-name12345678 ~]# echo $NBNAME
LONG-HOST-NAME1

That may be enough for my tests as long as I can rely on that delimiter between Netbios Realm(?) and Host names.

[root@long-host-name12345678 ~]# CLDAP_NAME=$(hexdump -C /tmp/ldapsearch-netlogon-xAmsNj |cut -f2 -d'|'|tr -d '\n'|sed  -e 's/\.*Default-First-Site-Name.*$//' -e 's/^.*\.\.//')

[root@long-host-name12345678 ~]# NET_CONF_NAME=$(net conf list|grep -i "netbios name"|awk '{print $4}')

[root@long-host-name12345678 ~]# if [ "$CLDAP_NAME" = "$NET_CONF_NAME" ]; then echo same; else echo different; fi
different

[root@long-host-name12345678 ~]# echo "$CLDAP_NAME : $NET_CONF_NAME"
LONG-HOST-NAME1 : LONGHOSTNAME123

So I should be able to get something usable for a test.  Just need to get the new fix.

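An added example (not FreeIPA's or Samba's code) that decodes the binary netlogon value returned by the ldapsearch in comment 33, which gives the check asked for in comment 30 without a network trace, and re-implements the NetBIOS naming scheme described in comment 28 so the advertised name can be compared with the `net conf` value the way the test in comment 37 does. The sample blob is the od dump from comment 33 re-encoded as bytes; the field layout follows NETLOGON_SAM_LOGON_RESPONSE_EX from MS-ADTS, and the parser treats anything between the socket address and the fixed 8-byte trailer as the optional NextClosestSiteName (an assumption that also covers responders which omit it).

```python
import string
import struct
# Constructed sample: the 126-byte 'netlogon' value from the od dump in comment 33, re-encoded as bytes
SAMPLE = (
    b"\x17\x00\x00\x00\xfd\x03\x00\x00"                      # Opcode, Sbz, Flags
    + bytes.fromhex("4de90dfc53033a4a87c11f5b18fb7e42")     # DomainGuid
    + b"\x05ipa18\x05devel\x00\xc0\x18"                     # DnsForestName, DnsDomainName (pointer to 24)
    + b"\x0bipa18-devel\xc0\x18"                            # DnsHostName (label + pointer)
    + b"\x05IPA18\x00\x0aIPA18DEVEL\x00\x00"                # NetbiosDomainName, NetbiosComputerName, UserName
    + b"\x17Default-First-Site-Name\x00\xc0\x49"            # DcSiteName, ClientSiteName (pointer to 73)
    + b"\x10\x02\x00\x00\x00\x7f\x00\x00\x01" + b"\x00" * 8  # DcSockAddrSize, DcSockAddr (AF_INET 127.0.0.1)
    + b"\x00\x05\x00\x00\x00\xff\xff\xff\xff"               # NextClosestSiteName, NtVersion, LmNtToken, Lm20Token
)
NAMES = ("DnsForestName", "DnsDomainName", "DnsHostName", "NetbiosDomainName",
         "NetbiosComputerName", "UserName", "DcSiteName", "ClientSiteName")

def read_name(buf, pos):
    # DNS-style compressed name (RFC 1035 labels, 0xC0 pointers); returns (name, resume position)
    labels, resume, hops = [], None, 0
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:                            # two-byte pointer into buf
            resume = pos + 2 if resume is None else resume
            pos = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop in compressed name")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), resume if resume is not None else pos

def parse_netlogon_ex(buf):
    # NETLOGON_SAM_LOGON_RESPONSE_EX: header, eight compressed names, sockaddr, optional site, 8-byte trailer
    opcode, flags = struct.unpack_from("<HxxI", buf, 0)
    if opcode != 0x17:
        raise ValueError("opcode 0x%x is not LOGON_SAM_LOGON_RESPONSE_EX" % opcode)
    out, pos = {"Flags": flags, "DomainGuid": buf[8:24].hex()}, 24
    for field in NAMES:
        out[field], pos = read_name(buf, pos)
    size = buf[pos]
    out["DcSockAddr"], pos = buf[pos + 1:pos + 1 + size], pos + 1 + size
    if pos < len(buf) - 8:                                   # anything left before the trailer
        out["NextClosestSiteName"], pos = read_name(buf, pos)
    out["NtVersion"], out["LmNtToken"], out["Lm20Token"] = struct.unpack_from("<IHH", buf, len(buf) - 8)
    return out

def make_netbios_name(hostname):
    # Scheme from comment 28: first label, upper-cased, only [A-Z0-9] kept, then cut to 15 characters,
    # so hyphens are dropped before truncation (long-host-name12345678 -> LONGHOSTNAME123, comment 37)
    first = hostname.split(".")[0].upper()
    return "".join(c for c in first if c in string.ascii_uppercase + string.digits)[:15]
```

On a real server, feed parse_netlogon_ex the file that `ldapsearch -t` writes and compare its NetbiosComputerName with the `net conf list` output.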
Comment 35 Martin Kosek 2014-01-23 17:16:37 UTC
Fix pushed upstream:

master:
2bb2aa8c484285648e6f422a00006f0f00a352ef CLDAP: add unit tests for make_netbios_name
311b2b1acf00cab510eaa62306f5d61d2f9bf95f CLDAP: generate NetBIOS name like ipa-adtrust-install does
ipa-3-3:
17d6f27da33b99fb312d5bfdcf0a014caf093a1d CLDAP: add unit tests for make_netbios_name
c57ff0a9aae8e51de1de8671dc6c8d91a1f1af66 CLDAP: generate NetBIOS name like ipa-adtrust-install does

Comment 37 Scott Poore 2014-01-27 19:03:46 UTC
Verified.

Version ::

ipa-server-3.3.3-15.el7.x86_64

Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_1030517:  RHEL7 ipa-adtrust-install should fail if netbios hostname longer than 15 characters
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 13:01:47 ] ::  Hostname longer than 15 chars, checking for bug
:: [   PASS   ] :: CLDAP NetBIOS NAME (LONGHOSTNAME123) matches net conf NetBIOS Name (LONGHOSTNAME123) 
administrator.test:*:551800500:551800500:Administrator:/home/ad2.example.test/administrator:
:: [   PASS   ] :: Running 'getent passwd 'AD2\Administrator'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/messages' should not contain 'GSSAPI.*KDC.*reject' 
:: [   PASS   ] :: BZ1030517 not found

Comment 38 Ludek Smid 2014-06-13 12:00:20 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

