Bug 1258488 - Join to AD with adcli and defined computer-ou fails
Summary: Join to AD with adcli and defined computer-ou fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-31 13:28 UTC by Patrik Kis
Modified: 2016-11-04 07:46 UTC (History)
6 users (show)

Fixed In Version: realmd-0.16.1-6.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 07:46:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2511 0 normal SHIPPED_LIVE realmd bug fix and enhancement update 2016-11-03 14:14:00 UTC

Description Patrik Kis 2015-08-31 13:28:33 UTC 
Description of problem:
Not sure if this is adlci or realmd issue, but I have an impression that adcli does not fully support this option. So either it should be implemented/fixed in adcli or prevent realmd to use predeficed computer-ou and adcli for join.

Version-Release number of selected component (if applicable):
adcli-0.7.5-4.el7
realmd-0.16.1-3.el7
but the old realmd-0.14.6-6.el7 has this issue too

How reproducible:
always

Steps to Reproduce:
echo -n <password> | adcli join --verbose --domain <ad_domain> --domain-realm <AD_REALM> --domain-controller <ad_ip> --login-type user --login-user <login_user> --computer-ou OU=<OU> --stdin-password

Actual results:

Either

 ! Couldn't lookup computer container: 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0

adcli: joining domain ad.baseos.qe failed: Couldn't lookup computer container: 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 

if the computer record does not exist in AD at all, or if it exists then the following error is displayed:

adcli: joining domain <ad_domain> failed: The computer account <machine_hostname> already exists, but is not in the desired organizational unit.
Comment 2 Patrik Kis 2015-08-31 13:32:10 UTC 
NOTE, that in realmd-0.16.1-3.el7 adcli become the default membership software so this issue might be more visible.
Changing the target release to RHEL-7.2, but leave the decision to fix/postpone to devel as the issue is not that critical and have a en easy workaround (--membership-software=samba).
Comment 5 Stef Walter 2015-09-07 11:09:21 UTC 
The adcli command line is incorrect. The adcli documentation states:

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the computer
           account. If not specified then the computer account will be
           created in a default location.

In other words, an argument like OU=TestOU is an incomplete OU. If you are driving adcli directly, please specify the full OU, like this: OU=TestOU,DC=example,DC=com
Comment 6 Stef Walter 2015-09-07 11:14:20 UTC 
So workaround for this is to specify a full DN to the realm client --computer-ou command.

So I think this is a realmd bug. It should perform the qualification automatically before handing it off to adcli.
Comment 8 Stef Walter 2015-09-07 11:51:37 UTC 
Fixed upstream here: http://cgit.freedesktop.org/realmd/realmd/commit/?id=3db35ad73ec57c8af499a0dcef96ffd4da914236
Comment 17 lejeczek 2016-05-12 12:57:40 UTC 
it would be nice to have it fixed, more than half a year later and admins still bog down there.
Comment 21 errata-xmlrpc 2016-11-04 07:46:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2511.html
Note You need to log in before you can comment on or make changes to this bug.