Bug 1267319 - adcli builds keytab incompatible with openssh GSSAPI
Summary: adcli builds keytab incompatible with openssh GSSAPI
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: adcli
Version: el6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2015-09-29 15:46 UTC by John Beranek
Modified: 2016-01-04 23:54 UTC (History)
Clone Of:
Last Closed: 2016-01-04 23:54:13 UTC



Description John Beranek 2015-09-29 15:46:30 UTC
Description of problem:

When adcli is used to join an AD domain, it creates a keytab (/etc/krb5.keytab) which is not compatible with logging in to the OpenSSH server using GSSAPI authentication.

In particular it uses an SPN like:

HOST/server1.example.com@EXAMPLE.COM

when OpenSSH expects:

host/server1.example.com@EXAMPLE.COM

This problem has been fixed in upstream adcli, but is not in a released version. See:

https://bugs.freedesktop.org/show_bug.cgi?id=84749
http://cgit.freedesktop.org/realmd/adcli/commit/?id=ec132a3add4c41a9c1efa6c12b2c900df66151d1


Version-Release number of selected component (if applicable):

adcli-0.7.3-1.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Delete /etc/krb5.keytab
2. Use 'adcli join example.com' to join the domain
3. Try to log in to the machine from an AD-integrated Windows machine using something like GSSAPI-enabled PuTTY

Actual results:

User is prompted for a password

Expected results:

User can log in with a password

Additional info:

Comment 1 John Beranek 2015-09-29 15:48:18 UTC
Correction to "Expected results", it should read:

User can log in WITHOUT a password

Comment 2 John Beranek 2015-09-29 15:50:14 UTC
Workaround is to add something like the following to the "adcli join" command:

--user-principal="host/`hostname`@EXAMPLE.COM"
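
Added example (not part of this bug report or of adcli): a small Python check that parses `klist -k` output and reports whether the keytab holds the exactly-cased `host/<fqdn>@REALM` entry that sshd's GSSAPI acceptor looks up, since Kerberos principal names are case-sensitive and `HOST/...` does not match. The klist output below is constructed to mirror the keytab described in this bug; the MIT `klist -k` column layout is assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `klist -k /etc/krb5.keytab` after a join with the
# affected adcli: only the upper-case HOST/ service principal is present.
SAMPLE_KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER1$@EXAMPLE.COM
   2 HOST/server1.example.com@EXAMPLE.COM
   2 HOST/SERVER1@EXAMPLE.COM
"""

# One data row of MIT klist -k output: a numeric KVNO followed by the principal.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(output: str) -> List[str]:
    """Return the principal names listed by `klist -k`, skipping header lines."""
    principals = []
    for line in output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            principals.append(m.group(2))
    return principals


def check_ssh_gssapi_principal(principals: List[str], fqdn: str,
                               realm: str) -> Dict[str, object]:
    """sshd acquires credentials for host/<fqdn>@REALM. Principal comparison
    is case-sensitive, so report an exact hit separately from entries that
    differ only in case (the symptom of this bug)."""
    wanted = f"host/{fqdn}@{realm}"
    present = wanted in principals
    case_mismatches = [p for p in principals
                       if p != wanted and p.lower() == wanted.lower()]
    workaround: Optional[str] = None
    if not present:
        # Matches the workaround given in Comment 2: pass the lower-case SPN.
        workaround = f'adcli join --user-principal="{wanted}" ...'
    return {"wanted": wanted, "present": present,
            "case_mismatches": case_mismatches, "workaround": workaround}


if __name__ == "__main__":
    result = check_ssh_gssapi_principal(parse_klist(SAMPLE_KLIST_OUTPUT),
                                        "server1.example.com", "EXAMPLE.COM")
    print(result)
```

On a real host, feed it the output of `klist -k /etc/krb5.keytab` and the machine's FQDN and realm; a `present` of False with a non-empty `case_mismatches` list is exactly the state this bug leaves behind.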

Comment 3 Fedora Update System 2015-10-19 10:34:52 UTC
adcli-0.7.6-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0fbdddc742

Comment 4 Fedora Update System 2015-10-19 16:24:38 UTC
adcli-0.7.6-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update adcli'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0fbdddc742

Comment 5 Fedora Update System 2015-12-17 13:45:33 UTC
adcli-0.8.0-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-bb1a6feaea

Comment 6 Fedora Update System 2015-12-18 14:19:36 UTC
adcli-0.8.0-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update adcli'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-bb1a6feaea

Comment 7 Fedora Update System 2016-01-04 23:54:11 UTC
adcli-0.8.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

