Bug 1271618 - net ads keytab add fails on system joined to AD with RHEL 7.2 realm join
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd (Show other bugs)
Version: 7.2
Target Milestone: rc
Assigned To: Stef Walter
QA Contact: Patrik Kis
Keywords: Regression
Reported: 2015-10-14 07:51 EDT by Jan Pazdziora
Modified: 2018-06-01 06:35 EDT (History)
Fixed In Version: realmd-0.16.1-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-18 22:44:13 EST
Type: Bug
External Trackers:
Red Hat Product Errata RHSA-2015:2184 (priority normal, status SHIPPED_LIVE): Moderate: realmd security, bug fix, and enhancement update; last updated 2015-11-19 02:51:28 EST
Description Jan Pazdziora 2015-10-14 07:51:39 EDT
Description of problem:

When a RHEL system is joined to AD using realm join on RHEL 7.1 (realmd-0.14.6-6.el7, samba-common-4.1.12-21.el7_1), running net ads keytab add HTTP passes, with RHEL 7.1 code or with RHEL 7.2 code.

When, however, the system is joined to AD using realm join on RHEL 7.1 (realmd-0.16.1-3.el7, with or without samba-common-tools-4.2.3-7.el7 installed (to get /usr/bin/net)), that same net ads keytab add command fails.

Version-Release number of selected component (if applicable):

adcli-0.7.5-4.el7.x86_64
realmd-0.16.1-3.el7.x86_64
samba-common-tools-4.2.3-7.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y sssd adcli realmd /usr/bin/net
2. If your RHEL machine by default does not have DNS pointed to the Active Directory server, do something like

    cp /etc/resolv.conf /etc/resolv.conf.backup
    echo nameserver 11.12.13.14 > /etc/resolv.conf

3. In the commands below, we assume the AD realm is ADDOMAIN.TEST and the workgroup is ADDOMAIN:

    cat > /etc/net-keytab.conf <<EOF
[global]
   workgroup = ADDOMAIN
   realm = ADDOMAIN.TEST
   kerberos method = system keytab
   security = ads
EOF

4. realm join -v addomain.test
5. KRB5_KTNAME=FILE:/etc/gssproxy/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf

Actual results:

Successfully contacted LDAP server 10.11.12.13
Connected to LDAP server SERVER.ADDOMAIN.TEST
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
../source3/libads/kerberos_keytab.c:312: failed to fetch machine password
return code = -1

Expected results:

Successfully contacted LDAP server 10.12.13.14
Connected to LDAP server SERVER.ADDOMAIN.TEST
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
../source3/libads/kerberos_keytab.c:389: Attempting to add/update 'HTTP/client.example.com@ADDOMAIN.TEST'
ads_add_service_principal_name: Host account for CLIENT found
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (1) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (3) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (17) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (18) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (23) and version (2)
../source3/libads/kerberos_keytab.c:65: Will try to delete old keytab entries
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client@ADDOMAIN.TEST) with encryption type (1) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client@ADDOMAIN.TEST) with encryption type (3) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client@ADDOMAIN.TEST) with encryption type (17) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client@ADDOMAIN.TEST) with encryption type (18) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client@ADDOMAIN.TEST) with encryption type (23) and version (2)
return code = 0

Additional info:
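As an added example (not part of the bug report), a small Python parser for the net ads keytab add -d3 output shown above: it separates the "failed to fetch machine password" failure from a successful run and, for a successful run, lists the principals written and flags entries with deprecated encryption types (1 and 3 are single DES, 23 is RC4), which the expected output above shows being added alongside AES (17, 18). The sample log lines below are constructed from this report's output.

```python
import re
from typing import Dict, List

# Kerberos encryption type numbers as printed by net -d3 (RFC 3961/3962/4757 assignments).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4 are deprecated (RFC 6649, RFC 8429)

ADD_RE = re.compile(r"adding keytab entry for \((?P<princ>[^)]+)\) with encryption type \((?P<etype>\d+)\)")
FAIL_RE = re.compile(r"failed to fetch machine password")
RC_RE = re.compile(r"^return code = (-?\d+)")

# Constructed sample logs, abridged from the actual/expected results in this report.
FAIL_LOG = """ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
../source3/libads/kerberos_keytab.c:312: failed to fetch machine password
return code = -1
"""
OK_LOG = """../source3/libads/kerberos_keytab.c:389: Attempting to add/update 'HTTP/client.example.com@ADDOMAIN.TEST'
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (18) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com@ADDOMAIN.TEST) with encryption type (23) and version (2)
return code = 0
"""

def parse_keytab_add_log(log: str) -> dict:
    """Summarise one `net ads keytab add -d3` run: return code, the machine-password
    failure seen on adcli-joined hosts, principals written, and weak enctypes per principal."""
    entries: Dict[str, List[int]] = {}
    result = {"rc": None, "machine_password_error": False, "entries": entries, "weak": {}}
    for line in log.splitlines():
        m = ADD_RE.search(line)
        if m:
            entries.setdefault(m.group("princ"), []).append(int(m.group("etype")))
            continue
        if FAIL_RE.search(line):
            result["machine_password_error"] = True
            continue
        m = RC_RE.match(line.strip())
        if m:
            result["rc"] = int(m.group(1))
    result["weak"] = {p: [e for e in ets if e in WEAK_ENCTYPES]
                      for p, ets in entries.items() if any(e in WEAK_ENCTYPES for e in ets)}
    return result

def diagnose(summary: dict) -> str:
    """One-line verdict a defender can act on."""
    if summary["machine_password_error"]:
        return "no machine password available to net: host was likely joined with adcli, not samba"
    if summary["rc"] != 0:
        return "net ads keytab add failed for another reason; inspect the -d3 output"
    if summary["weak"]:
        names = {p: [ENCTYPE_NAMES.get(e, str(e)) for e in ets] for p, ets in summary["weak"].items()}
        return f"keytab written, but it includes deprecated DES/RC4 keys: {names}"
    return "keytab written with AES keys only"

if __name__ == "__main__":
    for log in (FAIL_LOG, OK_LOG):
        print(diagnose(parse_keytab_add_log(log)))
```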
Comment 1 Jan Pazdziora 2015-10-14 07:53:10 EDT
On RHEL 7.1, realm join -v calls

/usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SZG75X -U Administrator ads join ADDOMAIN.TEST

On RHEL 7.2, the invocation of /usr/bin/net is not shown. Perhaps the machine is now joined differently, which leaves it in a state in which the service keytab cannot be retrieved.
Comment 2 Jan Pazdziora 2015-10-14 07:56:38 EDT
The scenario above is documented for Satellite 6 at

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/sect-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication-Using_Active_Directory_Directly.html

so this bugzilla is a blocker for the layered product.
Comment 3 Stef Walter 2015-10-14 13:51:08 EDT
In realmd 0.16.x adcli became the default membership software for performing AD joins. This change is 70878dec6e23226ab25f731654ab53cc0e7b11c3 upstream.

So we have two choices:

 * Revert the upstream patch for RHEL 7.2
 * Tell people to use --membership-software=samba if they want to use samba commands on the joined system.

Please let me know which is preferred.
Comment 4 Martin Kosek 2015-10-14 14:42:40 EDT
I will let Jan chime in here, but IMO, forcing people to suddenly start using an extra option to make realmd work would not be a great experience (as proven by this bug). So reverting the patch (or changing the defaults to match 7.1 behavior) seems a better choice here.
Comment 5 Guenther Deschner 2015-10-14 16:24:27 EDT
(In reply to Martin Kosek from comment #4)
> I will let Jan chime in here, but IMO, forcing people to suddenly start
> using an extra option to make realmd work would not be a great experience
> (as proven by this bug). So reverting the patch (or changing the defaults to
> match 7.1 behavior) seems a better choice here.

Yes, I think so too.
Comment 6 Jan Pazdziora 2015-10-15 03:28:18 EDT
(In reply to Stef Walter from comment #3)
> In realmd 0.16.x adcli became the default membership software for performing
> AD joins. This change is 70878dec6e23226ab25f731654ab53cc0e7b11c3 upstream.
> 
> So we have two choices:
> 
>  * Revert the upstream patch for RHEL 7.2
>  * Tell people to use --membership-software=samba if they want to use samba
> commands on the joined system.

I confirm that using

   realm join --membership-software=samba -v addomain.test

makes the subsequent net ads keytab add HTTP call pass. It should be fairly easy to amend the Satellite documentation.

If the user already has the Satellite machine joined to AD with adcli for whatever reason, is there a way to retain that and add necessary Samba setup for net ads keytab to work?

Is there a way to retrieve the keytab for the HTTP/ service with the adcli stack?
Comment 17 Stef Walter 2015-10-16 13:21:05 EDT
Thanks Libor. The resulting build is here: https://brewweb.devel.redhat.com/taskinfo?taskID=9970259
Comment 18 Stef Walter 2015-10-16 13:23:26 EDT
After discussion we decided to implement both:

 * Revert the upstream patch for RHEL 7.2
 * Tell people to use --membership-software=samba if they want to use samba commands on the joined system.
Comment 29 errata-xmlrpc 2015-11-18 22:44:13 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2184.html
Comment 30 Daniel Lobato Garcia 2017-01-11 12:45:33 EST
I'm seeing this issue again with realmd 0.16.1.9, check some logs on https://gist.github.com/2952399a62a233dc9a0edd711ed0486a
Comment 31 Jan Pazdziora 2017-01-13 04:22:45 EST
(In reply to Daniel Lobato Garcia from comment #30)
> I'm seeing this issue again with realmd 0.16.1.9, check some logs on
> https://gist.github.com/2952399a62a233dc9a0edd711ed0486a

I suggest you open a new bugzilla, as there likely won't be any reopening under this one.