Bug 1271618 - net ads keytab add fails on system joined to AD with RHEL 7.2 realm join
Summary: net ads keytab add fails on system joined to AD with RHEL 7.2 realm join
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Stef Walter
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-10-14 11:51 UTC by Jan Pazdziora (Red Hat)
Modified: 2018-06-01 10:35 UTC (History)

Fixed In Version: realmd-0.16.1-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 03:44:13 UTC
Target Upstream Version:
Embargoed:
stefw: needinfo-




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2184 0 normal SHIPPED_LIVE Moderate: realmd security, bug fix, and enhancement update 2015-11-19 07:51:28 UTC

Description Jan Pazdziora (Red Hat) 2015-10-14 11:51:39 UTC
Description of problem:

When a RHEL system is joined to AD using realm join on RHEL 7.1 (realmd-0.14.6-6.el7, samba-common-4.1.12-21.el7_1), running net ads keytab add HTTP passes, with RHEL 7.1 code or with RHEL 7.2 code.

When, however, the system is joined to AD using realm join on RHEL 7.1 (realmd-0.16.1-3.el7, with or without samba-common-tools-4.2.3-7.el7 installed (to get /usr/bin/net)), that same net ads keytab add command fails.

Version-Release number of selected component (if applicable):

adcli-0.7.5-4.el7.x86_64
realmd-0.16.1-3.el7.x86_64
samba-common-tools-4.2.3-7.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y sssd adcli realmd /usr/bin/net
2. If your RHEL machine by default does not have DNS pointed to the Active Directory server, do something like

    cp /etc/resolv.conf /etc/resolv.conf.backup
    echo nameserver 11.12.13.14 > /etc/resolv.conf

3. In the commands below, we assume the AD realm is ADDOMAIN.TEST and the workgroup is ADDOMAIN:

    cat > /etc/net-keytab.conf <<EOF
[global]
   workgroup = ADDOMAIN
   realm = ADDOMAIN.TEST
   kerberos method = system keytab
   security = ads
EOF

4. realm join -v addomain.test
5. KRB5_KTNAME=FILE:/etc/gssproxy/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf

Actual results:

Successfully contacted LDAP server 10.11.12.13
Connected to LDAP server SERVER.ADDOMAIN.TEST
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
../source3/libads/kerberos_keytab.c:312: failed to fetch machine password
return code = -1

Expected results:

Successfully contacted LDAP server 10.12.13.14
Connected to LDAP server SERVER.ADDOMAIN.TEST
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
../source3/libads/kerberos_keytab.c:389: Attempting to add/update 'HTTP/client.example.com'
ads_add_service_principal_name: Host account for CLIENT found
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com) with encryption type (1) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com) with encryption type (3) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com) with encryption type (17) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com) with encryption type (18) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client.example.com) with encryption type (23) and version (2)
../source3/libads/kerberos_keytab.c:65: Will try to delete old keytab entries
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client) with encryption type (1) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client) with encryption type (3) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client) with encryption type (17) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client) with encryption type (18) and version (2)
../source3/libads/kerberos_keytab.c:237: adding keytab entry for (HTTP/client) with encryption type (23) and version (2)
return code = 0

Additional info:

Comment 1 Jan Pazdziora (Red Hat) 2015-10-14 11:53:10 UTC
On RHEL 7.1, realm join -v calls

/usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SZG75X -U Administrator ads join ADDOMAIN.TEST

On RHEL 7.2, the invocation of /usr/bin/net is not shown. Perhaps the machine is now joined differently, which leaves it in a state in which the service keytab cannot be retrieved.

Comment 2 Jan Pazdziora (Red Hat) 2015-10-14 11:56:38 UTC
The scenario above is documented for Satellite 6 at

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/sect-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication-Using_Active_Directory_Directly.html

so this bugzilla is a blocker for the layered product.

Comment 3 Stef Walter 2015-10-14 17:51:08 UTC
In realmd 0.16.x adcli became the default membership software for performing AD joins. This change is 70878dec6e23226ab25f731654ab53cc0e7b11c3 upstream.

So we have two choices:

 * Revert the upstream patch for RHEL 7.2
 * Tell people to use --membership-software=samba if they want to use samba commands on the joined system.

Please let me know which is preferred.

Comment 4 Martin Kosek 2015-10-14 18:42:40 UTC
I will let Jan chime in here, but IMO, forcing people to suddenly start using an extra option to make realmd work would not be a great experience (as proven by this bug). So reverting the patch (or changing the defaults to match 7.1 behavior) seems a better choice here.

Comment 5 Guenther Deschner 2015-10-14 20:24:27 UTC
(In reply to Martin Kosek from comment #4)
> I will let Jan chime in here, but IMO, forcing people to suddenly start
> using an extra option to make realmd work would not be a great experience
> (as proven by this bug). So reverting the patch (or changing the defaults to
> match 7.1 behavior) seems a better choice here.

Yes, I think so too.

Comment 6 Jan Pazdziora (Red Hat) 2015-10-15 07:28:18 UTC
(In reply to Stef Walter from comment #3)
> In realmd 0.16.x adcli became the default membership software for performing
> AD joins. This change is 70878dec6e23226ab25f731654ab53cc0e7b11c3 upstream.
> 
> So we have two choices:
> 
>  * Revert the upstream patch for RHEL 7.2
>  * Tell people to use --membership-software=samba if they want to use samba
> commands on the joined system.

I confirm that using

   realm join --membership-software=samba -v addomain.test

makes the subsequent net ads keytab add HTTP call pass. It should be fairly easy to amend the Satellite documentation.

If the user already has the Satellite machine joined to AD with adcli for whatever reason, is there a way to retain that and add necessary Samba setup for net ads keytab to work?

Is there a way to retrieve the keytab for the HTTP/ service with the adcli stack?

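A pre-flight check around the reproducer's net ads keytab add step and the --membership-software=samba workaround confirmed in comment 6, as an added example that is not code from the bug report or from realmd/samba; the file paths and sample strings are constructed, and the settings and log lines it looks for are the ones quoted in this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): validate the smb.conf fragment
# passed via "net -s", and classify the output of "net ads keytab add".

# Check that the config has the four settings the reproducer relies on.
# Prints the missing/incorrect keys on stdout and returns 1 if any are wrong.
check_net_keytab_conf() {
    conf="$1"; bad=""
    grep -Eiq '^[[:space:]]*workgroup[[:space:]]*=' "$conf" || bad="$bad workgroup"
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=' "$conf"     || bad="$bad realm"
    # "kerberos method = system keytab" lets net authenticate from the host keytab
    grep -Eiq '^[[:space:]]*kerberos method[[:space:]]*=[[:space:]]*system keytab[[:space:]]*$' "$conf" \
        || bad="$bad kerberos-method"
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$conf" \
        || bad="$bad security"
    [ -z "$bad" ] && return 0
    echo "bad:$bad"; return 1
}

# Classify captured "net ads keytab add" output. Prints one of:
#   ok             "return code = 0" seen
#   no-machine-pw  the failure in this bug: samba has no machine password
#                  because the host was joined with adcli rather than samba
#   other          anything else (inspect the full -d3 output)
classify_net_output() {
    if printf '%s\n' "$1" | grep -q 'failed to fetch machine password'; then
        echo no-machine-pw
    elif printf '%s\n' "$1" | grep -q '^return code = 0$'; then
        echo ok
    else
        echo other
    fi
}

# Map a classification to the workaround from comment 6 (<realm> is a placeholder).
remediation() {
    case "$1" in
        no-machine-pw) echo 'rejoin with: realm join --membership-software=samba -v <realm>' ;;
        ok)            echo 'nothing to do' ;;
        *)             echo 'inspect the full -d3 output' ;;
    esac
}

# Constructed samples mirroring the "Actual results" in the report.
SAMPLE_CONF="$(mktemp)"
printf '[global]\n   workgroup = ADDOMAIN\n   realm = ADDOMAIN.TEST\n   kerberos method = system keytab\n   security = ads\n' > "$SAMPLE_CONF"
SAMPLE_FAIL='../source3/libads/kerberos_keytab.c:312: failed to fetch machine password
return code = -1'
check_net_keytab_conf "$SAMPLE_CONF" && echo "config ok"
cls=$(classify_net_output "$SAMPLE_FAIL"); echo "$cls -> $(remediation "$cls")"
```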
Comment 17 Stef Walter 2015-10-16 17:21:05 UTC
Thanks Libor. The resulting build is here: https://brewweb.devel.redhat.com/taskinfo?taskID=9970259

Comment 18 Stef Walter 2015-10-16 17:23:26 UTC
After discussion we decided to implement both:

 * Revert the upstream patch for RHEL 7.2
 * Tell people to use --membership-software=samba if they want to use samba commands on the joined system.

Comment 29 errata-xmlrpc 2015-11-19 03:44:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2184.html

Comment 30 Daniel Lobato Garcia 2017-01-11 17:45:33 UTC
I'm seeing this issue again with realmd 0.16.1.9; check some logs on https://gist.github.com/2952399a62a233dc9a0edd711ed0486a

Comment 31 Jan Pazdziora (Red Hat) 2017-01-13 09:22:45 UTC
(In reply to Daniel Lobato Garcia from comment #30)
> I'm seeing this issue again with realmd 0.16.1.9; check some logs on
> https://gist.github.com/2952399a62a233dc9a0edd711ed0486a

I suggest you open a new bugzilla, as there likely won't be any reopening under this one.
