Bug 1274259 - adcli joined machine cannot be ssh-ed into
Status: CLOSED DUPLICATE of bug 1061371
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Stef Walter
QA Contact: BaseOS QE Security Team
Reported: 2015-10-22 07:30 EDT by Jan Pazdziora
Modified: 2015-10-22 08:20 EDT (History)
Doc Type: Bug Fix
Last Closed: 2015-10-22 08:20:00 EDT
Type: Bug

Description Jan Pazdziora 2015-10-22 07:30:43 EDT
Description of problem:

When the machine is joined with realm join and the adcli method is used (the default with realmd-0.16.1-3.el7.x86_64), ssh via gssapi-with-mic fails. When the net ads join method is used (realmd-0.14.6-6.el7.x86_64), ssh works.

Version-Release number of selected component (if applicable):

realmd-0.16.1-3.el7.x86_64
adcli-0.7.5-4.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. realm join -v addomain.test
2. kinit bob@ADDOMAIN.TEST
3. Make sure /etc/krb5.conf starts with includedir /var/lib/sss/pubconf/krb5.include.d/
4. ssh bob@ADDOMAIN.TEST@$(hostname)

Actual results:

bob@ADDOMAIN.TEST@machine.example.com's password: 

Expected results:

[bob@ADDOMAIN.TEST@machine ~]$ 

Additional info:
Comment 1 Jan Pazdziora 2015-10-22 07:32:16 EDT
The difference seems to be in the keytab file content (the services):

On RHEL 7.1:

# klist -kt /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/22/2015 07:14:01 host/rhel71.addomain.test@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71.addomain.test@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71.addomain.test@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71.addomain.test@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71.addomain.test@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST

On RHEL 7.2 nightly:

# klist -kt /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test@ADDOMAIN.TEST

The uppercase HOST/ seems to be the cause of the problem.
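The keytab check behind this comment, written out as an added example that is not part of the bug report nor of realmd or adcli: sshd's GSSAPI authenticator needs a keytab entry that matches host/<fqdn>@REALM exactly, and MIT Kerberos compares principal names case-sensitively (Active Directory itself is case-insensitive, which is why kinit and the ticket request still succeed), so an entry written as HOST/... is never found and sshd falls back to a password prompt. The script below parses `klist -kt` output and distinguishes "present", "present only as a case variant" and "absent". The two listings, the hostnames and the realm are constructed from the outputs above, trimmed to one line per principal; on a real host feed it `klist -kt /etc/krb5.keytab` and `hostname -f` instead.

```shell
#!/bin/sh
# Constructed klist -kt listings modelled on the RHEL 7.1 (net ads join)
# and RHEL 7.2 (adcli) outputs in this bug; hostnames and realm are the
# hypothetical ones from the report, not captured from a live system.
KEYTAB_NET_ADS='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/22/2015 07:14:01 host/rhel71.addomain.test@ADDOMAIN.TEST
   2 10/22/2015 07:14:01 host/rhel71@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST'

KEYTAB_ADCLI='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test@ADDOMAIN.TEST
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test@ADDOMAIN.TEST'

# keytab_principals LISTING
# Print the principal column of a klist -kt listing, one per line.
# Header lines carry no '@', so selecting on '@' skips them.
keytab_principals() {
    printf '%s\n' "$1" | awk '/@/ { print $NF }'
}

# check_keytab LISTING FQDN REALM
# Exit status:
#   0  exact host/FQDN@REALM present: GSSAPI ssh can find its key
#   1  only a case variant (e.g. HOST/FQDN@REALM) present: the adcli symptom
#   2  no host principal for FQDN in the keytab at all
# The exact match uses grep -F (fixed string) and -x (whole line), mirroring
# the case-sensitive comparison MIT Kerberos applies to keytab entries.
check_keytab() {
    want="host/$2@$3"
    if keytab_principals "$1" | grep -Fqx "$want"; then
        return 0
    elif keytab_principals "$1" | grep -Fqix "$want"; then
        return 1
    else
        return 2
    fi
}

# diagnose LISTING FQDN REALM
# One-line verdict on stdout; exit status as for check_keytab.
diagnose() {
    rc=0
    check_keytab "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "ok: host/$2@$3 present" ;;
        1) echo "bad: host/$2@$3 present only as a case variant (uppercase HOST/?)" ;;
        *) echo "bad: no host principal for $2 in keytab" ;;
    esac
    return $rc
}

# Stand-alone run over the constructed listings.  On a joined host use:
#   diagnose "$(klist -kt /etc/krb5.keytab)" "$(hostname -f)" ADDOMAIN.TEST
diagnose "$KEYTAB_NET_ADS" rhel71.addomain.test ADDOMAIN.TEST || true
diagnose "$KEYTAB_ADCLI"   rhel72.addomain.test ADDOMAIN.TEST || true
```

A status of 1 is the signature of this bug: the keys are in the keytab and the KDC is happy, only the principal name's case is wrong. Status 2 points at a different problem (no host SPN registered, or the keytab never written) and is worth telling apart before re-joining.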
Comment 2 Jan Pazdziora 2015-10-22 07:34:04 EDT
I'm aware that the change of the default is being reverted in bug 1271618.

But still, using --membership-software=adcli produces the incorrect setup.

Feel free to move to adcli -- I was not sure if realmd has something to do with the result or not.
Comment 3 Jan Pazdziora 2015-10-22 07:38:06 EDT
(In reply to Jan Pazdziora from comment #2)
> I'm aware that the change of the default is being reverted in bug 1271618.
> 
> But still, using --membership-software=adcli produces the incorrect setup.

Specifically, even with RHEL 7.1's

  realmd-0.14.6-6.el7.x86_64
  adcli-0.7.5-4.el7.x86_64

using

  realm join -v --membership-software=adcli addomain.test

produces a broken setup. So it's not a regression but a long-standing issue, if the default is not changing.
Comment 4 Jan Pazdziora 2015-10-22 07:42:25 EDT
https://bugs.freedesktop.org/show_bug.cgi?id=84749
Comment 5 Martin Kosek 2015-10-22 07:45:05 EDT
What I see as important information related to RHEL-7.2 consideration is that realmd join should work fine, when run *without* "--membership-software=adcli".

This works in realmd-0.16.1-5.el7.x86_64 or later.
Comment 6 Stef Walter 2015-10-22 08:20:00 EDT

*** This bug has been marked as a duplicate of bug 1061371 ***
