Bug 1274259 - adcli joined machine cannot be ssh-ed into
Summary: adcli joined machine cannot be ssh-ed into
Status: CLOSED DUPLICATE of bug 1061371
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stef Walter
QA Contact: BaseOS QE Security Team
Reported: 2015-10-22 11:30 UTC by Jan Pazdziora
Modified: 2015-10-22 12:20 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-10-22 12:20:00 UTC
Description Jan Pazdziora 2015-10-22 11:30:43 UTC
Description of problem:

When a machine is joined with realm join and the adcli method is used (the default with realmd-0.16.1-3.el7.x86_64), ssh via gssapi-with-mic fails. When the net ads join method is used (realmd-0.14.6-6.el7.x86_64), ssh works.

Version-Release number of selected component (if applicable):

realmd-0.16.1-3.el7.x86_64
adcli-0.7.5-4.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. realm join -v addomain.test
2. kinit bob
3. Make sure /etc/krb5.conf starts with includedir /var/lib/sss/pubconf/krb5.include.d/
4. ssh bob@$(hostname)

Actual results:

bob@machine.example.com's password: 

Expected results:

[bob@machine ~]$ 

Additional info:

Comment 1 Jan Pazdziora 2015-10-22 11:32:16 UTC
The difference seems to be in the keytab file content (the services):

On RHEL 7.1:

# klist -kt /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/22/2015 07:14:01 host/rhel71.addomain.test
   2 10/22/2015 07:14:01 host/rhel71.addomain.test
   2 10/22/2015 07:14:01 host/rhel71.addomain.test
   2 10/22/2015 07:14:01 host/rhel71.addomain.test
   2 10/22/2015 07:14:01 host/rhel71.addomain.test
   2 10/22/2015 07:14:01 host/rhel71
   2 10/22/2015 07:14:01 host/rhel71
   2 10/22/2015 07:14:01 host/rhel71
   2 10/22/2015 07:14:01 host/rhel71
   2 10/22/2015 07:14:01 host/rhel71
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST

On RHEL 7.2 nightly:

# klist -kt /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72
   4 10/22/2015 07:29:11 HOST/RHEL72
   4 10/22/2015 07:29:11 HOST/RHEL72
   4 10/22/2015 07:29:11 HOST/RHEL72
   4 10/22/2015 07:29:11 HOST/RHEL72
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72
   4 10/22/2015 07:29:12 RestrictedKrbHost/RHEL72
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test

The uppercase HOST/ seems to be the cause of the problem.
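
A check for the difference between the two listings above, as an added example that is not part of the original comment or of realmd/adcli: a shell function that reads `klist -k` or `klist -kt` output and reports whether a service principal is present in exactly the requested case, only in a different case, or not at all. The function name and the abbreviated sample listings are constructed for illustration.

```shell
#!/bin/sh
# check_service_case SERVICE HOSTNAME   (klist -k / klist -kt output on stdin)
# Prints one of: exact | case-mismatch | missing
check_service_case() {
    awk -v want="$1/$2" '
        # Entry rows start with a numeric KVNO; header rows do not.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = $NF
            sub(/@.*/, "", p)     # drop the realm if klist printed one
            if (p == want) exact = 1
            else if (tolower(p) == tolower(want)) variant = 1
        }
        END {
            if (exact) print "exact"
            else if (variant) print "case-mismatch"
            else print "missing"
        }'
}

# Constructed sample: abbreviated from the RHEL 7.2 (adcli) listing above.
sample_adcli() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 10/22/2015 07:29:11 RHEL72$@ADDOMAIN.TEST
   4 10/22/2015 07:29:11 HOST/RHEL72
   4 10/22/2015 07:29:11 HOST/rhel72.addomain.test
   4 10/22/2015 07:29:12 RestrictedKrbHost/rhel72.addomain.test
EOF
}

# Constructed sample: abbreviated from the RHEL 7.1 (net ads) listing above.
sample_netads() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/22/2015 07:14:01 host/rhel71.addomain.test
   2 10/22/2015 07:14:01 host/rhel71
   2 10/22/2015 07:14:02 RHEL71$@ADDOMAIN.TEST
EOF
}

sample_adcli  | check_service_case host rhel72.addomain.test   # case-mismatch
sample_netads | check_service_case host rhel71.addomain.test   # exact
```

On a joined host, feed it live output instead of the samples: klist -k /etc/krb5.keytab | check_service_case host "$(hostname -f)".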

Comment 2 Jan Pazdziora 2015-10-22 11:34:04 UTC
I'm aware that the change of the default is being reverted in bug 1271618.

But still, using --membership-software=adcli produces the incorrect setup.

Feel free to move to adcli -- I was not sure if realmd has something to do with the result or not.

Comment 3 Jan Pazdziora 2015-10-22 11:38:06 UTC
(In reply to Jan Pazdziora from comment #2)
> I'm aware that the change of the default is being reverted in bug 1271618.
> 
> But still, using --membership-software=adcli produces the incorrect setup.

Specifically, even with RHEL 7.1's

  realmd-0.14.6-6.el7.x86_64
  adcli-0.7.5-4.el7.x86_64

using

  realm join -v --membership-software=adcli addomain.test

produces a broken setup. So it's not a regression but a long-standing issue, if the default is not changing.

Comment 4 Jan Pazdziora 2015-10-22 11:42:25 UTC
https://bugs.freedesktop.org/show_bug.cgi?id=84749

Comment 5 Martin Kosek 2015-10-22 11:45:05 UTC
What I see as important information related to RHEL-7.2 consideration is that realmd join should work fine, when run *without* "--membership-software=adcli".

This works in realmd-0.16.1-5.el7.x86_64 or later.

Comment 6 Stef Walter 2015-10-22 12:20:00 UTC

*** This bug has been marked as a duplicate of bug 1061371 ***

