This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Versions:
=========
sssd-krb5-common-1.14.0-21.el7.x86_64
sssd-krb5-1.14.0-21.el7.x86_64
python-sssdconfig-1.14.0-21.el7.noarch
sssd-common-1.14.0-21.el7.x86_64
sssd-common-pac-1.14.0-21.el7.x86_64
sssd-ldap-1.14.0-21.el7.x86_64
sssd-proxy-1.14.0-21.el7.x86_64
sssd-ipa-1.14.0-21.el7.x86_64
sssd-1.14.0-21.el7.x86_64
sssd-client-1.14.0-21.el7.x86_64
sssd-ad-1.14.0-21.el7.x86_64

RHEL Version:
=============
Red Hat Enterprise Linux Server release 7.3 Beta (Maipo)

1. Join system to Windows 2012 R2 using adcli

[root@test-cloud-qe3 ~]# echo 'Secret123' | adcli join --domain=sssdad2012r2.com -U Administrator -v --stdin-password -v
 * Using domain name: sssdad2012r2.com
 * Calculated computer account name from fqdn: TEST-CLOUD-QE3
 * Calculated domain realm from name: SSSDAD2012R2.COM
 * Discovering domain controllers: _ldap._tcp.sssdad2012r2.com
 * Sending netlogon pings to domain controller: ldap://[2620:52:0:83f:408a:ef53:8e36:1348]
 * Sending netlogon pings to domain controller: cldap://10.8.63.41
 * Sending netlogon pings to domain controller: ldap://[2620:52:0:83f:5cc:7b0a:c313:8c37]
 * Sending netlogon pings to domain controller: cldap://10.8.63.40
 * Received NetLogon info from: bsod2-bdc.sssdad2012r2.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-6A1ngg/krb5.d/adcli-krb5-conf-3R0XN8
 * Authenticated as user: Administrator@SSSDAD2012R2.COM
 * Looked up short domain name: SSSDAD2012R2
 * Using fully qualified name: test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Using domain name: sssdad2012r2.com
 * Using computer account name: TEST-CLOUD-QE3
 * Using domain realm: sssdad2012r2.com
 * Calculated computer account name from fqdn: TEST-CLOUD-QE3
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for TEST-CLOUD-QE3$ does not exist
 * Found well known computer container at: CN=Computers,DC=sssdad2012r2,DC=com
 * Calculated computer account: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com
 * Created computer account: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 ! Couldn't authenticate with keytab while discovering which salt to use: TEST-CLOUD-QE3$@SSSDAD2012R2.COM: Client 'TEST-CLOUD-QE3$@SSSDAD2012R2.COM' not found in Kerberos database
 * Added the entries to the keytab: TEST-CLOUD-QE3$@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-CLOUD-QE3@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab

2. Configure sssd.conf and set the maximum machine account password age to 1 day

[sssd]
config_file_version = 2
domains = sssdad2012r2.com
services = nss, pam

[domain/sssdad2012r2.com]
id_provider = ad
auth_provider = ad
access_provider = ad
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
ad_maximum_machine_account_password_age = 1
ad_machine_account_password_renewal_opts = 300:15
debug_level = 9

3. Restart the sssd service

4. Move the system date on the RHEL 7.3 and Windows systems 2 days ahead

5. sssd calls adcli to renew the machine account

(Fri Aug 19 02:39:47 2016) [sssd[be[sssdad2012r2.com]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
 * Found realm in keytab: SSSDAD2012R2.COM
 * Found computer name in keytab: TEST-CLOUD-QE3
 * Found service principal in keytab: host/TEST-CLOUD-QE3
 * Found service principal in keytab: host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Found host qualified name in keytab: host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Found service principal in keytab: RestrictedKrbHost/TEST-CLOUD-QE3
 * Found service principal in keytab: RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Using fully qualified name: test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Using domain name: sssdad2012r2.com
 * Calculated computer account name from fqdn: TEST-CLOUD-QE3
 * Using domain realm: sssdad2012r2.com
 * Sending netlogon pings to domain controller: ldap://[2620:52:0:83f:5cc:7b0a:c313:8c37]
 * Sending netlogon pings to domain controller: cldap://10.8.63.40
 * Received NetLogon info from: bsod2.sssdad2012r2.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-bgY5ed/krb5.d/adcli-krb5-conf-7lDPSN
 * Authenticated as default/reset computer account: TEST-CLOUD-QE3
 * Looked up short domain name: SSSDAD2012R2
 * Using fully qualified name: test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Using domain name: sssdad2012r2.com
 * Using computer account name: TEST-CLOUD-QE3
 * Using domain realm: sssdad2012r2.com
 * Using fully qualified name: test-cloud-qe3.idmqe.lab.eng.bos.redhat.com
 * Enrolling computer name: TEST-CLOUD-QE3
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for TEST-CLOUD-QE3$ at: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com
 * Retrieved kvno '2' for computer account in directory: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com
 * Changed computer password
 * kvno incremented to 3
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com: Insufficient access
 * Updated existing computer account: CN=TEST-CLOUD-QE3,CN=Computers,DC=sssdad2012r2,DC=com
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-CLOUD-QE3$@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-CLOUD-QE3@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM: FILE:/etc/krb5.keytab
---adcli output end---
(Fri Aug 19 02:39:47 2016) [sssd[be[sssdad2012r2.com]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully

[root@test-cloud-qe3 ~]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   2 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   3 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   3 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   3 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   3 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   3 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
   3 RestrictedKrbHost/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
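A small check for the state the reproduction steps end in, added here as an example and not part of the bug report or of sssd/adcli: it parses `klist -k` text, groups keytab entries by principal, and reports which principals lack the kvno that the renewal should have produced and which still carry older kvnos. The listing embedded below is constructed for this example (it uses the principal names from the report but is not the output above).

```python
"""Parse `klist -k` output and check a machine-account password renewal.

Added example, not code from the bug report. After adcli renews the
computer password the keytab should hold the new kvno for every
principal; entries for older kvnos may also still be present, so both
conditions are reported. The sample listing is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: one principal (RestrictedKrbHost/TEST-CLOUD-QE3)
# deliberately never received kvno 3, to exercise the "missing" check.
KLIST_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   2 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   2 RestrictedKrbHost/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 TEST-CLOUD-QE3$@SSSDAD2012R2.COM
   3 host/TEST-CLOUD-QE3@SSSDAD2012R2.COM
   3 host/test-cloud-qe3.idmqe.lab.eng.bos.redhat.com@SSSDAD2012R2.COM
"""

# One keytab entry per line: a kvno, whitespace, a principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: number_of_entries}} from klist -k text."""
    kvnos = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the 'Keytab name', header and separator lines do not match
            kvnos[m.group(2)][int(m.group(1))] += 1
    return {p: dict(v) for p, v in kvnos.items()}


def check_renewal(text, expected_kvno):
    """Principals missing expected_kvno, and older kvnos still kept."""
    parsed = parse_klist(text)
    missing = sorted(p for p, v in parsed.items() if expected_kvno not in v)
    stale = {p: sorted(k for k in v if k < expected_kvno)
             for p, v in parsed.items()
             if any(k < expected_kvno for k in v)}
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    # kvno incremented to 3 in the renewal above, so that is what we expect
    print(check_renewal(KLIST_SAMPLE, 3))
```

Run it against a live host with `klist -k /etc/krb5.keytab | python3 check.py` after replacing the constant with `sys.stdin.read()`.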
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html