1370457 – Make sure samba membership-software can use manually set NetBIOS name during 'realm leave --remove'

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1370457 - Make sure samba membership-software can use manually set NetBIOS name during 'realm leave --remove'

Summary: Make sure samba membership-software can use manually set NetBIOS name during ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	realmd
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Sumit Bose
QA Contact:	Patrik Kis
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:	1550132
TreeView+	depends on / blocked

Reported:	2016-08-26 11:30 UTC by Sumit Bose
Modified:	2018-10-30 11:02 UTC (History)
CC List:	7 users (show)
Fixed In Version:	realmd-0.16.1-11.el7
Doc Type:	Known Issue
Doc Text:	_realmd_ fails to remove the computer account from AD Red Hat Enterprise Linux uses Samba as default back end for Active Directory (AD) domain memberships. In this case, if you manually set a computer name using the "--computer-name" option with the "realm join" command, the account cannot be removed from AD when you leave the domain. To work around this problem, do not use the "--computer-name" option and instead add the computer name to the `/etc/realmd.conf` file. For example: [domain.example.com] computer-name = host_name With the workaround, the host is successfully joined to the domain and the account is automatically removed if you leave the domain using the "realm leave --remove" command.
Clone Of:
Environment:
Last Closed:	2018-10-30 11:02:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3190	0	None	None	None	2018-10-30 11:02:11 UTC

Description Sumit Bose 2016-08-26 11:30:27 UTC

Description of problem:

Currently when using the Samba membership software (default with RHEL) a manually set computer name (NetBIOS name) which differs from the first part of the DNS hostname must be added to /etc/realmd.conf to be able to remove the host entry properly in AD while leaving the domain. See comments #10 and #11 in https://bugzilla.redhat.com/show_bug.cgi?id=1293390 for details.

It would be nice if realmd can determine the right name by parsing /etc/krb5.keytab and providing it to the Samba mebership software.

Comment 12 Sudhir Menon 2018-09-04 05:51:26 UTC

Tested on Red Hat Enterprise Linux Client release 7.6 Beta (Maipo) using realmd-0.16.1-11.el7.x86_64 and Windows 2016 AD enviornment.


====Scenario1 (hostname with more than 15 characters====
[root@ipaclientfin03454 #]hostname
ipaclientfin03454.ipaad2016.test

[root@ipaclientfin03454 log]# realm -v join --user=administrator --client-software=sssd --membership-software=samba idm-qe-ipa-ci1.ipaad2016.test 
 * Resolving: _ldap._tcp.idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: idm-qe-ipa-ci1.ipaad2016.test
 * Performing LDAP DSE lookup on: 
 * Successfully discovered: ipaad2016.test
Password for administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * Joining using a truncated netbios name: IPACLIENTFIN034
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.4AFPOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads join ipaad2016.test
Enter administrator's password: 
DNS update failed: NT_STATUS_INVALID_PARAMETER

Using short domain name -- IPAAD2016
Joined 'IPACLIENTFIN034' to dns domain 'ipaad2016.test'
No DNS domain configured for ipaclientfin034. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.4AFPOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads keytab create
Enter administrator's password:Secret123

 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm


[root@ipaclientfin03454 log]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=ipaclientfin034,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
dn: CN=IPACLIENTFIN034,CN=Computers,DC=ipaad2016,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: IPACLIENTFIN034
distinguishedName: CN=IPACLIENTFIN034,CN=Computers,DC=ipaad2016,DC=test
instanceType: 4
whenCreated: 20180903122842.0Z
whenChanged: 20180903122853.0Z
uSNCreated: 406778
uSNChanged: 406784
name: IPACLIENTFIN034
objectGUID:: AdbnXpi+wkirzjAN0nRtoA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131804513677918269
localPolicyFlags: 0
pwdLastSet: 131804513243582646
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANxZ3MMMmdt5x1jFfBSMAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: IPACLIENTFIN034$
sAMAccountType: 805306369
dNSHostName: ipaclientfin034.ipaad2016.test
servicePrincipalName: HOST/ipaclientfin034.ipaad2016.test
servicePrincipalName: HOST/IPACLIENTFIN034
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ipaad2016,DC=test
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131804513334025471
msDS-SupportedEncryptionTypes: 31


[root@ipaclientfin03454 log]# realm -v leave --remove --user=administrator
Password for administrator: 
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SC6EOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads leave
Enter administrator's password:***

Deleted account for 'IPACLIENTFIN034' in realm 'IPAAD2016.TEST'
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
No cache object matched the specified search
 ! Flushing the sssd cache failed
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
 * /usr/bin/systemctl stop sssd.service
 * Successfully unenrolled machine from realm


[root@ipaclientfin03454 log]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=ipaclientfin03454,CN=Computers,dc=ad,dc=ipaad2016,dc=test -s sub '*'
No such object (32)
Matched DN: DC=ipaad2016,DC=test
Additional information: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=ipaad2016,DC=test'

[root@ipaclientfin03454 log]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=ipaclientfin034,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
No such object (32)
Matched DN: CN=Computers,DC=ipaad2016,DC=test
Additional information: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=Computers,DC=ipaad2016,DC=test'

==== Scenario2 using computer-name option ===
[root@ipaclientfin03454 ~]# realm -v join --user=administrator --client-software=sssd --membership-software=samba --computer-name=bz1370457 idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: _ldap._tcp.idm-qe-ipa-ci1.ipaad2016.test
 * Resolving: idm-qe-ipa-ci1.ipaad2016.test
 * Performing LDAP DSE lookup on: 
 * Successfully discovered: ipaad2016.test
Password for administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * Joining using a manual netbios name: bz1370457
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.PFGKOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads join ipaad2016.test
Enter administrator's password:
DNS update failed: NT_STATUS_INVALID_PARAMETER

Using short domain name -- IPAAD2016
Joined 'BZ1370457' to dns domain 'ipaad2016.test'
No DNS domain configured for bz1370457. Unable to perform DNS Update.
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.PFGKOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads keytab create
Enter administrator's password:

 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm


[root@ipaclientfin03454 ~]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=bz1370457,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
dn: CN=BZ1370457,CN=Computers,DC=ipaad2016,DC=test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: BZ1370457
distinguishedName: CN=BZ1370457,CN=Computers,DC=ipaad2016,DC=test
instanceType: 4
whenCreated: 20180903140130.0Z
whenChanged: 20180903140145.0Z
uSNCreated: 407280
uSNChanged: 407286
name: BZ1370457
objectGUID:: va0OlMKNyECZlJIFUCVACg==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131804569406673518
localPolicyFlags: 0
pwdLastSet: 131804568920262681
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANxZ3MMMmdt5x1jFfGiMAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: BZ1370457$
sAMAccountType: 805306369
dNSHostName: bz1370457.ipaad2016.test
servicePrincipalName: HOST/bz1370457.ipaad2016.test
servicePrincipalName: HOST/BZ1370457
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ipaad2016,DC=test
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131804569058866207
msDS-SupportedEncryptionTypes: 31

[root@ipaclientfin03454 ~]# realm -v leave --remove --user=administrator
Password for administrator: 
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.XYMBOZ -S idm-qe-ipa-ci1.ipaad2016.test -U administrator ads leave
Enter administrator's password:

Deleted account for 'BZ1370457' in realm 'IPAAD2016.TEST'
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
No cache object matched the specified search
 ! Flushing the sssd cache failed
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
 * /usr/bin/systemctl stop sssd.service
 * Successfully unenrolled machine from realm

[root@ipaclientfin03454 ~]# ldapsearch -x -LLL -H ldap://idm-qe.ipaad2016.test -w '***' -D administrator -b CN=bz1370457,CN=Computers,dc=ipaad2016,dc=test -s sub '*'
No such object (32)
Matched DN: CN=Computers,DC=ipaad2016,DC=test
Additional information: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
	'CN=Computers,DC=ipaad2016,DC=test'

Comment 14 errata-xmlrpc 2018-10-30 11:02:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3190

Note You need to log in before you can comment on or make changes to this bug.