Bug 1475322 - Suggested realm command to join AD with a specific user doesn't work
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Windows_Integration_Guide
Version: 7.3
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Filip Hanzelka
QA Contact: ipa-qe
Keywords: Documentation, EasyFix
Depends On:
Blocks:
Reported: 2017-07-26 08:38 EDT by Benjamin Bellec
Modified: 2017-11-06 04:33 EST (History)
4 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-06 04:33:16 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Benjamin Bellec 2017-07-26 08:38:09 EDT
Description of problem:
The problem lies in the part "3.4. Discovering and Joining Identity Domains", sub-part "Joining a Domain".

The example command to join the AD with a specific user is:
# realm join ad.example.com -U 'AD.EXAMPLE.COM\user'

In my case, if I explicitly specify the 'AD.EXAMPLE.COM' domain, it doesn't work.
I have to leave the login on its own, like this:
# realm join ad.example.com -U 'user'


Version-Release number of selected component (if applicable):
Revision 7.0-31

How reproducible:
Clean CentOS 7.3 installation.
Kerberos not (yet) configured on the client machine trying to join the AD.

Steps to Reproduce:
1. Execute: realm join MYDOMAIN.LOCAL -U 'MYDOMAIN.LOCAL\administrator'
2.
3.

Actual results:
Command output is:
Password for MYDOMAIN.LOCAL\administrator:
See: journalctl REALMD_OPERATION=r9449.17528
realm: Couldn't join realm: Extracting host keytab failed

The "journalctl REALMD_OPERATION=r9449.17528" command says:
Jul 26 12:02:35 samba realmd[17519]:  * Resolving: _ldap._tcp.mydomain.local
Jul 26 12:02:35 samba realmd[17519]:  * Performing LDAP DSE lookup on: 192.168.1.7
Jul 26 12:02:35 samba realmd[17519]:  * Performing LDAP DSE lookup on: 192.168.1.2
Jul 26 12:02:35 samba realmd[17519]:  * Successfully discovered: MYDOMAIN.local
Jul 26 12:02:37 samba realmd[17519]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jul 26 12:02:37 samba realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads join MYDOMAIN.local
Jul 26 12:02:38 samba realmd[17519]: Enter MYDOMAIN\administrator's password:DNS update failed: NT_STATUS_INVALID_PARAMETER
Jul 26 12:02:38 samba realmd[17519]:
Jul 26 12:02:38 samba realmd[17519]: Using short domain name -- MYDOMAIN
Jul 26 12:02:38 samba realmd[17519]: Joined 'SAMBA' to dns domain 'MYDOMAIN.local'
Jul 26 12:02:38 samba realmd[17519]: No DNS domain configured for samba. Unable to perform DNS Update.
Jul 26 12:02:38 samba realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads keytab create
Jul 26 12:02:38 samba realmd[17519]: Enter MYDOMAIN\administrator's password:kerberos_kinit_password MYDOMAIN\administrator@MYDOMAIN.LOCAL failed: Client not found in Kerberos database
Jul 26 12:02:38 samba realmd[17519]: kerberos_kinit_password MYDOMAIN\administrator@MYDOMAIN.LOCAL failed: Client not found in Kerberos database
Jul 26 12:02:38 samba realmd[17519]:
Jul 26 12:02:38 samba realmd[17519]:  ! Extracting host keytab failed

As you can see, kinit tries to use the login "MYDOMAIN\administrator@MYDOMAIN.LOCAL", which I think is wrong.

After this command ends, the client machine is visible in the AD computers list, but the DNS record has not been set.
On the client machine, it looks like nothing has been set up (krb5.conf hasn't changed, nor smb.conf, nor sssd.conf), and "realm list" outputs nothing.

I removed the machine from the AD computer list and re-tried with the command:
# realm join MYDOMAIN.LOCAL -U 'administrator'

And this one works perfectly.


Expected results:


Additional info:

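The report shows realmd passing the `-U` value through to `net ads` unchanged, so a `DOMAIN\user` spec ends up as the principal `MYDOMAIN\administrator@MYDOMAIN.LOCAL`, while a bare `administrator` joins cleanly. The following POSIX shell wrapper is an added example, not code from the bug report, from realmd or from the Windows Integration Guide: it reduces a `DOMAIN\user` or `user@REALM` spec to the bare account name before building the `realm join` command, and warns when the domain in the spec does not match the join target. The function names and the warning text are assumptions of this example; `realm join <domain> -U <user>` is the documented invocation.

```sh
#!/bin/sh
# Added example (not part of the bug report or of realmd): normalise the
# account passed to `realm join -U` so the join uses the bare user name,
# which is the form the reporter found to work.

# Print the bare account name from a spec of the form
#   user, DOMAIN\user, or user@REALM
join_user_name() {
    spec=$1
    case "$spec" in
        *\\*) user=${spec##*\\} ;;   # DOMAIN\user -> user
        *@*)  user=${spec%%@*} ;;    # user@REALM  -> user
        *)    user=$spec ;;
    esac
    printf '%s\n' "$user"
}

# Print the domain part of the spec, uppercased; print nothing for a bare user.
join_user_domain() {
    spec=$1
    case "$spec" in
        *\\*) dom=${spec%%\\*} ;;    # DOMAIN\user -> DOMAIN
        *@*)  dom=${spec#*@} ;;      # user@REALM  -> REALM
        *)    dom= ;;
    esac
    printf '%s\n' "$dom" | tr '[:lower:]' '[:upper:]'
}

# Print the realm join command using only the bare account name.
# Usage: build_realm_join <realm> <user-spec>
build_realm_join() {
    realm=$1
    spec=$2
    user=$(join_user_name "$spec")
    dom=$(join_user_domain "$spec")
    if [ -n "$dom" ]; then
        # A prefix naming a different domain than the join target is almost
        # certainly a mistake; say so, but still emit the bare-user command.
        upper_realm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
        if [ "$dom" != "$upper_realm" ]; then
            printf 'warning: user domain %s does not match join target %s\n' \
                "$dom" "$upper_realm" >&2
        fi
    fi
    printf 'realm join %s -U %s\n' "$realm" "$user"
}

# Stand-alone usage: ./join-wrapper.sh ad.example.com 'AD.EXAMPLE.COM\user'
if [ $# -ge 2 ]; then
    build_realm_join "$1" "$2"
fi
```

Run with the realm and the user spec you would otherwise have typed; the printed command is the one to execute (realm still prompts for the password). The wrapper only rewrites the `-U` argument, so it does not alter what realmd discovers or which `net` commands it runs.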