Bug 1475322 - Suggested realm command to join AD with a specific user doesn't work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Windows_Integration_Guide
Version: 7.3
Hardware: Unspecified
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Filip Hanzelka
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-26 12:38 UTC by Benjamin Bellec
Modified: 2019-03-06 02:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-06 09:33:16 UTC
Target Upstream Version:
Embargoed:



Description Benjamin Bellec 2017-07-26 12:38:09 UTC
Description of problem:
The problem lies in the part "3.4. Discovering and Joining Identity Domains", and sub-part "Joining a Domain".

The example command to join the AD with a specific user is:
# realm join ad.example.com -U 'AD.EXAMPLE.COM\user'

In my case, if I specify explicitly the 'AD.EXAMPLE.COM' domain, it doesn't work.
I have to leave the login alone like this:
# realm join ad.example.com -U 'user'


Version-Release number of selected component (if applicable):
Revision 7.0-31

How reproducible:
Clean CentOS 7.3 installation.
Kerberos not (yet) configured on the client machine trying to join the AD.

Steps to Reproduce:
1. Execute: realm join MYDOMAIN.LOCAL -U 'MYDOMAIN.LOCAL\administrator'
2.
3.

Actual results:
Command output is:
Password for MYDOMAIN.LOCAL\administrator:
See: journalctl REALMD_OPERATION=r9449.17528
realm: Couldn't join realm: Extracting host keytab failed

The "journalctl REALMD_OPERATION=r9449.17528" command says:
juil. 26 12:02:35 samba realmd[17519]:  * Resolving: _ldap._tcp.mydomain.local
juil. 26 12:02:35 samba realmd[17519]:  * Performing LDAP DSE lookup on: 192.168.1.7
juil. 26 12:02:35 samba realmd[17519]:  * Performing LDAP DSE lookup on: 192.168.1.2
juil. 26 12:02:35 samba realmd[17519]:  * Successfully discovered: MYDOMAIN.local
juil. 26 12:02:37 samba realmd[17519]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
juil. 26 12:02:37 samba realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads join MYDOMAIN.local
juil. 26 12:02:38 samba realmd[17519]: Enter MYDOMAIN\administrator's password:DNS update failed: NT_STATUS_INVALID_PARAMETER
juil. 26 12:02:38 samba realmd[17519]:
juil. 26 12:02:38 samba realmd[17519]: Using short domain name -- MYDOMAIN
juil. 26 12:02:38 samba realmd[17519]: Joined 'SAMBA' to dns domain 'MYDOMAIN.local'
juil. 26 12:02:38 samba realmd[17519]: No DNS domain configured for samba. Unable to perform DNS Update.
juil. 26 12:02:38 samba realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads keytab create
juil. 26 12:02:38 samba realmd[17519]: Enter MYDOMAIN\administrator's password:kerberos_kinit_password MYDOMAIN\administrator failed: Client not found in Kerberos database
juil. 26 12:02:38 samba realmd[17519]: kerberos_kinit_password MYDOMAIN\administrator failed: Client not found in Kerberos database
juil. 26 12:02:38 samba realmd[17519]:
juil. 26 12:02:38 samba realmd[17519]:  ! Extracting host keytab failed

As you can see, kinit tries to use the login "MYDOMAIN\administrator", which I think is wrong.

After this command ends, the client machine is visible in the AD computers list, but the DNS record has not been set.
On the client machine, it looks like nothing has been set up (krb5.conf hasn't changed, nor smb.conf, nor sssd.conf). And "realm list" outputs nothing.

I removed the machine from the AD computer list, and retried with the command:
# realm join MYDOMAIN.LOCAL -U 'administrator'

And this one works perfectly.


Expected results:


Additional info:
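
Added example (not part of the original report and not realmd or Samba code): a small triage script that reads the realmd journal lines for one join operation and flags the two conditions the report describes, a computer account created in AD with no keytab on the client, and a kinit failure for a DOMAIN\user login. The sample lines are constructed from the log above; the function names and result keys are hypothetical.

```python
import re

# Constructed sample: realmd journal lines abridged from the report (timestamps dropped).
SAMPLE = r"""
realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads join MYDOMAIN.local
realmd[17519]: Joined 'SAMBA' to dns domain 'MYDOMAIN.local'
realmd[17519]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.QN4S3Y -U MYDOMAIN\administrator ads keytab create
realmd[17519]: kerberos_kinit_password MYDOMAIN\administrator failed: Client not found in Kerberos database
realmd[17519]:  ! Extracting host keytab failed
"""

NET_CMD = re.compile(r"/usr/bin/net\b.*?-U (\S+) ads (join|keytab create)")
JOINED = re.compile(r"Joined '([^']+)' to dns domain '([^']+)'")
KINIT_FAIL = re.compile(r"kerberos_kinit_password (\S+) failed: (.+)$")

def triage(journal_text):
    """Summarise one realmd join operation from its journal lines."""
    r = {"users": set(), "joined": None, "kinit_errors": [],
         "keytab_failed": False}
    for line in journal_text.splitlines():
        if m := NET_CMD.search(line):
            r["users"].add(m.group(1))
        if m := JOINED.search(line):
            r["joined"] = (m.group(1), m.group(2))
        if m := KINIT_FAIL.search(line):
            r["kinit_errors"].append((m.group(1), m.group(2).strip()))
        if "Extracting host keytab failed" in line:
            r["keytab_failed"] = True
    # Down-level form: the -U value contains a backslash (DOMAIN\user).
    r["downlevel_user"] = any("\\" in u for u in r["users"])
    # Partial join: account created in AD but no keytab on the client.
    r["partial_join"] = r["joined"] is not None and r["keytab_failed"]
    return r

def findings(r):
    out = []
    if r["partial_join"]:
        host, dom = r["joined"]
        out.append(f"computer account '{host}' exists in {dom} but the client "
                   "has no keytab: remove the account before retrying")
    if r["downlevel_user"] and any("Client not found" in e
                                   for _, e in r["kinit_errors"]):
        out.append("kinit rejected a DOMAIN\\user principal: retry with the "
                   "bare login, as the reporter did")
    return out

if __name__ == "__main__":
    for f in findings(triage(SAMPLE)):
        print("-", f)
```

On a live system the input would be the output of the journalctl REALMD_OPERATION=... command that realm prints on failure.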

