Any updates here?
Upstream:
- https://gitlab.freedesktop.org/realmd/adcli/-/commit/beb7abfacc0010987d2cd8ab70f7c373d309eed9

Additionally there is https://bugzilla.redhat.com/show_bug.cgi?id=1852080 to document required permissions in the adcli man page.
Tested with

]# rpm -q adcli
adcli-0.8.2-8.el8.x86_64

:: [ 03:06:07 ] :: [ PASS ] :: Command 'echo nameserver\ 10.37.152.14 > /etc/resolv.conf' (Expected 0, got 0)
:: [ 03:06:07 ] :: [ BEGIN ] :: Running 'echo -n weareawesome2012! | LANG=C adcli preset-computer --verbose --stdin-password --domain-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe --domain=ad.baseos.qe ci-vm-10-0-138-.ad.baseos.qe'
 * Using domain name: ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Calculated domain realm from name: AD.BASEOS.QE
 * Discovering domain controllers: _ldap._tcp.ad.baseos.qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-2fidwG/krb5.d/adcli-krb5-conf-HQgTw8
 * Authenticated as user: Administrator@AD.BASEOS.QE
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238
 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Using default reset computer password
 * A computer account for CI-VM-10-0-138-$ does not exist
 ! Couldn't find a computer container in the ou, creating computer account directly in: OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Calculated computer account: CN=CI-VM-10-0-138-,OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=CI-VM-10-0-138-,OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Set computer password
 * Checking RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe
 * Added RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe
 * Checking RestrictedKrbHost/CI-VM-10-0-138-
 * Added RestrictedKrbHost/CI-VM-10-0-138-
 * Checking host/ci-vm-10-0-138-.ad.baseos.qe
 * Added host/ci-vm-10-0-138-.ad.baseos.qe
 * Checking host/CI-VM-10-0-138-
 * Added host/CI-VM-10-0-138-
computer-name: CI-VM-10-0-138-
:: [ 03:06:13 ] :: [ PASS ] :: Command 'echo -n weareawesome2012! | LANG=C adcli preset-computer --verbose --stdin-password --domain-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe --domain=ad.baseos.qe ci-vm-10-0-138-.ad.baseos.qe' (Expected 0, got 0)

]# cat new.ldif
dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
changetype: modify
delete:dNSHostName
-
delete:servicePrincipalName
-

]# ldapmodify -x -h sec-ad1.ad.baseos.qe -f ./new.ldif -D 'Administrator@ad.baseos.qe' -w 'weareawesome2012!'
modifying entry "CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe"

[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# ldapsearch -x -h sec-ad1.ad.baseos.qe -D 'Administrator@ad.baseos.qe' -b "OU=delegated-ou,dc=ad,dc=baseos,dc=qe" -w "weareawesome2012!" "cn=CI-VM-10-0-138-" >lds
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# cat lds
# extended LDIF
#
# LDAPv3
# base <OU=delegated-ou,dc=ad,dc=baseos,dc=qe> with scope subtree
# filter: cn=CI-VM-10-0-138-
# requesting: ALL
#

# CI-VM-10-0-138-, delegated-OU, ad.baseos.qe
dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: CI-VM-10-0-138-
distinguishedName: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
instanceType: 4
whenCreated: 20201203080611.0Z
whenChanged: 20201203125608.0Z
uSNCreated: 1041257
uSNChanged: 1041314
name: CI-VM-10-0-138-
objectGUID:: ORIE/Zj8cUuoCKOgwo+0rA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 132514563730510065
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAYSJ+6SWSKv/WObRhGIUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: CI-VM-10-0-138-$
sAMAccountType: 805306369
operatingSystem: redhat-linux-gnu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=baseos,DC=qe
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
msDS-SupportedEncryptionTypes: 24

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# egrep -ir 'servicePrincipalName' lds
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]#
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# egrep -ir 'dNSHostName' lds
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# realm join ad.baseos.qe --verbose --user=amitk1@AD.BASEOS.QE --computer-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Resolving: _ldap._tcp.ad.baseos.qe
 * Performing LDAP DSE lookup on: 10.37.152.14
 * Performing LDAP DSE lookup on: 2620:52:0:2598:216:3eff:fe00:1c1
 * Successfully discovered: ad.baseos.qe
Password for amitk1@AD.BASEOS.QE:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.37.152.14 --computer-ou OU=delegated-ou,dc=ad,dc=baseos,dc=qe --login-type user --login-user amitk1@AD.BASEOS.QE --stdin-password
 * Using domain name: ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OIENGM/krb5.d/adcli-krb5-conf-yYI2I5
 * Authenticated as user: amitk1@AD.BASEOS.QE
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238
 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for CI-VM-10-0-138-$ at: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
 * Modifying computer account: dNSHostName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CI-VM-10-0-138-$@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/CI-VM-10-0-138-@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ci-vm-10-0-138-.ad.baseos.qe@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/CI-VM-10-0-138-@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2020-12-03-13-03-33.3QxbdT
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm

Marking verified.
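A way to check, before delegating a join, which of the attributes the join above had to write (dNSHostName and the host/ and RestrictedKrbHost/ SPNs seen in the preset-computer output) are still missing from a pre-created computer object, so the delegated account is granted write access only where it is needed. This is an added example, not adcli's or the reporter's code; the LDIF, hostname and domain below are constructed placeholders in the layout ldapsearch prints.

```python
import base64
import re

# Constructed LDIF in the layout ldapsearch prints; hostname/domain are placeholders.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=EXAMPLE-HOST,OU=delegated-ou,DC=example,DC=test
cn: EXAMPLE-HOST
sAMAccountName: EXAMPLE-HOST$
objectGUID:: ZXhhbXBsZS1ndWlk
servicePrincipalName: host/EXAMPLE-HOST
"""


def parse_ldif_entry(text):
    """Parse one ldapsearch LDIF entry into {attribute_lowercase: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue  # comment or separator line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long values onto indented lines
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":  # '::' marks a base64-encoded value (objectGUID, objectSid, ...)
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def expected_join_attributes(fqdn):
    """dNSHostName plus host/ and RestrictedKrbHost/ SPNs for the FQDN and upper-case short name."""
    short = fqdn.split(".")[0].upper()
    spns = {f"{svc}/{name}" for svc in ("host", "RestrictedKrbHost") for name in (fqdn, short)}
    return {"dnshostname": {fqdn}, "serviceprincipalname": spns}


def attributes_to_write(entry, fqdn):
    """Return {attribute: missing values} a join would still write; {} means nothing to write."""
    todo = {}
    for attr, wanted in expected_join_attributes(fqdn).items():
        present = {v.lower() for v in entry.get(attr, [])}  # AD compares these case-insensitively
        missing = {v for v in wanted if v.lower() not in present}
        if missing:
            todo[attr] = missing
    return todo
```

Run it against the real `lds` file from the test above to see which attributes the delegated user still needs permission to write.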