Bug 1734764 - Cannot join a pre-staged Computer Account on AD in Custom OU using Delegated user
Summary: Cannot join a pre-staged Computer Account on AD in Custom OU using Delegated user
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: adcli
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Sumit Bose
QA Contact: shridhar
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2019-07-31 11:38 UTC by amitkuma
Modified: 2020-12-08 19:48 UTC
CC List: 6 users

Fixed In Version: adcli-0.8.2-8.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:



Comment 3 amitkuma 2019-10-08 12:25:26 UTC
Any updates here?

Comment 4 Abhijit Roy 2019-11-12 22:16:49 UTC
Any updates here?

Comment 10 Sumit Bose 2020-10-20 12:07:02 UTC
Upstream:
 - https://gitlab.freedesktop.org/realmd/adcli/-/commit/beb7abfacc0010987d2cd8ab70f7c373d309eed9

Additionally there is https://bugzilla.redhat.com/show_bug.cgi?id=1852080 to document required permissions in the adcli man page.

Comment 17 shridhar 2020-12-03 13:30:35 UTC
Tested with 
]# rpm -q adcli
adcli-0.8.2-8.el8.x86_64

:: [ 03:06:07 ] :: [   PASS   ] :: Command 'echo nameserver\ 10.37.152.14 > /etc/resolv.conf' (Expected 0, got 0)
:: [ 03:06:07 ] :: [  BEGIN   ] :: Running 'echo -n weareawesome2012! | LANG=C adcli preset-computer --verbose --stdin-password --domain-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe --domain=ad.baseos.qe ci-vm-10-0-138-.ad.baseos.qe'
 * Using domain name: ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Calculated domain realm from name: AD.BASEOS.QE
 * Discovering domain controllers: _ldap._tcp.ad.baseos.qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-2fidwG/krb5.d/adcli-krb5-conf-HQgTw8
 * Authenticated as user: Administrator@AD.BASEOS.QE
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238
 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Using default reset computer password
 * A computer account for CI-VM-10-0-138-$ does not exist
 ! Couldn't find a computer container in the ou, creating computer account directly in: OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Calculated computer account: CN=CI-VM-10-0-138-,OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=CI-VM-10-0-138-,OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Sending NetLogon ping to domain controller: sec-ad1.ad.baseos.qe
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Set computer password
 * Checking RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe
 *    Added RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe
 * Checking RestrictedKrbHost/CI-VM-10-0-138-
 *    Added RestrictedKrbHost/CI-VM-10-0-138-
 * Checking host/ci-vm-10-0-138-.ad.baseos.qe
 *    Added host/ci-vm-10-0-138-.ad.baseos.qe
 * Checking host/CI-VM-10-0-138-
 *    Added host/CI-VM-10-0-138-
computer-name: CI-VM-10-0-138-
:: [ 03:06:13 ] :: [   PASS   ] :: Command 'echo -n weareawesome2012! | LANG=C adcli preset-computer --verbose --stdin-password --domain-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe --domain=ad.baseos.qe ci-vm-10-0-138-.ad.baseos.qe' (Expected 0, got 0)


]# cat new.ldif 
dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
changetype: modify
delete:dNSHostName
-
delete:servicePrincipalName
-


]# ldapmodify -x -h sec-ad1.ad.baseos.qe -f ./new.ldif -D 'Administrator@ad.baseos.qe' -w 'weareawesome2012!'
modifying entry "CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe"


[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# ldapsearch -x -h sec-ad1.ad.baseos.qe -D 'Administrator@ad.baseos.qe' -b "OU=delegated-ou,dc=ad,dc=baseos,dc=qe" -w "weareawesome2012!" "cn=CI-VM-10-0-138-" >lds
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# cat lds 
# extended LDIF
#
# LDAPv3
# base <OU=delegated-ou,dc=ad,dc=baseos,dc=qe> with scope subtree
# filter: cn=CI-VM-10-0-138-
# requesting: ALL
#

# CI-VM-10-0-138-, delegated-OU, ad.baseos.qe
dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: CI-VM-10-0-138-
distinguishedName: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
instanceType: 4
whenCreated: 20201203080611.0Z
whenChanged: 20201203125608.0Z
uSNCreated: 1041257
uSNChanged: 1041314
name: CI-VM-10-0-138-
objectGUID:: ORIE/Zj8cUuoCKOgwo+0rA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 132514563730510065
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAYSJ+6SWSKv/WObRhGIUAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: CI-VM-10-0-138-$
sAMAccountType: 805306369
operatingSystem: redhat-linux-gnu
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=baseos,DC=qe
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
msDS-SupportedEncryptionTypes: 24

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# egrep -ir 'servicePrincipalName' lds 
[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# 

[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# egrep -ir 'dNSHostName' lds 

[root@ci-vm-10-0-138- tmp.gJzcmvqIz6]# realm join ad.baseos.qe --verbose --user=amitk1@AD.BASEOS.QE --computer-ou=OU=delegated-ou,dc=ad,dc=baseos,dc=qe
 * Resolving: _ldap._tcp.ad.baseos.qe
 * Performing LDAP DSE lookup on: 10.37.152.14
 * Performing LDAP DSE lookup on: 2620:52:0:2598:216:3eff:fe00:1c1
 * Successfully discovered: ad.baseos.qe
Password for amitk1@AD.BASEOS.QE: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.37.152.14 --computer-ou OU=delegated-ou,dc=ad,dc=baseos,dc=qe --login-type user --login-user amitk1@AD.BASEOS.QE --stdin-password
 * Using domain name: ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OIENGM/krb5.d/adcli-krb5-conf-yYI2I5
 * Authenticated as user: amitk1@AD.BASEOS.QE
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238
 * Using fully qualified name: ci-vm-10-0-138-.ad.baseos.qe
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Calculated computer account name from fqdn: CI-VM-10-0-138-
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for CI-VM-10-0-138-$ at: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
 * Modifying computer account: dNSHostName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CI-VM-10-0-138-$@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/CI-VM-10-0-138-@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ci-vm-10-0-138-.ad.baseos.qe@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/CI-VM-10-0-138-@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ci-vm-10-0-138-.ad.baseos.qe@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2020-12-03-13-03-33.3QxbdT
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm


Marking verified.
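The verification step in the comment above (strip dNSHostName and servicePrincipalName from the pre-staged object, then confirm with ldapsearch that both are gone before the delegated join) is done by eye with egrep. The script below is an added example, not code from adcli, realmd or the reporter: it parses the ldapsearch LDIF for the computer object, decodes objectSid into S-1-... form and checks it belongs to the domain SID adcli printed in the log, decodes userAccountControl (69632 = WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD) and the msDS-SupportedEncryptionTypes bitmask (24 = AES128 | AES256, which is why adcli reported Kerberos enctypes 16, 23, 3 and 1 as not permitted), and confirms the two attributes the join must write are absent. The embedded LDIF is constructed from the attributes shown in the comment; the bit and group-ID constants are Microsoft's documented values for those attributes.

```python
import base64
import struct

# Constructed sample (not captured from a live DC): the attributes of the
# pre-staged account from the ldapsearch output in this comment, after
# dNSHostName and servicePrincipalName were removed with ldapmodify.
SAMPLE_LDIF = """\
dn: CN=CI-VM-10-0-138-,OU=delegated-OU,DC=ad,DC=baseos,DC=qe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: CI-VM-10-0-138-
userAccountControl: 69632
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAYSJ+6SWSKv/WObRhGIUAAA==
sAMAccountName: CI-VM-10-0-138-$
sAMAccountType: 805306369
msDS-SupportedEncryptionTypes: 24
"""

# userAccountControl bits that matter for a computer object.
UAC_ACCOUNTDISABLE = 0x0002
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# msDS-SupportedEncryptionTypes is a bitmask; these are NOT the Kerberos
# enctype numbers adcli prints ("Encryption type [23] not permitted").
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK_ENCTYPE_BITS = 0x01 | 0x02 | 0x04
PRIMARY_GROUP_DOMAIN_COMPUTERS = "515"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (handles '::' base64
    values, folded continuation lines and '#' comments, as ldapsearch emits)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # base64-encoded value
            attrs.setdefault(name, []).append(base64.b64decode(value[1:].strip()))
        else:
            attrs.setdefault(name, []).append(value.strip())
    return attrs


def decode_sid(blob):
    """Convert a binary SID (objectSid) to its S-1-... string form."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:8 + 4 * sub_count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def check_prestaged_computer(ldif_text, expected_domain_sid):
    """Report the properties a delegated 'adcli join' of this account relies on."""
    e = parse_ldif_entry(ldif_text)
    uac = int(e["userAccountControl"][0])
    enc = int(e.get("msDS-SupportedEncryptionTypes", ["0"])[0])
    sid = decode_sid(e["objectSid"][0])
    domain_sid, rid = sid.rsplit("-", 1)
    return {
        "dn": e["dn"][0],
        "sam": e["sAMAccountName"][0],
        "is_computer": "computer" in e["objectClass"],
        "workstation_trust": bool(uac & UAC_WORKSTATION_TRUST_ACCOUNT),
        "password_never_expires": bool(uac & UAC_DONT_EXPIRE_PASSWORD),
        "disabled": bool(uac & UAC_ACCOUNTDISABLE),
        "domain_computers_group": e["primaryGroupID"][0] == PRIMARY_GROUP_DOMAIN_COMPUTERS,
        "sid": sid,
        "rid": int(rid),
        "sid_in_domain": domain_sid == expected_domain_sid,
        "enctypes": [name for bit, name in ENCTYPE_BITS.items() if enc & bit],
        "aes_only": bool(enc) and not enc & WEAK_ENCTYPE_BITS,
        # The join has to write both of these; confirming they are absent
        # means the delegated user's permissions, not leftovers, are tested.
        "dnshostname_present": "dNSHostName" in e,
        "spn_present": "servicePrincipalName" in e,
    }


if __name__ == "__main__":
    report = check_prestaged_computer(
        SAMPLE_LDIF, "S-1-5-21-3917357665-4280980005-1639201238")
    for key, value in report.items():
        print("%-24s %s" % (key, value))
```

Feed it the file saved by `ldapsearch ... > lds` in place of SAMPLE_LDIF; a pre-staged account that already carries an SPN or dNSHostName, or whose msDS-SupportedEncryptionTypes still allows rc4-hmac, is reported before the delegated join is attempted.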

