Bug 1762420 - adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd
Summary: adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: adcli
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 1786776
Reported: 2019-10-16 17:11 UTC by Hemant B Khot
Modified: 2020-04-28 16:58 UTC (History)
CC: 15 users

Fixed In Version: adcli-0.8.2-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1786776
Environment:
Last Closed: 2020-04-28 16:58:21 UTC
Type: Bug
Target Upstream Version:


Links
System: Red Hat Product Errata
ID: RHBA-2020:1874
Priority / Status / Summary: None
Last Updated: 2020-04-28 16:58:29 UTC

Comment 6 shridhar 2019-12-20 11:33:36 UTC
qa_ack+

Comment 8 shridhar 2020-02-17 11:02:36 UTC
Tested with the following inputs:

Upgraded:
  adcli-0.8.2-5.el8.x86_64                                                                                            

Complete!

[root@ipaqavma ~]# iptables -A OUTPUT -p tcp  --destination-port 389 -j DROP

---------------------------------------------------
Without --use-ldaps option:
---------------------------------------------------
[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Discovering domain controllers: _ldap._tcp.sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.161
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: titan.sssd2016.com
 ! Couldn't connect to host: titan.sssd2016.com: Connection timed out
 ! Couldn't connect to host: mars.sssd2016.com: Connection timed out
adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: mars.sssd2016.com: Connection timed out
[root@ipaqavma ~]# man adcli
---------------------------------------------------
[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 ! Couldn't connect to host: 10.65.207.18: Connection timed out
adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: 10.65.207.18: Connection timed out

---------------------------------------------------
With --use-ldaps option
---------------------------------------------------

[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18 --use-ldaps
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 * Using LDAPS to connect to 10.65.207.18
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-UZ6E2i/krb5.d/adcli-krb5-conf-BozhGZ
Password for Administrator@SSSD2016.COM: 
 * Authenticated as user: Administrator@SSSD2016.COM
 * Using GSSAPI for SASL bind
 * Looked up short domain name: SSSD2016
 * Looked up domain SID: S-1-5-21-3474374533-2609541057-665406313
 * Using fully qualified name: ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Using domain name: sssd2016.com
 * Using computer account name: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for IPAQAVMA$ does not exist
 * Found well known computer container at: CN=Computers,DC=sssd2016,DC=com
 * Calculated computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Checking RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com
 *    Added RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Checking RestrictedKrbHost/IPAQAVMA
 *    Added RestrictedKrbHost/IPAQAVMA
 * Checking host/ipaqavma.idmqe.lab.eng.bos.redhat.com
 *    Added host/ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Checking host/IPAQAVMA
 *    Added host/IPAQAVMA
 * Discovered which keytab salt to use
 * Added the entries to the keytab: IPAQAVMA$@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/IPAQAVMA@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ipaqavma.idmqe.lab.eng.bos.redhat.com@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/IPAQAVMA@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com@SSSD2016.COM: FILE:/etc/krb5.keytab
[root@ipaqavma ~]# echo $?
0
[root@ipaqavma ~]# 

Marking verified
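As an added example, not part of this bug report and not code from adcli or sssd: a small POSIX shell helper that turns the manual check above (block TCP 389, join with --use-ldaps, confirm the join went over LDAPS and wrote the keytab) into something scriptable. It reads the verbose adcli transcript, which adcli prints to stderr, and decides from the " * Using LDAPS to connect to" marker and the absence of "Couldn't connect to host" lines whether the join completed over LDAPS. The two sample transcripts, the domain example.test, the controller 192.0.2.10 and the host name HOST01 are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of adcli: decide from the
# verbose transcript of `adcli join --use-ldaps` whether the join really went
# over LDAPS (TCP 636) and completed, as a scriptable version of the manual
# verification above. adcli writes its " * " progress lines to stderr, so a
# real transcript is captured with:
#   adcli join --verbose ... --use-ldaps 2>&1 | tee join.log

# Return 0 when the transcript shows the LDAPS marker and no failed connection.
adcli_join_used_ldaps() {
    transcript=$1
    # The marker adcli prints when --use-ldaps is honoured.
    printf '%s\n' "$transcript" | grep -q '^ \* Using LDAPS to connect to ' || return 1
    # Any connection failure means the join fell through (e.g. 389 blocked, no LDAPS).
    if printf '%s\n' "$transcript" | grep -q "Couldn't connect to host"; then
        return 1
    fi
    return 0
}

# Print how many keytab entries the join wrote (0 when it never got that far).
adcli_keytab_entries() {
    printf '%s\n' "$1" | grep -c '^ \* Added the entries to the keytab: ' || true
}

# Constructed sample transcripts, abridged to the line shapes adcli prints.
SAMPLE_LDAPS=$(cat <<'EOF'
 * Using domain name: example.test
 * Sending netlogon pings to domain controller: cldap://192.0.2.10
 * Using LDAPS to connect to 192.0.2.10
 * Authenticated as user: Administrator@EXAMPLE.TEST
 * Added the entries to the keytab: HOST01$@EXAMPLE.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/HOST01@EXAMPLE.TEST: FILE:/etc/krb5.keytab
EOF
)

SAMPLE_PLAIN=$(cat <<'EOF'
 * Using domain name: example.test
 * Sending netlogon pings to domain controller: cldap://192.0.2.10
 ! Couldn't connect to host: 192.0.2.10: Connection timed out
adcli: couldn't connect to example.test domain: Couldn't connect to host: 192.0.2.10: Connection timed out
EOF
)

# Print a one-line verdict for a named transcript.
report() {
    name=$1
    transcript=$2
    if adcli_join_used_ldaps "$transcript"; then
        echo "$name: join over LDAPS, $(adcli_keytab_entries "$transcript") keytab entries written"
    else
        echo "$name: join did not complete over LDAPS"
    fi
}

report "ldaps-sample" "$SAMPLE_LDAPS"
report "plain-sample" "$SAMPLE_PLAIN"
```

To use it on a real join, capture the transcript with `2>&1` as noted in the header comment and pass its contents to adcli_join_used_ldaps; together with `echo $?` after the join, this gives a check that fails if plain LDAP on 389 was ever fallen back to rather than LDAPS on 636.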

Comment 10 errata-xmlrpc 2020-04-28 16:58:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1874
