1762420 – adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd

Bug 1762420 - adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd

Summary: adcli should be able to Force LDAPS over 636 with AD Access Provider w.r.t sssd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	adcli
Sub Component:
Version:	8.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Sumit Bose
QA Contact:	sssd-qe
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:	1786776
TreeView+	depends on / blocked

Reported:	2019-10-16 17:11 UTC by Hemant B Khot
Modified:	2023-05-06 10:30 UTC (History)
CC List:	15 users (show)
Fixed In Version:	adcli-0.8.2-5.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1786776 (view as bug list)
Environment:
Last Closed:	2020-04-28 16:58:21 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-31300	None	None	None	2023-05-06 10:30:20 UTC
Red Hat Issue Tracker	SSSD-1880	None	None	None	2023-05-06 10:30:53 UTC
Red Hat Product Errata	RHBA-2020:1874	None	None	None	2020-04-28 16:58:29 UTC

Comment 5 Sumit Bose 2019-12-20 10:25:50 UTC

Master:
 - https://gitlab.freedesktop.org/realmd/adcli/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
 - https://gitlab.freedesktop.org/realmd/adcli/commit/85097245b57f190337225dbdbf6e33b58616c092

Comment 6 shridhar 2019-12-20 11:33:36 UTC

qa_ack+

Comment 8 shridhar 2020-02-17 11:02:36 UTC

Tested with following inputs:

Upgraded:
  adcli-0.8.2-5.el8.x86_64                                                                                            

Complete!

[root@ipaqavma ~]# iptables -A OUTPUT -p tcp  --destination-port 389 -j DROP

---------------------------------------------------
Without --use-ldaps option:
---------------------------------------------------
[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Discovering domain controllers: _ldap._tcp.sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.161
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: titan.sssd2016.com
 ! Couldn't connect to host: titan.sssd2016.com: Connection timed out
 ! Couldn't connect to host: mars.sssd2016.com: Connection timed out
adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: mars.sssd2016.com: Connection timed out
[root@ipaqavma ~]# man adcli
---------------------------------------------------
[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 ! Couldn't connect to host: 10.65.207.18: Connection timed out
adcli: couldn't connect to sssd2016.com domain: Couldn't connect to host: 10.65.207.18: Connection timed out

---------------------------------------------------
With --use-ldaps option
---------------------------------------------------

[root@ipaqavma ~]# adcli join --verbose -U Administrator --domain sssd2016.com --domain-realm SSSD2016.COM -S 10.65.207.18 --use-ldaps
 * Using domain name: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 * Using LDAPS to connect to 10.65.207.18
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-UZ6E2i/krb5.d/adcli-krb5-conf-BozhGZ
Password for Administrator: 
 * Authenticated as user: Administrator
 * Using GSSAPI for SASL bind
 * Looked up short domain name: SSSD2016
 * Looked up domain SID: S-1-5-21-3474374533-2609541057-665406313
 * Using fully qualified name: ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Using domain name: sssd2016.com
 * Using computer account name: IPAQAVMA
 * Using domain realm: sssd2016.com
 * Calculated computer account name from fqdn: IPAQAVMA
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for IPAQAVMA$ does not exist
 * Found well known computer container at: CN=Computers,DC=sssd2016,DC=com
 * Calculated computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Sending netlogon pings to domain controller: cldap://10.65.207.18
 * Received NetLogon info from: mars.sssd2016.com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=IPAQAVMA,CN=Computers,DC=sssd2016,DC=com
 * Checking RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com
 *    Added RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Checking RestrictedKrbHost/IPAQAVMA
 *    Added RestrictedKrbHost/IPAQAVMA
 * Checking host/ipaqavma.idmqe.lab.eng.bos.redhat.com
 *    Added host/ipaqavma.idmqe.lab.eng.bos.redhat.com
 * Checking host/IPAQAVMA
 *    Added host/IPAQAVMA
 * Discovered which keytab salt to use
 * Added the entries to the keytab: IPAQAVMA$@SSSD2016.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/IPAQAVMA: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ipaqavma.idmqe.lab.eng.bos.redhat.com: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/IPAQAVMA: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ipaqavma.idmqe.lab.eng.bos.redhat.com: FILE:/etc/krb5.keytab
[root@ipaqavma ~]# echo $?
0
[root@ipaqavma ~]# 

Marking verified

Comment 10 errata-xmlrpc 2020-04-28 16:58:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1874

Note You need to log in before you can comment on or make changes to this bug.