Description of problem:
Joining an AD domain with realmd in Fedora 34 fails. I have a test AD domain (served by a samba container, but that's not really relevant):

# realm discover cockpit.lan
  type: kerberos
  realm-name: COCKPIT.LAN
  domain-name: cockpit.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

Joining it directly with adcli works:

adcli join --verbose --domain cockpit.lan --domain-realm COCKPIT.LAN --domain-controller 10.111.112.100 --login-type user --login-user Administrator

But joining it with realmd now fails:

# realm join -vU Administrator cockpit.lan
# works without an /etc/realmd.conf
 * Resolving: _ldap._tcp.cockpit.lan
 * Performing LDAP DSE lookup on: 10.111.112.100
 * Successfully discovered: cockpit.lan
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain cockpit.lan --domain-realm COCKPIT.LAN --domain-controller 10.111.112.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: cockpit.lan
 * Calculated computer account name from fqdn: X0
 * Using domain realm: cockpit.lan
 * Sending NetLogon ping to domain controller: 10.111.112.100
 * Received NetLogon info from: f0.cockpit.lan
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-MU4p5T/krb5.d/adcli-krb5-conf-S7ouTu
 * Authenticated as user: Administrator
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: COCKPIT
 * Looked up domain SID: S-1-5-21-2893514108-2920310561-1624625319
 * Using fully qualified name: x0.cockpit.lan
 * Using domain name: cockpit.lan
 * Using computer account name: X0
 * Using domain realm: cockpit.lan
 * Calculated computer account name from fqdn: X0
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for X0$ does not exist
 * Found well known computer container at: CN=Computers,DC=cockpit,DC=lan
 * Calculated computer account: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Sending NetLogon ping to domain controller: 10.111.112.100
 * Received NetLogon info from: f0.cockpit.lan
 * Set computer password
 * Retrieved kvno '1' for computer account in directory: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Checking host/X0
 * Added host/X0
 * Checking host/x0.cockpit.lan
 * Added host/x0.cockpit.lan
 * Checking RestrictedKrbHost/X0
 * Added RestrictedKrbHost/X0
 * Checking RestrictedKrbHost/x0.cockpit.lan
 * Added RestrictedKrbHost/x0.cockpit.lan
 * Discovered which keytab salt to use
 * Added the entries to the keytab: X0$@COCKPIT.LAN: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/X0: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/x0.cockpit.lan: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/X0: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/x0.cockpit.lan: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
/usr/bin/sh: line 1: /usr/sbin/authconfig: No such file or directory
 ! Enabling SSSD in nsswitch.conf and PAM failed.
realm: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.

Indeed there is no authconfig, it was replaced with authselect years ago (https://fedoraproject.org/wiki/Changes/Authselect).

In Fedora 33 with realmd-0.16.3-25.fc33.x86_64 it uses authselect as intended:

# rpm -ql realmd|xargs grep authselect
/usr/lib/realmd/realmd-distro.conf:winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
/usr/lib/realmd/realmd-distro.conf:sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir

But in Fedora 34 with realmd-0.17.0-2.fc34.x86_64 it reverted to authconfig:

# rpm -ql realmd|xargs grep authselect
/usr/lib/realmd/realmd-distro.conf:winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
/usr/lib/realmd/realmd-distro.conf:sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart

Version-Release number of selected component (if applicable):
realmd-0.17.0-2.fc34.x86_64
adcli-0.9.1-2.fc34.x86_64
authselect-1.2.2-2.fc34.x86_64
sssd-2.4.2-2.fc34.x86_64

How reproducible:
Always
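As an added example (not part of this bug report or of realmd itself): a POSIX shell preflight that pulls every absolute path out of the *-logins commands in realmd-distro.conf and reports the ones that are not executable on the host, which is the check that would have caught the missing /usr/sbin/authconfig before `realm join` got as far as the PAM/nsswitch step. The function names are mine, and the config text is constructed from the Fedora 34 grep output above (only the two sssd keys, no section header).

```shell
#!/bin/sh
# Added example (not from this bug report or the realmd project): a preflight
# that extracts every absolute path from the *-logins commands in a
# realmd-distro.conf and reports those that are not executable on this host.
# Function names are mine; the config text is constructed from the Fedora 34
# grep output in the report (section header omitted, only the two keys shown).

BROKEN_CONF='sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart'

# Print the absolute-path tokens of one "key = command" line, sorted, unique.
# The value is everything after the first '='; double quotes are stripped so
# a quoted inner command such as "/usr/sbin/authconfig ..." is seen as well.
enable_logins_paths() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr -d '"' | tr ' ' '\n' \
        | grep '^/' | LC_ALL=C sort -u
}

# Check every *-logins command in the config text given as $1.
# Returns 0 when all referenced executables exist; otherwise prints
# "MISSING: <path>" for each absent one and returns 1.
check_logins_commands() {
    _rc=0
    for _p in $(printf '%s\n' "$1" | grep -- '-logins *=' \
                | while IFS= read -r _line; do enable_logins_paths "$_line"; done \
                | LC_ALL=C sort -u); do
        if [ ! -x "$_p" ]; then
            echo "MISSING: $_p"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone run: on a Fedora 34 host this flags /usr/sbin/authconfig, which
# is exactly the binary `realm join` tried to execute before failing.
if check_logins_commands "$BROKEN_CONF"; then
    echo "all *-logins commands resolve; realmd login setup can proceed"
else
    echo "realmd login setup would fail; fix realmd-distro.conf or install the missing tools"
fi
```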
Hi, bummer, the authselect patch was downstream only and got lost. Can you try if the scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=62946098 works for you? bye, Sumit
Sumit, thanks for the quick fix! I tested this package against all our realm/AD tests, and it's working perfectly again 👍
FEDORA-2021-750346511c has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-9b44822a60 has been pushed to the Fedora ELN stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-c77afd19c8 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c77afd19c8
FEDORA-2021-c77afd19c8 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c77afd19c8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c77afd19c8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This seems like a clear Beta blocker. It violates "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain" - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication .
+5 votes in https://pagure.io/fedora-qa/blocker-review/issue/313 , marking accepted.
FEDORA-2021-c77afd19c8 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.