Bug 2149664 - adcli testjoin does not detect domain name correctly
Summary: adcli testjoin does not detect domain name correctly
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: adcli
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-30 14:28 UTC by Ondrej
Modified: 2023-07-31 22:37 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-140942 0 None None None 2022-11-30 15:03:19 UTC
Red Hat Issue Tracker SSSD-5238 0 None None None 2022-12-01 15:01:10 UTC

Description Ondrej 2022-11-30 14:28:28 UTC
Description of problem:

After successfully joining the domain:
adcli join ... adwin.renesas.com

I receive this Kerberos keytab:

[root@slsrvadm-02v ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 slsrvadm-02v2$@ADWIN.RENESAS.COM
   2 host/slsrvadm-02v2.COM
   2 slsrvadm-02v2$@ADWIN.RENESAS.COM
   2 host/slsrvadm-02v2.COM
   2 host/slsrvadm-02v.diasemi.com.COM
   2 RestrictedKrbHost/slsrvadm-02v2.COM
   2 host/slsrvadm-02v.diasemi.com.COM
   2 RestrictedKrbHost/slsrvadm-02v2.COM
   2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
   2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM

... however 'adcli testjoin' complains about 'diasemi.com' domain which I did not join:

[root@slsrvadm-02v ~]# adcli testjoin
adcli: couldn't connect to diasemi.com domain: Couldn't get kerberos ticket for machine account: slsrvadm-02v2: Realm not local to KDC
Please check
    https://red.ht/support_rhel_ad 
to get help for common issues.

and as per the man page, I can't supply a domain name to adcli testjoin

Comment 1 Ondrej 2022-11-30 14:40:16 UTC
...but apparently it does support the '--domain' parameter.
Hence I suggest updating the man page here.

Comment 2 Sumit Bose 2023-06-19 10:54:33 UTC
Hi,

thanks for the report and sorry for the delay. When I was reading your description I thought that the reason was obvious and that adcli was using the DNS domain name as the realm and not the realm found in the keytab. But when I now try to reproduce it, it is working as expected. Can you try to reproduce the issue without using the '--domain' option and send the verbose output with the '-v' option? In my tests the first message is always ' * Found realm in keytab: MY.REALM.COM' and this realm is used for the following operations.

bye,
Sumit

Comment 3 Ondrej 2023-06-21 09:34:52 UTC
Hi, see below:

[root@slsrvadm-02v mmanow]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SLSRVADM-02V$@ADWIN.RENESAS.COM
   2 SLSRVADM-02V$@ADWIN.RENESAS.COM
   2 SLSRVADM-02V$@ADWIN.RENESAS.COM
   2 host/SLSRVADM-02V.COM
   2 host/SLSRVADM-02V.COM
   2 host/SLSRVADM-02V.COM
   2 host/slsrvadm-02v.diasemi.com.COM
   2 host/slsrvadm-02v.diasemi.com.COM
   2 host/slsrvadm-02v.diasemi.com.COM
   2 RestrictedKrbHost/SLSRVADM-02V.COM
   2 RestrictedKrbHost/SLSRVADM-02V.COM
   2 RestrictedKrbHost/SLSRVADM-02V.COM
   2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
   2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
   2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
   3 SLSRVADM-02V$@ADWIN.RENESAS.COM
   3 SLSRVADM-02V$@ADWIN.RENESAS.COM
   3 SLSRVADM-02V$@ADWIN.RENESAS.COM
   3 host/SLSRVADM-02V.COM
   3 host/SLSRVADM-02V.COM
   3 host/SLSRVADM-02V.COM
   3 host/slsrvadm-02v.diasemi.com.COM
   3 host/slsrvadm-02v.diasemi.com.COM
   3 host/slsrvadm-02v.diasemi.com.COM
   3 RestrictedKrbHost/SLSRVADM-02V.COM
   3 RestrictedKrbHost/SLSRVADM-02V.COM
   3 RestrictedKrbHost/SLSRVADM-02V.COM
   3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
   3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
   3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
[root@slsrvadm-02v mmanow]# kinit -k SLSRVADM-02V$
[root@slsrvadm-02v mmanow]# adcli testjoin -v
 * Found realm in keytab: ADWIN.RENESAS.COM
 * Found computer name in keytab: SLSRVADM-02V
 * Found service principal in keytab: host/SLSRVADM-02V
 * Found service principal in keytab: host/slsrvadm-02v.diasemi.com
 * Found host qualified name in keytab: slsrvadm-02v.diasemi.com
 * Found service principal in keytab: RestrictedKrbHost/SLSRVADM-02V
 * Found service principal in keytab: RestrictedKrbHost/slsrvadm-02v.diasemi.com
 * Calculated domain name from host fqdn: diasemi.com
 * Using computer account name: SLSRVADM-02V
 * Using domain realm: diasemi.com
 * Discovering domain controllers: _ldap._tcp.diasemi.com
 * Sending NetLogon ping to domain controller: casrvdc-03v.diasemi.com
 * Received NetLogon info from: CASRVDC-03v.diasemi.com
 * Discovering site domain controllers: _ldap._tcp.SLOUGH._sites.dc._msdcs.diasemi.com
 * Sending NetLogon ping to domain controller: slsrvdc-01.diasemi.com
 * Received NetLogon info from: slsrvdc-01.diasemi.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-WrUuFQ/krb5.d/adcli-krb5-conf-KUt49G
 ! Couldn't get kerberos ticket for machine account: SLSRVADM-02V: Realm not local to KDC
adcli: couldn't connect to diasemi.com domain: Couldn't get kerberos ticket for machine account: SLSRVADM-02V: Realm not local to KDC
Please check
    https://red.ht/support_rhel_ad 
to get help for common issues.
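
The verbose output above shows the mechanism behind the failure: the realm is read from the keytab (ADWIN.RENESAS.COM), but the domain used for DC discovery and for the machine-account TGT request is calculated from the host FQDN found in the keytab (slsrvadm-02v.diasemi.com, giving diasemi.com), and the KDC of that domain answers "Realm not local to KDC". As an added example, not part of adcli or of this report, the script below parses `klist -k` output, applies the same FQDN-to-domain derivation, and flags a keytab whose realm does not match the host's DNS domain, suggesting the `--domain` form of the command that the reporter found is accepted. The sample listing is constructed from the reporter's principals; the `@REALM` suffix on the service principals is assumed (klist prints it, but it is cut off in the listing above), and the assumption that the AD domain name is the realm in lowercase is marked in the code.

```python
"""Keytab realm vs. host DNS domain check (added example, not adcli code).

Parses `klist -k` output, recovers the realm, computer account and host
FQDN, derives the DNS domain from the FQDN the way the verbose adcli output
shows ("Calculated domain name from host fqdn"), and reports a mismatch.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed sample modelled on the reporter's keytab; the @REALM part of
# the service principals is an assumption (it is truncated in the report).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SLSRVADM-02V$@ADWIN.RENESAS.COM
   2 host/SLSRVADM-02V@ADWIN.RENESAS.COM
   2 host/slsrvadm-02v.diasemi.com@ADWIN.RENESAS.COM
   2 RestrictedKrbHost/SLSRVADM-02V@ADWIN.RENESAS.COM
   2 RestrictedKrbHost/slsrvadm-02v.diasemi.com@ADWIN.RENESAS.COM
   3 SLSRVADM-02V$@ADWIN.RENESAS.COM
   3 host/slsrvadm-02v.diasemi.com@ADWIN.RENESAS.COM
"""

# One keytab entry line: "<kvno> <principal>@<REALM>"
PRINC_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s*$")
HOST_SERVICES = ("host", "restrictedkrbhost")


@dataclass
class KeytabInfo:
    realms: Set[str] = field(default_factory=set)
    kvnos: Set[int] = field(default_factory=set)
    computer_name: Optional[str] = None   # from the "<NAME>$" principal
    host_fqdn: Optional[str] = None       # from host/<fqdn> or RestrictedKrbHost/<fqdn>


def parse_klist(text: str) -> KeytabInfo:
    """Extract realm(s), KVNOs, computer name and host FQDN from klist -k output."""
    info = KeytabInfo()
    for line in text.splitlines():
        m = PRINC_RE.match(line)
        if not m:
            continue  # header, separator, blank
        kvno, princ, realm = m.groups()
        info.realms.add(realm)
        info.kvnos.add(int(kvno))
        if princ.endswith("$"):
            info.computer_name = princ[:-1]
        elif "/" in princ:
            service, instance = princ.split("/", 1)
            # Only the fully qualified instance tells us the DNS domain.
            if service.lower() in HOST_SERVICES and "." in instance:
                info.host_fqdn = instance.lower()
    return info


def dns_domain_from_fqdn(fqdn: str) -> str:
    """Same derivation as the verbose log: strip the first label."""
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def check_realm_vs_domain(info: KeytabInfo) -> Tuple[bool, str, str]:
    """Return (ok, finding, suggested_command).

    ok is False when the domain derived from the host FQDN would not be the
    realm's own domain, which is the situation in which testjoin ends up
    asking a KDC in the wrong domain for the machine-account ticket.
    """
    if len(info.realms) != 1:
        return False, "expected exactly one realm in keytab, got %r" % sorted(info.realms), ""
    realm = next(iter(info.realms))
    if info.host_fqdn is None:
        return False, "no fully qualified host/ or RestrictedKrbHost/ principal in keytab", ""
    derived = dns_domain_from_fqdn(info.host_fqdn)
    if derived.upper() == realm:
        return True, "host DNS domain %s matches keytab realm %s" % (derived, realm), "adcli testjoin"
    finding = ("keytab realm is %s but host FQDN %s implies DNS domain %s; "
               "DC discovery and the TGT request would target %s"
               % (realm, info.host_fqdn, derived, derived))
    # Assumption: the AD domain name is the realm in lowercase (AD realms are
    # the upper-cased DNS name of the domain).
    return False, finding, "adcli testjoin --domain %s" % realm.lower()


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    result = parse_klist(text)
    ok, finding, cmd = check_realm_vs_domain(result)
    print(("OK: " if ok else "MISMATCH: ") + finding)
    if cmd:
        print("suggested: " + cmd)
```

Run it as `klist -k | python3 keytab_check.py` on the joined host; with no input on stdin it uses the constructed sample and reports the mismatch with a suggested `adcli testjoin --domain adwin.renesas.com`.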

