Bug 2149664
| Summary: | adcli testjoin does not detect domain name correctly | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ondrej <ondrej.valousek.xm> |
| Component: | adcli | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED MIGRATED | QA Contact: | sssd-qe |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 9.1 | CC: | aboscatt, atikhono |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-19 13:24:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
...but apparently it does support '--domain' parameter. Hence I suggest updating man page here. Hi, thanks for the report and sorry for the delay. When I was reading your description I thought that the reason is obvious and adcli is using the DNS domain name as realm and not the realm found in the keytab. But when I now try to reproduce it, it is working as expected. Can you try to reproduce the issue without using the '--domain' option and send the verbose output with the '-v' option?. In my tests the first message is always ' * Found realm in keytab: MY.REALM.COM' and this realm is used for the following operations. bye, Sumit Hi, see below:
[root@slsrvadm-02v mmanow]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 SLSRVADM-02V$@ADWIN.RENESAS.COM
2 SLSRVADM-02V$@ADWIN.RENESAS.COM
2 SLSRVADM-02V$@ADWIN.RENESAS.COM
2 host/SLSRVADM-02V.COM
2 host/SLSRVADM-02V.COM
2 host/SLSRVADM-02V.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 host/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/SLSRVADM-02V.COM
2 RestrictedKrbHost/SLSRVADM-02V.COM
2 RestrictedKrbHost/SLSRVADM-02V.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
3 SLSRVADM-02V$@ADWIN.RENESAS.COM
3 SLSRVADM-02V$@ADWIN.RENESAS.COM
3 SLSRVADM-02V$@ADWIN.RENESAS.COM
3 host/SLSRVADM-02V.COM
3 host/SLSRVADM-02V.COM
3 host/SLSRVADM-02V.COM
3 host/slsrvadm-02v.diasemi.com.COM
3 host/slsrvadm-02v.diasemi.com.COM
3 host/slsrvadm-02v.diasemi.com.COM
3 RestrictedKrbHost/SLSRVADM-02V.COM
3 RestrictedKrbHost/SLSRVADM-02V.COM
3 RestrictedKrbHost/SLSRVADM-02V.COM
3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
3 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM
[root@slsrvadm-02v mmanow]# kinit -k SLSRVADM-02V$
[root@slsrvadm-02v mmanow]# adcli testjoin -v
* Found realm in keytab: ADWIN.RENESAS.COM
* Found computer name in keytab: SLSRVADM-02V
* Found service principal in keytab: host/SLSRVADM-02V
* Found service principal in keytab: host/slsrvadm-02v.diasemi.com
* Found host qualified name in keytab: slsrvadm-02v.diasemi.com
* Found service principal in keytab: RestrictedKrbHost/SLSRVADM-02V
* Found service principal in keytab: RestrictedKrbHost/slsrvadm-02v.diasemi.com
* Calculated domain name from host fqdn: diasemi.com
* Using computer account name: SLSRVADM-02V
* Using domain realm: diasemi.com
* Discovering domain controllers: _ldap._tcp.diasemi.com
* Sending NetLogon ping to domain controller: casrvdc-03v.diasemi.com
* Received NetLogon info from: CASRVDC-03v.diasemi.com
* Discovering site domain controllers: _ldap._tcp.SLOUGH._sites.dc._msdcs.diasemi.com
* Sending NetLogon ping to domain controller: slsrvdc-01.diasemi.com
* Received NetLogon info from: slsrvdc-01.diasemi.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-WrUuFQ/krb5.d/adcli-krb5-conf-KUt49G
! Couldn't get kerberos ticket for machine account: SLSRVADM-02V: Realm not local to KDC
adcli: couldn't connect to diasemi.com domain: Couldn't get kerberos ticket for machine account: SLSRVADM-02V: Realm not local to KDC
Please check
https://red.ht/support_rhel_ad
to get help for common issues.
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. |
Description of problem: After successful joining to domain: adcli join ... adwin.renesas.com I receive this Kerberos keytab: [root@slsrvadm-02v ~]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 slsrvadm-02v2$@ADWIN.RENESAS.COM 2 host/slsrvadm-02v2.COM 2 slsrvadm-02v2$@ADWIN.RENESAS.COM 2 host/slsrvadm-02v2.COM 2 host/slsrvadm-02v.diasemi.com.COM 2 RestrictedKrbHost/slsrvadm-02v2.COM 2 host/slsrvadm-02v.diasemi.com.COM 2 RestrictedKrbHost/slsrvadm-02v2.COM 2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM 2 RestrictedKrbHost/slsrvadm-02v.diasemi.com.COM ... however 'adcli testjoin' complains about 'diasemi.com' domain which I did not join: [root@slsrvadm-02v ~]# adcli testjoin adcli: couldn't connect to diasemi.com domain: Couldn't get kerberos ticket for machine account: slsrvadm-02v2: Realm not local to KDC Please check https://red.ht/support_rhel_ad to get help for common issues. and as per the man page, I can't supply domain name to adcli testjoin