Bug 961550 - "adcli join" failing with same output under various circumstances
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: realmd
Version: 19
Assigned To: Stef Walter
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-05-09 18:36 EDT by yelley
Modified: 2014-09-14 20:08 EDT
Last Closed: 2013-05-24 06:45:31 EDT
Type: Bug

Attachments:
coredump (44.73 MB, application/octet-stream), 2013-05-13 09:58 EDT, yelley
core_backtrace (677 bytes, application/octet-stream), 2013-05-13 10:00 EDT, yelley
var_log_messages (9.97 KB, application/octet-stream), 2013-05-13 10:01 EDT, yelley

Description yelley 2013-05-09 18:36:53 EDT
Description of problem:
Unable to join machine to AD when manually specifying domain server and specifying "--client-software=sssd" (or using the default by not specifying "--client-software" at all). Note that if the "--client-software=winbind" option is used, then this problem is not seen.

Note that this problem was also reproduced in a permissive selinux environment (i.e. setenforce 0). Also note that I definitely entered the correct password, as I did it very slowly and multiple times, so the "preauthentication failed" error message is not accurate.

Version-Release number of selected component (if applicable):
realmd-0.14.0-1
sssd-1.10.0-4

Steps to Reproduce:
$ realm -v join --user=Administrator adserver.foo.com
 * Resolving: _ldap._tcp.dc._msdcs.adserver.foo.com
 * Resolving: _ldap._tcp.adserver.foo.com
 * Resolving: adserver.foo.com
 * Sending MS-CLDAP ping to: 10.16.189.20
 * Performing LDAP DSE lookup on: 10.16.189.20
 * Successfully discovered: foo.com
Password for Administrator:
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain foo.com --domain-realm FOO.COM --domain-controller adserver.foo.com --login-type user --login-user Administrator --stdin-password
 * Using domain name: foo.com
 * Calculated computer account name from fqdn: F19-CLIENT
 * Using domain realm: foo.com
 * Sending cldap pings to domain controller: adserver.foo.com
 * Received NetLogon info from: ADSERVER.foo.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-xkqkXp/krb5.d/adcli-krb5-conf-WVWGBB
 ! Couldn't authenticate as: Administrator@FOO.COM: Preauthentication failed
adcli: couldn't connect to foo.com domain: Couldn't authenticate as: Administrator@FOO.COM: Preauthentication failed
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain

Intermittently, I got the following output when I run the command:
$ realm -v join --user=Administrator adserver.foo.com
 * Resolving: _ldap._tcp.dc._msdcs.adserver.foo.com
 * Resolving: _ldap._tcp.adserver.foo.com
 * Resolving: adserver.foo.com
 * Sending MS-CLDAP ping to: 10.16.189.20
 * Performing LDAP DSE lookup on: 10.16.189.20
 * Successfully discovered: foo.com
Password for Administrator:
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain foo.com --domain-realm FOO.COM --domain-controller adserver.foo.com --login-type user --login-user Administrator --stdin-password
realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
Comment 1 yelley 2013-05-09 19:22:47 EDT
I am seeing the *identical* error and output (including the same intermittent message bus timeouts, even with selinux permissive) when I run:

$ realm -v join --membership-software=adcli --user=Administrator --user-principal=host/Test@FOO.COM foo.com

Note that this problem is not seen when running the same command with "--membership-software=samba":
$ realm -v join --membership-software=samba --user=Administrator --user-principal=host/Test@FOO.COM foo.com
Comment 2 Stef Walter 2013-05-13 06:54:24 EDT
(In reply to comment #0)
>  ! Couldn't authenticate as: Administrator@FOO.COM: Preauthentication failed
> adcli: couldn't connect to foo.com domain: Couldn't authenticate as:
> Administrator@FOO.COM: Preauthentication failed
>  ! Insufficient permissions to join the domain
> realm: Couldn't join realm: Insufficient permissions to join the domain

This is an invalid password for the Administrator account.

(In reply to comment #0)
> Intermittently, I got the following output when I run the command:
> $ realm -v join --user=Administrator adserver.foo.com
>  * Resolving: _ldap._tcp.dc._msdcs.adserver.foo.com
>  * Resolving: _ldap._tcp.adserver.foo.com
>  * Resolving: adserver.foo.com
>  * Sending MS-CLDAP ping to: 10.16.189.20
>  * Performing LDAP DSE lookup on: 10.16.189.20
>  * Successfully discovered: foo.com
> Password for Administrator:
>  * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
>  * LANG=C /usr/sbin/adcli join --verbose --domain foo.com --domain-realm
> FOO.COM --domain-controller adserver.foo.com --login-type user --login-
> user Administrator --stdin-password
> realm: Couldn't join realm: Message did not receive a reply (timeout by
> message bus)

It looks like realmd crashed. Could you attach the relevant files from /tmp/abrt/ccpp-xxxxx?
Comment 3 yelley 2013-05-13 09:52:21 EDT
I agree that the error output message is identical to that given by an invalid password for the Administrator account. However, as I indicated, this is not the case, as I tried the realm join command multiple times and typed in the password very slowly. I also know the password works b/c when I run the same command but with "--client-software=winbind", the realm join works fine. Also note that spoore seems to have run into the same issue, according to the test page.

With regard to the realm crash, I am attaching several files. Let me know if you need additional files.
Comment 4 yelley 2013-05-13 09:58:12 EDT
Created attachment 747241
coredump
Comment 5 yelley 2013-05-13 10:00:44 EDT
Created attachment 747242
core_backtrace
Comment 6 yelley 2013-05-13 10:01:24 EDT
Created attachment 747243
var_log_messages
Comment 7 Stef Walter 2013-05-13 11:36:31 EDT
(In reply to comment #3)
> I agree that the error output message is identical to that given by an
> invalid password for the Administrator account. However, as I indicated,
> this is not the case, as I tried the realm join command multiple times and
> typed in the password very slowly. I also know the password works b/c when I
> run the same command but with "--client-software=winbind", the realm join
> works fine. Also note that spoore seems to have run into the same issue,
> according to the test page.

Have you rebuilt realmd manually recently? Perhaps try reinstalling it? This sounds like this bug, which was fixed a couple of weeks ago and is included in realmd 0.14.0.

http://cgit.freedesktop.org/realmd/realmd/commit/?id=f2b2b6e702b222a5a89ae1985f497d2927257c27

If you try to use the same password with the following command, what happens?

kinit Administrator@FOO.COM

> With regard to the realm crash, I am attaching several files. Let me know if
> you need additional files.

Thanks. That's helpful. The crash is a duplicate of bug #961435
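
The two failure signatures in this report call for different next steps: the kinit check and the crash files requested in comment 7. As an added example that is not part of the original thread or of realmd/adcli, this shell function classifies captured `realm -v join` output; the function name and verdict codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not realmd or adcli code): classify captured `realm -v join`
# output. triage_realm_join and its verdict codes are hypothetical names.

# Reads the log on stdin and prints one verdict line: "<CODE>: <next step>".
triage_realm_join() {
    log=$(cat)
    # realmd stopped answering on D-Bus, so the client never saw a join result.
    if printf '%s\n' "$log" | grep -q 'timeout by message bus'; then
        echo "BUS_TIMEOUT: realmd did not reply; check for a crash report from abrt"
        return 0
    fi
    # The closing "Insufficient permissions" line hides the Kerberos error;
    # the "!" line from adcli names the principal the KDC rejected.
    principal=$(printf '%s\n' "$log" |
        sed -n "s/^ *! Couldn't authenticate as: \([^:]*\): Preauthentication failed.*/\1/p" |
        head -n 1)
    if [ -n "$principal" ]; then
        echo "PREAUTH_FAILED: test the same password with: kinit $principal"
        return 0
    fi
    if printf '%s\n' "$log" | grep -q "Couldn't join realm"; then
        echo "JOIN_FAILED: no known signature; rerun with -v and read the '!' lines"
        return 0
    fi
    echo "NO_FAILURE: no join error found in the log"
}

# Excerpts of the two outputs quoted in the report above.
SAMPLE_PREAUTH=" * Using domain realm: foo.com
 ! Couldn't authenticate as: Administrator@FOO.COM: Preauthentication failed
adcli: couldn't connect to foo.com domain: Couldn't authenticate as: Administrator@FOO.COM: Preauthentication failed
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain"

SAMPLE_TIMEOUT=" * Successfully discovered: foo.com
realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)"

printf '%s\n' "$SAMPLE_PREAUTH" | triage_realm_join
printf '%s\n' "$SAMPLE_TIMEOUT" | triage_realm_join
```
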
Comment 8 Stef Walter 2013-05-24 06:45:31 EDT
I think we resolved this over IRC/email. If not, please do feel free to reopen this bug.
