Bug 985817 - Join with winbind and kerberos credentials does not work
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.0
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Stef Walter
QA Contact: Patrik Kis
Depends On: 976593
Blocks: 917637
 
Reported: 2013-07-18 06:09 EDT by Patrik Kis
Modified: 2016-08-22 07:35 EDT
Fixed In Version: realmd-0.14.3-1.el7
Doc Type: Bug Fix
Clone Of: 976593
Last Closed: 2014-06-13 08:57:00 EDT
Type: Bug

Description Patrik Kis 2013-07-18 06:09:39 EDT
+++ This bug was initially created as a clone of Bug #976593 +++

[root@dwoodhou-mobl3 ~]# realm join --client-software=winbind ger.corp.intel.com -v
 * Resolving: _ldap._tcp.ger.corp.intel.com
 * Performing LDAP DSE lookup on: 10.31.1.128
 * Performing LDAP DSE lookup on: 10.22.226.110
 * Performing LDAP DSE lookup on: 10.19.8.6
 * Successfully discovered: ger.corp.intel.com
Password for Administrator: 
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.A2BLZW -U Administrator ads join ger.corp.intel.com
^CCancelling...

--- Additional comment from David Woodhouse on 2013-07-01 21:47:23 CEST ---

[root@dwoodhou-mobl3 ~]# realm join --client-software=winbind -U dwoodhou ger.corp.intel.com -v
 * Resolving: _ldap._tcp.ger.corp.intel.com
 * Performing LDAP DSE lookup on: 10.22.226.110
 * Performing LDAP DSE lookup on: 10.31.1.128
 * Performing LDAP DSE lookup on: 10.19.8.6
 * Successfully discovered: ger.corp.intel.com
Password for dwoodhou: 
 * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SOEKZW -U dwoodhou ads join ger.corp.intel.com
Enter dwoodhou's password:
^CCancelling...

--- Additional comment from David Woodhouse on 2013-07-01 21:48:25 CEST ---

Note the 'Password for...' prompts which I don't seem to be able to cancel, which is why they aren't the last line in the output each time.
Comment 1 Stef Walter 2013-07-19 12:35:42 EDT
Fix upstream in realmd git master.
Comment 2 Patrik Kis 2013-08-15 06:50:46 EDT
Verified.

/CoreOS/realmd/Sanity/AD_join_with_kerberos_credentials

OLD: realmd-0.14.2-3.el7

:: [   LOG    ] :: +++   Join with client-software=winbind membership-software=samba   +++
:: [   PASS   ] :: Running 'do_kinit Amy-admin Pass2012! SECURITY.BASEOS.QE'
:: [   FAIL   ] :: Running 'realm -v join --client-software=winbind --membership-software=samba security.baseos.qe' (Expected 0, got 1)
:: [   PASS   ] :: Clear sssd cache
:: [   PASS   ] :: Running 'realm list &>/tmp/tmp.nM6LNxMTxD/out'
:: [   FAIL   ] :: File '/tmp/tmp.nM6LNxMTxD/out' should contain 'domain-name: security.baseos.qe' 
:: [   FAIL   ] :: File '/tmp/tmp.nM6LNxMTxD/out' should contain 'configured: kerberos-member' 
:: [   FAIL   ] :: Running 'getent passwd Amy@security.baseos.qe' (Expected 0, got 2)
:: [   FAIL   ] :: Running 'getent passwd SECURITY.BASEOS.QE\\Amy' (Expected 0, got 2)
:: [   FAIL   ] :: Running 'klist -k &>/tmp/tmp.nM6LNxMTxD/out' (Expected 0, got 1)
:: [   FAIL   ] :: File '/tmp/tmp.nM6LNxMTxD/out' should contain 'X86-64-V08$@SECURITY.BASEOS.QE' 
:: [   FAIL   ] :: Check keytab usage (Expected 0, got 1)
:: [   PASS   ] :: Running 'klist'
:: [   FAIL   ] :: Running 'realmd_check_join Amy Pass2012! security.baseos.qe' (Expected 0, got 240)
:: [   FAIL   ] :: Running 'realm -v leave' (Expected 0, got 1)
:: [   PASS   ] :: Running 'realm list &> realm.list'
:: [   PASS   ] :: Check that there is no realm configured
:: [   LOG    ] :: Duration: 2m 48s
:: [   LOG    ] :: Assertions: 42 good, 10 bad
:: [   FAIL   ] :: RESULT: Test

NEW: realmd-0.14.4-1.el7

:: [   LOG    ] :: +++   Join with client-software=winbind membership-software=samba   +++
:: [   PASS   ] :: Running 'do_kinit Amy-admin Pass2012! SECURITY.BASEOS.QE'
:: [   PASS   ] :: Running 'realm -v join --client-software=winbind --membership-software=samba security.baseos.qe'
:: [   PASS   ] :: Clear sssd cache
:: [   PASS   ] :: Running 'realm list &>/tmp/tmp.A25p3aicpi/out'
:: [   PASS   ] :: File '/tmp/tmp.A25p3aicpi/out' should contain 'domain-name: security.baseos.qe'
:: [   PASS   ] :: File '/tmp/tmp.A25p3aicpi/out' should contain 'configured: kerberos-member'
:: [   PASS   ] :: Running 'getent passwd Amy@security.baseos.qe'
:: [   PASS   ] :: Running 'getent passwd Amy@SECURITY'
:: [   PASS   ] :: Running 'getent passwd SECURITY\\Amy'
:: [   PASS   ] :: Running 'getent passwd SECURITY.BASEOS.QE\\Amy'
:: [   PASS   ] :: Running 'klist -k &>/tmp/tmp.A25p3aicpi/out'
:: [   PASS   ] :: File '/tmp/tmp.A25p3aicpi/out' should contain 'X86-64-V08$@SECURITY.BASEOS.QE'
:: [   PASS   ] :: Check keytab usage
:: [   PASS   ] :: Running 'klist'
:: [   PASS   ] :: Running 'realmd_check_join Amy Pass2012! security.baseos.qe'
:: [   PASS   ] :: Running 'realm -v leave'
:: [   PASS   ] :: Running 'realm list &> realm.list'
:: [   PASS   ] :: Check that there is no realm configured
:: [   LOG    ] :: Duration: 41s
:: [   LOG    ] :: Assertions: 54 good, 0 bad
:: [   PASS   ] :: RESULT: Test


/CoreOS/realmd/Sanity/AD-join-leave-sanity-test

OLD: realmd-0.14.2-3.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Join non interactive mode
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: +++   Join with piped password   +++
:: [   PASS   ] :: Running 'echo weareawesome2012! | realm -v join security.baseos.qe &>join.log &'
:: [   FAIL   ] :: File 'join.log' should contain 'Successfully enrolled machine' 
:: [   PASS   ] :: Running 'realm list'
:: [   FAIL   ] :: Running 'realm -v leave' (Expected 0, got 1)
:: [   PASS   ] :: Running 'realm list &> realm.list'
:: [   PASS   ] :: Check that there is no realm configured
:: [   LOG    ] :: +++   Join attempt with incorrect password piped o realm   +++
:: [   PASS   ] :: Running 'echo FAkePassword | realm -v join security.baseos.qe &>join.log &'
:: [   PASS   ] :: File 'join.log' should not contain 'Successfully enrolled machine'
:: [   FAIL   ] :: File 'join.log' should contain 'realm: Couldn't join' 
:: [   PASS   ] :: Running 'realm list &> realm.list'
:: [   PASS   ] :: Check that there is no realm configured
:: [   LOG    ] :: Duration: 2m 5s
:: [   LOG    ] :: Assertions: 8 good, 3 bad
:: [   FAIL   ] :: RESULT: Join non interactive mode


NEW: realmd-0.14.4-1.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Join non interactive mode
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: +++   Join with piped password   +++
:: [   PASS   ] :: Running 'echo weareawesome2012! | realm -v join security.baseos.qe &>join.log &'
:: [   PASS   ] :: File 'join.log' should contain 'Successfully enrolled machine'
:: [   PASS   ] :: Running 'realm list'
:: [   PASS   ] :: Running 'realm -v leave'
:: [   PASS   ] :: Running 'realm list &> realm.list'
:: [   PASS   ] :: Check that there is no realm configured
:: [   LOG    ] :: +++   Join attempt with incorrect password piped o realm   +++
:: [   PASS   ] :: Running 'echo FAkePassword | realm -v join security.baseos.qe &>join.log &'
:: [   PASS   ] :: File 'join.log' should not contain 'Successfully enrolled machine'
:: [   PASS   ] :: File 'join.log' should contain 'realm: Couldn't join'
:: [   PASS   ] :: Running 'realm list &> realm.list'
:: [   PASS   ] :: Check that there is no realm configured
:: [   LOG    ] :: Duration: 36s
:: [   LOG    ] :: Assertions: 11 good, 0 bad
:: [   PASS   ] :: RESULT: Join non interactive mode


/CoreOS/realmd/Sanity/IPA-join-leave-sanity-test

OLD: realmd-0.14.2-3.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Join non interactive mode
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: +++   Join with piped password   +++
:: [   PASS   ] :: Running 'echo Pass2012! | realm -v join ipa2.baseos.qe &>join.log &' (Expected 0, got 0)
:: [   FAIL   ] :: File 'join.log' should contain 'Successfully enrolled machine' 
:: [   PASS   ] :: Running 'realm list' (Expected 0, got 0)
:: [   PASS   ] :: Clear sssd cache (Expected 0-255, got 0)
:: [   PASS   ] :: Running 'realm list &>/tmp/tmp.wB1mksFWIm/out' (Expected 0, got 0)
:: [   FAIL   ] :: File '/tmp/tmp.wB1mksFWIm/out' should contain 'domain-name: ipa2.baseos.qe' 
:: [   FAIL   ] :: File '/tmp/tmp.wB1mksFWIm/out' should contain 'configured: kerberos-member' 
:: [   FAIL   ] :: Running 'getent passwd amy@ipa2.baseos.qe' (Expected 0, got 2)
:: [   FAIL   ] :: Running 'getent passwd IPA2.BASEOS.QE\\amy' (Expected 0, got 2)
:: [   FAIL   ] :: Running 'klist -k &>/tmp/tmp.wB1mksFWIm/out' (Expected 0, got 1)
:: [   FAIL   ] :: File '/tmp/tmp.wB1mksFWIm/out' should contain 'host/rhel7.ipa2.baseos.qe@IPA2.BASEOS.QE' 
:: [   FAIL   ] :: Check keytab usage (Expected 0, got 1)
:: [   FAIL   ] :: Running 'klist' (Expected 0, got 1)
:: [   FAIL   ] :: Check realm join (Expected 0, got 240)
:: [   FAIL   ] :: Running 'realm -v leave' (Expected 0, got 1)
:: [   PASS   ] :: Running 'realm list &> realm.list' (Expected 0, got 0)
:: [   PASS   ] :: Check that there is no realm configured (Assert: expected 0, got 0)
:: [   LOG    ] :: +++   Join attempt with incorrect password piped o realm   +++
:: [   PASS   ] :: Running 'echo FAkePassword | realm -v join ipa2.baseos.qe &>join.log &' (Expected 0, got 0)
:: [   PASS   ] :: File 'join.log' should not contain 'Successfully enrolled machine' 
:: [   FAIL   ] :: File 'join.log' should contain 'realm: Couldn't join' 
:: [   PASS   ] :: Running 'realm list &> realm.list' (Expected 0, got 0)
:: [   PASS   ] :: Check that there is no realm configured (Assert: expected 0, got 0)
:: [   LOG    ] :: Duration: 2m 4s
:: [   LOG    ] :: Assertions: 10 good, 12 bad
:: [   FAIL   ] :: RESULT: Join non interactive mode


NEW: realmd-0.14.4-1.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Join non interactive mode
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: +++   Join with piped password   +++
:: [   PASS   ] :: Running 'echo Pass2012! | realm -v join ipa2.baseos.qe &>join.log &' (Expected 0, got 0)
:: [   PASS   ] :: File 'join.log' should contain 'Successfully enrolled machine' 
:: [   PASS   ] :: Running 'realm list' (Expected 0, got 0)
:: [   PASS   ] :: Clear sssd cache (Expected 0-255, got 0)
:: [   PASS   ] :: Running 'realm list &>/tmp/tmp.J9ycgWP2vB/out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.J9ycgWP2vB/out' should contain 'domain-name: ipa2.baseos.qe' 
:: [   PASS   ] :: File '/tmp/tmp.J9ycgWP2vB/out' should contain 'configured: kerberos-member' 
:: [   PASS   ] :: Running 'getent passwd amy@ipa2.baseos.qe' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent passwd IPA2.BASEOS.QE\\amy' (Expected 0, got 0)
:: [   PASS   ] :: Running 'klist -k &>/tmp/tmp.J9ycgWP2vB/out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.J9ycgWP2vB/out' should contain 'host/rhel7.ipa2.baseos.qe@IPA2.BASEOS.QE' 
:: [   PASS   ] :: Check keytab usage (Expected 0, got 0)
:: [   PASS   ] :: Running 'klist' (Expected 0, got 0)
:: [   PASS   ] :: Check realm join (Expected 0, got 0)
:: [   PASS   ] :: Running 'realm -v leave' (Expected 0, got 0)
:: [   PASS   ] :: Running 'realm list &> realm.list' (Expected 0, got 0)
:: [   PASS   ] :: Check that there is no realm configured (Assert: expected 0, got 0)
:: [   LOG    ] :: +++   Join attempt with incorrect password piped o realm   +++
:: [   PASS   ] :: Running 'echo FAkePassword | realm -v join ipa2.baseos.qe &>join.log &' (Expected 0, got 0)
:: [   PASS   ] :: File 'join.log' should not contain 'Successfully enrolled machine' 
:: [   PASS   ] :: File 'join.log' should contain 'realm: Couldn't join' 
:: [   PASS   ] :: Running 'realm list &> realm.list' (Expected 0, got 0)
:: [   PASS   ] :: Check that there is no realm configured (Assert: expected 0, got 0)
:: [   LOG    ] :: Duration: 29s
:: [   LOG    ] :: Assertions: 22 good, 0 bad
:: [   PASS   ] :: RESULT: Join non interactive mode
Comment 3 Ludek Smid 2014-06-13 08:57:00 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
