When adcli is called without the arg --computer_name <shortname>, it uses <shortname> in uppercase. This causes a problem when the sAMAccountName in Active Directory is lowercase. On domain join a Kerberos keytab is created with lowercase entries (equal to the entry in AD). After the first renewal of the passphrase, the Kerberos keytab contains lowercase and uppercase entries. After the second passphrase renewal the lowercase entry is lost. kinit does not work anymore with the lowercase '<shortname>$'.
When using this format in the AD section of sssd.conf, sssd isn't able to get a Kerberos host ticket.
Here is an example:

AD entry:

    ldapsearch -v -o ldif-wrap=no -u '(sAMAccountName=z0020c4d$)' -H ldap://domain.org -b 'dc=domain,dc=org'
    ldap_initialize( ldap://ldapdc.domain.org:389/??base )
    SASL/GSSAPI authentication started
    SASL username: user1@DOMAIN.ORG
    SASL SSF: 56
    SASL data security layer installed.
    filter: (sAMAccountName=z0020c4d$)
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base <dc=domain,dc=org> with scope subtree
    # filter: (sAMAccountName=z0020c4d$)
    # requesting: ALL
    #

    # z0020c4d, Computers, UNIT, ORG, domain.org
    dn: CN=z0020c4d,OU=Computers,OU=UNIT,OU=ORG,DC=domain,DC=org
    ufn: z0020c4d, Computers, UNIT, ORG, domain.org
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: z0020c4d
    description: Dest
    telephoneNumber: +1122334455667
    distinguishedName: CN=z0020c4d,OU=Computers,OU=UNIT,OU=ORG,DC=domain,DC=org
    instanceType: 4
    whenCreated: 20121116000005.0Z
    whenChanged: 20180816000005.0Z
    uSNCreated: 390123494
    uSNChanged: 8071012349
    name: z0020c4d
    objectGUID:: UH57tkxsXUWMikLlKcxZsA==
    userAccountControl: 69632
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 131672903197148696
    lastLogoff: 0
    lastLogon: 131698712329871237
    pwdLastSet: 131780987198712339
    primaryGroupID: 515
    objectSid:: AQUAAAAAAAUVAAAABBpzPBOQ5QWyHQLx48kCAA==
    accountExpires: 9223372036854775807
    logonCount: 6772
    sAMAccountName: z0020c4d$
    location: Location
    sAMAccountType: 805306369
    dNSHostName: z0020c4d.domain.org
    managedBy: CN=Lname Fname ,OU=Users,OU=UNIT,OU=ORG,DC=domain,DC=org
    servicePrincipalName: cifs/z0020c4d
    servicePrincipalName: cifs/z0020c4d.domain.org
    servicePrincipalName: dns/z0020c4d
    servicePrincipalName: dns/z0020c4d.domain.org
    servicePrincipalName: host/z0020c4d
    servicePrincipalName: host/z0020c4d.domain.org
    servicePrincipalName: http/z0020c4d
    servicePrincipalName: http/z0020c4d.domain.org
    objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=org
    isCriticalSystemObject: FALSE
    dSCorePropagationData: 20180622093959.0Z
    dSCorePropagationData: 20180618140139.0Z
    dSCorePropagationData: 20180618135536.0Z
    dSCorePropagationData: 20180302122122.0Z
    dSCorePropagationData: 16010714223649.0Z
    lastLogonTimestamp: 131788796680215773
    msDS-SupportedEncryptionTypes: 28

    # search reference
    ref: ldap://ForestDnsZones.domain.org/DC=ForestDnsZones,DC=domain,DC=org

    # search reference
    ref: ldap://DomainDnsZones.domain.org/DC=DomainDnsZones,DC=domain,DC=org

    # search reference
    ref: ldap://domain.org/CN=Configuration,DC=domain,DC=org

    # search result
    search: 5
    result: 0 Success

    # numResponses: 5
    # numEntries: 1
    # numReferences: 3
Kerberos keytab:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
     124 28.06.2018 10:08:58 cifs/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 cifs/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 cifs/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 cifs/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 cifs/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 cifs/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 dns/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 dns/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 dns/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 dns/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 dns/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 dns/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 http/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 http/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 http/z0020c4d@DOMAIN.ORG
     124 28.06.2018 10:08:58 http/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 http/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 http/z0020c4d.domain.org@DOMAIN.ORG
     124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG
     124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG
     124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG

kinit command:

    root@z0020c4d:~ # kinit -kt /etc/krb5.keytab 'z0020c4d$'
    root@z0020c4d:~ # klist
    Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
    Standard-Principal: z0020c4d$@DOMAIN.ORG

    Valid starting     Expires            Service principal
    06/30/18 14:47:48  07/01/18 00:47:48  krbtgt/DOMAIN.ORG@DOMAIN.ORG
            renew until 07/07/18 14:47:48
    root@z0020c4d:~ #
adcli command:

    /usr/sbin/adcli called with args 'update --verbose --domain=domain.org --host-keytab=/etc/krb5.keytab --host-fqdn=z0020c4d.domain.org --computer-password-lifetime=30 --domain-controller=kdc.domain.org'
    (Mon Aug 06 07:09:28 2018) [sssd[be[DOMAIN.ORG]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
     * Found realm in keytab: DOMAIN.ORG
     * Found service principal in keytab: host/z0020c4d
     * Found service principal in keytab: host/z0020c4d.domain.org
     * Found host qualified name in keytab: host/z0020c4d.domain.org
     * Found service principal in keytab: dns/z0020c4d
     * Found service principal in keytab: dns/z0020c4d.domain.org
     * Found service principal in keytab: http/z0020c4d
     * Found service principal in keytab: http/z0020c4d.domain.org
     * Found service principal in keytab: cifs/z0020c4d
     * Found service principal in keytab: cifs/z0020c4d.domain.org
     * Found computer name in keytab: Z0020C4D
     * Using fully qualified name: z0020c4d.domain.org
     * Using domain name: domain.org
     * Calculated computer account name from fqdn: Z0020C4D
     * Using domain realm: domain.org
     * Sending netlogon pings to domain controller: ldap://10.92.66.7
     * Received NetLogon info from: ldapdc.domain.org
     * Wrote out krb5.conf snippet to /tmp/adcli-krb5-gS97JC/krb5.d/adcli-krb5-conf-Iq5JXh
     * Authenticated as default/reset computer account: Z0020C4D
     * Looked up short domain name: WW930
     * Using fully qualified name: z0020c4d.domain.org
     * Using domain name: domain.org
     * Using computer account name: Z0020C4D
     * Using domain realm: domain.org
     * Using fully qualified name: z0020c4d.domain.org
     * Enrolling computer name: Z0020C4D
     * Generated 120 character computer password
     * Using keytab: /etc/krb5.keytab
     * Found computer account for Z0020C4D$ at: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net   ### at AD computer account is lowercase ###
     * Retrieved kvno '125' for computer account in directory: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net
     * Password not too old, no change needed
     * Modifying computer account: userAccountControl
     ! Couldn't set userAccountControl on computer account: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net: Insufficient access
     * Updated existing computer account: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net
    ---adcli output end---
Problem: after the renewal, uppercase and lowercase entries exist for 'z0020c4d$@DOMAIN.ORG'.

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ...
     125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
     125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
     125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
     125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
     125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
     125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG

Problem: after the second renewal only uppercase entries exist for 'Z0020C4D$@DOMAIN.ORG'. The kinit -kt /etc/krb5.keytab 'z0020c4d$' (lowercase) does not work anymore. We have to use kinit -kt /etc/krb5.keytab 'Z0020C4D$' (uppercase).

When using the option '--computer_name z0020c4d', adcli finds the hostname in lowercase instead of creating an uppercase one:

    ...
     * Found computer account for z0020c4d$ at: CN=z0020c4d,OU=Computers,OU=UNIT,OU=ORG,DC=domain,DC=org
    ...

So this option should be used for adcli in sssd.
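Added example, not part of this ticket and not code from the adcli or sssd projects: a small Python check that parses `klist -kt` style output and reports computer principals that differ only by case, so the keytab drift described above (lowercase and uppercase `<shortname>$` side by side after the first renewal, only uppercase after the second) can be caught by monitoring before `kinit` with the AD spelling stops working. The two keytab listings embedded below are constructed samples modelled on the listings in this ticket, and the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the keytab listing after the first renewal; not real output.
SAMPLE_AFTER_FIRST_RENEW = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
 124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
 124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
 124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG
 125 06.08.2018 07:09:28 host/z0020c4d@DOMAIN.ORG
 125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
 125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
"""

# Constructed sample for the state after the second renewal: only the uppercase entry is left.
SAMPLE_AFTER_SECOND_RENEW = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
 125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
 126 05.09.2018 07:10:02 Z0020C4D$@DOMAIN.ORG
"""

# One keytab row: KVNO, a two-token timestamp (date and time), then the principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -kt` style output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def case_variants(entries):
    """Map each principal (lowercased) to the spellings found, keeping only mixed-case ones."""
    groups = defaultdict(set)
    for _, princ in entries:
        groups[princ.lower()].add(princ)
    return {key: sorted(spellings) for key, spellings in groups.items() if len(spellings) > 1}


def check_computer_principal(entries, expected_sam):
    """Check whether the newest KVNO still carries the computer principal exactly as AD spells it.

    expected_sam is the sAMAccountName as returned by AD (e.g. 'z0020c4d$'). The keytab
    principal before '@' must match it exactly: Kerberos principal names are case-sensitive,
    so `kinit -kt` with the lowercase name fails once only the uppercase entry remains.
    """
    latest = max(kvno for kvno, _ in entries)
    # Account principals have no '/'; service principals like host/... are ignored here.
    latest_accounts = {p.split("@", 1)[0] for k, p in entries if k == latest and "/" not in p}
    return {
        "latest_kvno": latest,
        "exact_match_present": expected_sam in latest_accounts,
        "case_only_variants": sorted(a for a in latest_accounts
                                     if a.lower() == expected_sam.lower() and a != expected_sam),
    }


if __name__ == "__main__":
    # The expected spelling would normally come from an ldapsearch for sAMAccountName, as above.
    for label, sample in (("after first renew", SAMPLE_AFTER_FIRST_RENEW),
                          ("after second renew", SAMPLE_AFTER_SECOND_RENEW)):
        found = parse_klist(sample)
        print(label, case_variants(found), check_computer_principal(found, "z0020c4d$"))
```

On a real host the input would be the output of `klist -kt /etc/krb5.keytab` and the expected spelling the `sAMAccountName` value from AD; an alert on `exact_match_present` being false for the newest KVNO is the condition under which the lowercase `kinit` in the ticket stops working.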
This should be better fixed in adcli directly and I think I already fixed this in the context of https://bugzilla.redhat.com/show_bug.cgi?id=1359773. Please let me know which platform you are using and I'll try to prepare an adcli test build with the fix.
At the moment we use sssd on Debian 9, OpenSuSE Leap, Ubuntu 16.04 and 18.04 and Fedora. But there are more requests for setting up Linux clients in an AD context - RedHat is missing, because it has no SCEP support for certificate renewal at the moment :-(.
Yes - this would be a workaround for an adcli problem, but optionally allowing all adcli args in sssd could also be helpful in the future ..
Since this is closed in adcli, I'm closing this ticket.
Metadata Update from @jhrozek:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4803
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.