#3809 static errno_t get_adcli_extra_args missing optional computer_name option for adcli call
Closed: Invalid 5 years ago Opened 5 years ago by gabs5807.

When adcli is called without the argument --computer_name <shortname>, it uses <shortname> in uppercase.
This causes a problem when the sAMAccountName in Active Directory is lowercase.
On domain join a Kerberos keytab is created with lowercase entries (the same as the entry in AD).
After the first renewal of the machine password, the Kerberos keytab contains lowercase and uppercase entries.
After the second password renewal the lowercase entry is lost.
kinit no longer works with the lowercase '<shortname>$'.

When using this format in the AD section of sssd.conf, sssd isn't able to get a Kerberos host ticket.

Here is an example:

AD Entry
ldapsearch -v -o ldif-wrap=no -u '(sAMAccountName=z0020c4d$)' -H ldap://domain.org -b 'dc=domain,dc=org'
ldap_initialize( ldap://ldapdc.domain.org:389/??base )
SASL/GSSAPI authentication started
SASL username: user1@DOMAIN.ORG
SASL SSF: 56
SASL data security layer installed.
filter: (sAMAccountName=z0020c4d$)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=org> with scope subtree
# filter: (sAMAccountName=z0020c4d$)
# requesting: ALL
#

# z0020c4d, Computers, UNIT, ORG, domain.org
dn: CN=z0020c4d,OU=Computers,OU=UNIT,OU=ORG,DC=domain,DC=org
ufn: z0020c4d, Computers, UNIT, ORG, domain.org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: z0020c4d
description: Dest
telephoneNumber: +1122334455667
distinguishedName: CN=z0020c4d,OU=Computers,OU=UNIT,OU=ORG,DC=domain,DC=org
instanceType: 4
whenCreated: 20121116000005.0Z
whenChanged: 20180816000005.0Z
uSNCreated: 390123494
uSNChanged: 8071012349
name: z0020c4d
objectGUID:: UH57tkxsXUWMikLlKcxZsA==
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131672903197148696
lastLogoff: 0
lastLogon: 131698712329871237
pwdLastSet: 131780987198712339
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAABBpzPBOQ5QWyHQLx48kCAA==
accountExpires: 9223372036854775807
logonCount: 6772
sAMAccountName: z0020c4d$
location: Location
sAMAccountType: 805306369
dNSHostName: z0020c4d.domain.org
managedBy: CN=Lname Fname ,OU=Users,OU=UNIT,OU=ORG,DC=domain,DC=org
servicePrincipalName: cifs/z0020c4d
servicePrincipalName: cifs/z0020c4d.domain.org
servicePrincipalName: dns/z0020c4d
servicePrincipalName: dns/z0020c4d.domain.org
servicePrincipalName: host/z0020c4d
servicePrincipalName: host/z0020c4d.domain.org
servicePrincipalName: http/z0020c4d
servicePrincipalName: http/z0020c4d.domain.org
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=org
isCriticalSystemObject: FALSE
dSCorePropagationData: 20180622093959.0Z
dSCorePropagationData: 20180618140139.0Z
dSCorePropagationData: 20180618135536.0Z
dSCorePropagationData: 20180302122122.0Z
dSCorePropagationData: 16010714223649.0Z
lastLogonTimestamp: 131788796680215773
msDS-SupportedEncryptionTypes: 28

# search reference
ref: ldap://ForestDnsZones.domain.org/DC=ForestDnsZones,DC=domain,DC=org

# search reference
ref: ldap://DomainDnsZones.domain.org/DC=DomainDnsZones,DC=domain,DC=org

# search reference
ref: ldap://domain.org/CN=Configuration,DC=domain,DC=org

# search result
search: 5
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Kerberos keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
124 28.06.2018 10:08:58 cifs/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 cifs/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 cifs/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 cifs/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 cifs/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 cifs/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 dns/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 dns/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 dns/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 dns/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 dns/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 dns/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 http/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 http/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 http/z0020c4d@DOMAIN.ORG
124 28.06.2018 10:08:58 http/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 http/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 http/z0020c4d.domain.org@DOMAIN.ORG
124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG
124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG
124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG

kinit command
root@z0020c4d:~ # kinit -kt /etc/krb5.keytab 'z0020c4d$'
root@z0020c4d:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: z0020c4d$@DOMAIN.ORG

Valid starting Expires Service principal
06/30/18 14:47:48 07/01/18 00:47:48 krbtgt/DOMAIN.ORG@DOMAIN.ORG
renew until 07/07/18 14:47:48
root@z0020c4d:~ #

adcli command
/usr/sbin/adcli called with args 'update --verbose --domain=domain.org --host-keytab=/etc/krb5.keytab --host-fqdn=z0020c4d.domain.org --computer-password-lifetime=30 --domain-controller=kdc.domain.org'
(Mon Aug 06 07:09:28 2018) [sssd[be[DOMAIN.ORG]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
* Found realm in keytab: DOMAIN.ORG
* Found service principal in keytab: host/z0020c4d
* Found service principal in keytab: host/z0020c4d.domain.org
* Found host qualified name in keytab: host/z0020c4d.domain.org
* Found service principal in keytab: dns/z0020c4d
* Found service principal in keytab: dns/z0020c4d.domain.org
* Found service principal in keytab: http/z0020c4d
* Found service principal in keytab: http/z0020c4d.domain.org
* Found service principal in keytab: cifs/z0020c4d
* Found service principal in keytab: cifs/z0020c4d.domain.org
* Found computer name in keytab: Z0020C4D
* Using fully qualified name: z0020c4d.domain.org
* Using domain name: domain.org
* Calculated computer account name from fqdn: Z0020C4D
* Using domain realm: domain.org
* Sending netlogon pings to domain controller: ldap://10.92.66.7
* Received NetLogon info from: ldapdc.domain.org
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-gS97JC/krb5.d/adcli-krb5-conf-Iq5JXh
* Authenticated as default/reset computer account: Z0020C4D
* Looked up short domain name: WW930
* Using fully qualified name: z0020c4d.domain.org
* Using domain name: domain.org
* Using computer account name: Z0020C4D
* Using domain realm: domain.org
* Using fully qualified name: z0020c4d.domain.org
* Enrolling computer name: Z0020C4D
* Generated 120 character computer password
* Using keytab: /etc/krb5.keytab
* Found computer account for Z0020C4D$ at: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net ### in AD the computer account is lowercase ###
* Retrieved kvno '125' for computer account in directory: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net
* Password not too old, no change needed
* Modifying computer account: userAccountControl
! Couldn't set userAccountControl on computer account: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net: Insufficient access
* Updated existing computer account: CN=z0020c4d,OU=Computers,OU=OU=UNIT,OU=ORG,DC=domain,DC=net
---adcli output end---

Problem: after the renewal, uppercase and lowercase entries exist for 'z0020c4d$@DOMAIN.ORG'.

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal


...
125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG

Problem: after the second renewal only uppercase entries exist for 'Z0020C4D$@DOMAIN.ORG'.
kinit -kt /etc/krb5.keytab 'z0020c4d$' (lowercase) no longer works.
We have to use kinit -kt /etc/krb5.keytab 'Z0020C4D$' (uppercase).

When using the option '--computer_name z0020c4d', adcli finds the hostname in lowercase instead of creating it in uppercase:

...
* Found computer account for z0020c4d$ at: CN=z0020c4d,OU=Computers,OU=UNIT,OU=ORG,DC=domain,DC=org
...

So this option should be used by sssd when calling adcli.
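The failure mode described in this report (the AD spelling of the machine account surviving only until the next renewal) can be caught before kinit breaks by comparing the keytab against the sAMAccountName. The following is an added example written for this thread, not SSSD or adcli code: it parses the text format of `klist -kt` as pasted above, groups the `<name>$@REALM` entries by case-folded spelling, and checks whether the newest kvno still carries exactly the spelling AD uses. The keytab listing inside it is constructed to mirror the state after the first renewal; the hint it prints uses adcli's documented spelling of the option, `--computer-name`.

```python
"""Check a keytab for case-mismatched computer-account principals.

Added example for this thread, not SSSD or adcli code. It parses the text
format of `klist -kt` (as pasted in the report), groups the computer-account
principal `<name>$@REALM` by case-folded spelling, and compares the newest
kvno against the sAMAccountName read from AD. The sample keytab listing is
constructed to mirror the state after the first password renewal.
"""
import re
from collections import defaultdict

# Constructed sample of `klist -kt /etc/krb5.keytab` after the first renewal:
# kvno 124 was written at join (lowercase only), kvno 125 by `adcli update`
# without --computer-name (lowercase and uppercase side by side).
SAMPLE_KLIST_FIRST_RENEWAL = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
 124 28.06.2018 10:08:58 host/z0020c4d@DOMAIN.ORG
 124 28.06.2018 10:08:58 host/z0020c4d.domain.org@DOMAIN.ORG
 124 28.06.2018 10:08:58 z0020c4d$@DOMAIN.ORG
 125 06.08.2018 07:09:28 host/z0020c4d@DOMAIN.ORG
 125 06.08.2018 07:09:28 z0020c4d$@DOMAIN.ORG
 125 06.08.2018 07:09:28 Z0020C4D$@DOMAIN.ORG
"""

# Value of sAMAccountName from the ldapsearch output in the report.
SAM_ACCOUNT_NAME = "z0020c4d$"

# One klist line: kvno, "dd.mm.yyyy hh:mm:ss" timestamp, principal.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from klist -kt output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def computer_account_spellings(entries):
    """Map case-folded computer-account principal -> {kvno: set(exact spellings)}.

    Only principals whose name part ends in '$' (machine accounts) are kept;
    service principals such as host/... are ignored.
    """
    groups = defaultdict(lambda: defaultdict(set))
    for kvno, princ in entries:
        name, _, realm = princ.partition("@")
        if name.endswith("$"):
            groups[name.lower() + "@" + realm.upper()][kvno].add(name)
    return groups


def adcli_computer_name(sam_account_name):
    """The value to pass as adcli --computer-name: sAMAccountName without the trailing '$'."""
    return sam_account_name.rstrip("$")


def check_keytab(text, sam_account_name):
    """Return a list of findings; an empty list means the newest kvno carries
    exactly the spelling AD uses, so `kinit -kt ... '<sAMAccountName>'` works."""
    entries = parse_klist(text)
    if not entries:
        return ["no keytab entries parsed"]
    realm = entries[0][1].rsplit("@", 1)[1]
    groups = computer_account_spellings(entries)
    key = sam_account_name.lower() + "@" + realm.upper()
    if key not in groups:
        return ["no computer account principal for %s in keytab" % sam_account_name]
    by_kvno = groups[key]
    newest = max(by_kvno)
    spellings = by_kvno[newest]
    findings = []
    if len(spellings) > 1:
        findings.append("kvno %d has mixed-case spellings: %s"
                        % (newest, ", ".join(sorted(spellings))))
    if sam_account_name not in spellings:
        findings.append("kvno %d lacks the AD spelling %s; kinit with that name will fail"
                        % (newest, sam_account_name))
    if findings:
        findings.append("hint: call adcli update with --computer-name=%s"
                        % adcli_computer_name(sam_account_name))
    return findings


if __name__ == "__main__":
    for finding in check_keytab(SAMPLE_KLIST_FIRST_RENEWAL, SAM_ACCOUNT_NAME) or ["keytab OK"]:
        print(finding)
```

Run it against real output by piping `klist -kt /etc/krb5.keytab` into `check_keytab` together with the sAMAccountName from ldapsearch; the check keys on the newest kvno only, because that is the key adcli will keep on the next rotation.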


This should be better fixed in adcli directly and I think I already fixed this in the context of https://bugzilla.redhat.com/show_bug.cgi?id=1359773. Please let me know which platform you are using and I'll try to prepare an adcli test build with the fix.

At the moment we use sssd on Debian (9), openSUSE Leap, Ubuntu 16.04 and 18.04, and Fedora.
But there are more requests for setting up Linux clients in an AD context; Red Hat is missing because it has no SCEP support for certificate renewal at the moment :-(.

Yes, this would be a workaround for an adcli problem, but optionally allowing all adcli args to be passed from sssd could also be helpful in the future.

Since this is closed in adcli, I'm closing this ticket.

Metadata Update from @jhrozek:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4803

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
