While we already check that the NetBIOS domain name of the IPA domain is a valid NetBIOS name, the NetBIOS hostname used in the CLDAP DS plugin is just the first component of the fully qualified hostname. If the hostname is too long, the NetBIOS name is invalid and will most probably cause issues when communicating with AD.
Samba and realmd just use the first 15 characters of the hostname in this case and the CLDAP DS plugin should do the same.
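The truncation rule described in the ticket, as an added example (not the FreeIPA patch or plugin code): the helper name `netbios_from_fqdn`, the upper-casing, the conservative character whitelist and the sample host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NETBIOS_MAX 15 /* usable characters; the 16th byte of a NetBIOS name is the service suffix */

/* Hypothetical helper (not FreeIPA code): derive a NetBIOS host name from an FQDN.
 * Returns 0 if the first label fit unchanged, 1 if it was cut to 15 characters,
 * -1 if the input is empty or holds a character outside [A-Za-z0-9-]
 * (a conservative whitelist chosen for this example). */
int netbios_from_fqdn(const char *fqdn, char out[NETBIOS_MAX + 1])
{
    size_t len, i;
    int truncated;

    if (fqdn == NULL || out == NULL)
        return -1;
    len = strcspn(fqdn, ".");          /* length of the first DNS label */
    if (len == 0)
        return -1;
    truncated = len > NETBIOS_MAX;
    if (truncated)
        len = NETBIOS_MAX;             /* keep only the first 15 characters */

    for (i = 0; i < len; i++) {
        char c = fqdn[i];
        if (c >= 'a' && c <= 'z')
            c = (char)(c - 'a' + 'A'); /* upper-case by convention (assumption) */
        else if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-'))
            return -1;
        out[i] = c;
    }
    out[len] = '\0';
    return truncated;
}

int main(void)
{
    /* Constructed sample host names, not taken from the ticket. */
    const char *samples[] = { "rhel7-8.ipa.example.test", "averylonghostname01.ipa.example.test" };
    char nb[NETBIOS_MAX + 1];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = netbios_from_fqdn(samples[i], nb);
        printf("%-40s -> %s (rc=%d)\n", samples[i], rc < 0 ? "<invalid>" : nb, rc);
    }
    return 0;
}
```

A return value of 1 is worth logging, since two hosts whose first labels share the same 15-character prefix would map to the same NetBIOS name.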
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1030517 (Red Hat Enterprise Linux 7)
Moving to next month iteration.
master: 71481a0
ipa-3-3: 313f2e7
Reopening. Scott found out the issue is not entirely fixed:
[root@rhel7-8 ~]# ipa trust-add ad2.example.test --admin Administrator --range-type=ipa-ad-trust --password
Active directory domain administrator's password:
---------------------------------------------------------
Added Active Directory trust for realm "ad2.example.test"
---------------------------------------------------------
  Realm name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@rhel7-8 ~]# getent passwd 'AD2\Administrator'
[root@rhel7-8 ~]# grep GSS.*KDC /var/log/messages
Jan 12 17:46:22 rhel7-8 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)
master: 487a8f4
ipa-3-3: 0292b17
Metadata Update from @sbose:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)