#4028 Cut NetBIOS Hostname to 15 characters in CLDAP DS plugin
Closed: Fixed None Opened 5 years ago by sbose.

While we already check that the NetBIOS domain name of the IPA domain is a valid NetBIOS name, the NetBIOS hostname used in the CLDAP DS plugin is just the first component of the fully qualified hostname. If the hostname is too long, the NetBIOS name is invalid and will most probably cause issues when communicating with AD.

Samba and realmd just use the first 15 characters of the hostname in this case and the CLDAP DS plugin should do the same.
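
Added example, not part of the ticket and not FreeIPA's code: a C sketch of the truncation requested above, taking the first component of the fully qualified hostname and cutting it to 15 characters. The function names, the upper-casing step and the sample host names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A NetBIOS name is 16 bytes; the last byte is a type suffix, leaving 15. */
#define NETBIOS_NAME_MAX 15

/*
 * Hypothetical helper: derive a NetBIOS host name from an FQDN by taking
 * the first DNS label, cutting it to 15 characters and upper-casing it
 * (the upper-casing is an assumption of this example).
 * Returns 0 on success, -1 on bad input or a too-small output buffer.
 */
int netbios_name_from_fqdn(const char *fqdn, char *out, size_t outlen)
{
    size_t len, i;

    if (fqdn == NULL || out == NULL || outlen < NETBIOS_NAME_MAX + 1)
        return -1;
    len = strcspn(fqdn, ".");       /* length of the first component */
    if (len == 0)
        return -1;                  /* empty name or leading dot */
    if (len > NETBIOS_NAME_MAX)
        len = NETBIOS_NAME_MAX;     /* the cut this ticket asks for */
    for (i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)fqdn[i]);
    out[len] = '\0';
    return 0;
}

/* Returns 1 if the FQDN maps to the expected NetBIOS name, 0 otherwise. */
int netbios_name_matches(const char *fqdn, const char *expected)
{
    char buf[NETBIOS_NAME_MAX + 1];

    if (netbios_name_from_fqdn(fqdn, buf, sizeof(buf)) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample host name, longer than 15 characters. */
    char name[NETBIOS_NAME_MAX + 1];

    if (netbios_name_from_fqdn("averyveryverylonghostname.ipa.example.test",
                               name, sizeof(name)) == 0)
        printf("%s\n", name);
    return 0;
}
```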


Moving to next month iteration.

Reopening. Scott found out the issue is not entirely fixed:

[root@rhel7-8 ~]# ipa trust-add ad2.example.test --admin Administrator --range-type=ipa-ad-trust --password
Active directory domain administrator's password: 
---------------------------------------------------------
Added Active Directory trust for realm "ad2.example.test"
---------------------------------------------------------
  Realm name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
                          S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
                          S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-8 ~]# getent passwd 'AD2\Administrator'

[root@rhel7-8 ~]# grep GSS.*KDC /var/log/messages 
Jan 12 17:46:22 rhel7-8 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC policy rejects request)

Metadata Update from @sbose:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)

2 years ago
