realm join DOMAIN (samba) sets wrong krb5.keytab (missing subdomain)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
realmd (Ubuntu) | New | Undecided | Andreas Hasenack | |
Bug Description
I'm not sure if this bug is in package realmd, samba or winbind.
Joining to an AD domain with realm (using samba and winbind for authentication) sets wrong entries in krb5.keytab.
Our clients are in a subdomain HOSTNAME.
I join clients with:
realm join -v --automatic-
wrong keytab:
root@kubuntu-
Keytab name: FILE:/etc/
KVNO Timestamp Principal
---- ------------------- -------
1 19.11.2020 16:48:31 restrictedkrbho
1 19.11.2020 16:48:31 restrictedkrbho
1 19.11.2020 16:48:31 restrictedkrbho
1 19.11.2020 16:48:31 restrictedkrbho
1 19.11.2020 16:48:31 restrictedkrbho
1 19.11.2020 16:48:31 restrictedkrbho
1 19.11.2020 16:48:31 host/kubuntu-
1 19.11.2020 16:48:31 host/KUBUNTU-
1 19.11.2020 16:48:31 host/kubuntu-
1 19.11.2020 16:48:31 host/KUBUNTU-
1 19.11.2020 16:48:31 host/kubuntu-
1 19.11.2020 16:48:31 host/KUBUNTU-
1 19.11.2020 16:48:31 KUBUNTU-
1 19.11.2020 16:48:31 KUBUNTU-
1 19.11.2020 16:48:31 KUBUNTU-
host is in subdomain kubuntu-
root@kubuntu-
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: kubuntu-
I also recognized the LDAP attribute "dNSHostName" for this machine account in AD is set to the incorrect FQDN: kubuntu-
If I set the system to use SSSD instead of winbind and join with
realm join --membership-
the krb5.keytab is set correctly with subdomain.
But I need winbind...
Tested with:
Ubuntu 20.10
realmd 0.16.3-3ubuntu1
samba 2:4.12.
Could you elaborate further on how you're configuring things? I'm not very versed in Samba, but adding the 'client' level between the host and domain looks unusual, so would be helpful if you could explain more (or provide link to reference describing your use case). Thanks ahead of time.
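A check for the symptom described in this report, as an added example that is not part of the original bug report or of the realmd/Samba code: it parses `klist -kt` output and sorts the service principals by whether they carry the FQDN the host should have. The host name, subdomain and realm in the sample are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample of `klist -kt` output; host, subdomain and realm are
# placeholders, not values from the report.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 19.11.2020 16:48:31 host/ws01.example.com@EXAMPLE.COM
   1 19.11.2020 16:48:31 host/WS01@EXAMPLE.COM
   1 19.11.2020 16:48:31 host/ws01.client.example.com@EXAMPLE.COM
   1 19.11.2020 16:48:31 WS01$@EXAMPLE.COM
"""


def parse_principals(klist_output):
    """Return the principal of every entry line (lines that start with a KVNO)."""
    principals = []
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit():
            principals.append(fields[-1])
    return principals


def check_keytab(klist_output, expected_fqdn):
    """Classify keytab principals against the FQDN the host should have."""
    expected = expected_fqdn.lower()
    short = expected.split(".", 1)[0]
    result = {"ok": [], "short_name": [], "wrong_fqdn": [], "other": []}
    for principal in parse_principals(klist_output):
        name = principal.rsplit("@", 1)[0]        # strip the realm, if any
        _service, sep, host = name.partition("/")
        host = host.lower()
        if not sep:
            result["other"].append(principal)      # e.g. machine account NAME$
        elif host == expected:
            result["ok"].append(principal)
        elif host == short:
            result["short_name"].append(principal)
        else:
            result["wrong_fqdn"].append(principal)  # e.g. subdomain missing
    return result


if __name__ == "__main__":
    for kind, entries in check_keytab(SAMPLE_KLIST, "ws01.client.example.com").items():
        for entry in entries:
            print(f"{kind:10} {entry}")
```

On a joined machine, pass the output of `klist -kt /etc/krb5.keytab` and the name the host should resolve to; entries under `wrong_fqdn` with no matching `ok` entry correspond to the keytab shown in the report.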