adcli not updating keytabs since 0.8.2-1ubuntu1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
adcli (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hello,
I use a typical setup with sssd/realmd to integrate some of my machines into MS Active Directory.
sssd triggers adcli to update the machine password in Active Directory.
On 2020-12-02 my systems updated adcli from 0.8.2-1 to 0.8.2-1ubuntu1; since that date no keytab renewal has been possible.
I downgraded the adcli package and it worked again, which avoids the danger of being thrown out of AD.
This is a successful adcli output; the arguments are captured directly from sssd:
adcli update --domain=
* Found realm in keytab: mydomain.de
* Found computer name in keytab: Hostname
* Found service principal in keytab: host/Hostname
* Found service principal in keytab: host/Hostname
* Found service principal in keytab: HTTP/Hostname
* Found service principal in keytab: RestrictedKrbHo
* Found service principal in keytab: HTTP/Hostname.
* Using fully qualified name: Hostname
* Using domain name: mydomain.de
* Calculated computer account name from fqdn: Hostname
* Using domain realm: mydomain.de
* Sending netlogon pings to domain controller: cldap://xx.xx.xx.xx
* Received NetLogon info from: mydc.mydomain.de
* Wrote out krb5.conf snippet to /tmp/adcli-
* Authenticated as default/reset computer account: Hostname
* Looked up short domain name: SHORTDOMAIn
* Using fully qualified name: Hostname
* Using domain name: mydomain.de
* Using computer account name: Hostname
* Using domain realm: mydomain.de
* Enrolling computer name: Hostname
* Generated 120 character computer password
* Using keytab: FILE:/etc/
* Found computer account for Hostname$ at: xxx
* Retrieved kvno '12' for computer account in directory: xxx
* Changed computer password
* kvno incremented to 13
* Modifying computer account: userAccountControl
! Couldn't set userAccountControl on computer account: xxx
* Updated existing computer account: xxx
* Cleared old entries from keytab: FILE:/etc/
* Discovered which keytab salt to use
* Added the entries to the keytab: Hostname$
* Cleared old entries from keytab: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Cleared old entries from keytab: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Cleared old entries from keytab: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Cleared old entries from keytab: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Cleared old entries from keytab: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
And this is the unsuccessful output of adcli 0.8.2-1ubuntu1:
adcli update --domain=
* Found realm in keytab: mydomain.de
* Found computer name in keytab: Hostname
* Found service principal in keytab: host/Hostname
* Found service principal in keytab: host/Hostname
* Found service principal in keytab: HTTP/Hostname
* Found service principal in keytab: RestrictedKrbHo
* Found service principal in keytab: HTTP/Hostname.
* Using fully qualified name: Hostname
* Using domain name: mydomain.de
* Calculated computer account name from fqdn: Hostname
* Using domain realm: mydomain.de
* Sending netlogon pings to domain controller: cldap://xx.xx.xx.xx
* Received NetLogon info from: mydc.mydomain.de
* Wrote out krb5.conf snippet to /tmp/adcli-
* Authenticated as default/reset computer account: Hostname
* Using GSS-SPNEGO for SASL bind
! Couldn't lookup domain short name: Can't contact LDAP server
* Using fully qualified name: Hostname
* Using domain name: mydomain.de
* Using computer account name: Hostname
* Using domain realm: mydomain.de
* Enrolling computer name: Hostname
* Generated 120 character computer password
* Using keytab: FILE:/etc/
! Couldn't lookup computer account: Hostname$: Can't contact LDAP server
adcli: updating membership with domain mydomain.de failed: Couldn't lookup computer account: Hostname$: Can't contact LDAP server
So what's wrong here? I think there is no real problem contacting the Domain Controller. Maybe adcli needs some more arguments, but adcli is triggered directly by sssd.
Thanks for your help,
Hajo
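A renewal failure like the one above is silent from the host's point of view until Kerberos authentication breaks, so a local check is worth having. The following is an added example, not code from the bug report, from adcli or from sssd. It parses `klist -kte` output (MIT format is assumed, with either a two- or four-digit year) to find how old the newest keytab entry is, flags it against an assumed 30-day renewal interval (the default of sssd's ad_maximum_machine_account_password_age) plus a grace period, and summarises an adcli --verbose transcript so that the non-fatal "! Couldn't set userAccountControl" line seen in the working run is not mistaken for the fatal "Can't contact LDAP server" failure. All sample inputs are constructed; hostnames and the realm are made up.

```python
"""Offline checks for the failure mode in this bug report: adcli update
failing so that the machine keytab is never renewed.

Added example, not part of the bug report or of the adcli/sssd projects.
Assumptions: MIT `klist -kte` layout (KVNO, timestamp, principal) with a
2- or 4-digit year, and adcli --verbose lines prefixed "*" (ok) or "!" (error).
"""
import re
from datetime import datetime

# Constructed `klist -kte` excerpt; hostnames and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  12 11/02/2020 09:10:11 host/hostname.mydomain.de@MYDOMAIN.DE (aes256-cts-hmac-sha1-96)
  12 11/02/2020 09:10:11 HOSTNAME$@MYDOMAIN.DE (aes256-cts-hmac-sha1-96)
  13 12/02/2020 10:15:02 host/hostname.mydomain.de@MYDOMAIN.DE (aes256-cts-hmac-sha1-96)
  13 12/02/2020 10:15:02 HOSTNAME$@MYDOMAIN.DE (aes256-cts-hmac-sha1-96)
"""

# Constructed tails of two adcli --verbose runs, modelled on the report above.
SAMPLE_ADCLI_FAIL = """\
 * Authenticated as default/reset computer account: Hostname
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't lookup domain short name: Can't contact LDAP server
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 ! Couldn't lookup computer account: Hostname$: Can't contact LDAP server
adcli: updating membership with domain mydomain.de failed: Couldn't lookup computer account: Hostname$: Can't contact LDAP server
"""
SAMPLE_ADCLI_OK = """\
 * Retrieved kvno '12' for computer account in directory: xxx
 * Changed computer password
 * kvno incremented to 13
 ! Couldn't set userAccountControl on computer account: xxx
 * Added the entries to the keytab: Hostname$
"""

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\d\d/\d\d/\d{2,4})\s+(\d\d:\d\d:\d\d)\s+(\S+)")
ERR_RE = re.compile(r"^\s*!\s+(.*)$")
KVNO_RE = re.compile(r"kvno incremented to (\d+)")


def parse_keytab_listing(text):
    """Return [(kvno, timestamp, principal)] from `klist -kt(e)` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if not m:
            continue  # header, separator, or an unrelated line
        kvno, date, clock, princ = m.groups()
        fmt = "%m/%d/%Y %H:%M:%S" if len(date) == 10 else "%m/%d/%y %H:%M:%S"
        entries.append((int(kvno), datetime.strptime(f"{date} {clock}", fmt), princ))
    return entries


def keytab_age_days(entries, now):
    """Whole days since the newest keytab entry was written; None for an empty keytab."""
    if not entries:
        return None
    return (now - max(ts for _, ts, _ in entries)).days


def renewal_overdue(entries, now, max_age_days=30, grace_days=7):
    """True when the newest key is older than the renewal interval plus a grace period.
    max_age_days=30 mirrors sssd's default ad_maximum_machine_account_password_age."""
    age = keytab_age_days(entries, now)
    return age is None or age > max_age_days + grace_days


def diagnose_adcli(text):
    """Summarise an adcli --verbose run.

    A "!" line alone is not a failure signal (the working run in the report
    has one); the fatal marker is the final "adcli: ... failed" line, and the
    positive signal is that the keytab was actually rewritten."""
    lines = text.splitlines()
    kvno = KVNO_RE.search(text)
    return {
        "errors": [ERR_RE.match(l).group(1) for l in lines if ERR_RE.match(l)],
        "fatal": any(l.startswith("adcli: ") and " failed" in l for l in lines),
        "new_kvno": int(kvno.group(1)) if kvno else None,
        "keytab_written": any("Added the entries to the keytab" in l for l in lines),
    }


if __name__ == "__main__":
    now = datetime(2021, 1, 20)  # constructed "current" date for the demo
    entries = parse_keytab_listing(SAMPLE_KLIST)
    print("newest keytab entry age:", keytab_age_days(entries, now), "days")
    print("renewal overdue:", renewal_overdue(entries, now))
    print("failing run:", diagnose_adcli(SAMPLE_ADCLI_FAIL))
    print("working run:", diagnose_adcli(SAMPLE_ADCLI_OK))
```

In practice the klist text would come from `klist -kte` on the host and the adcli text from the sssd log or a manual `adcli update --verbose` run; the age check is the one to put in monitoring, since it catches the renewal failing regardless of why adcli failed.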
Can be ignored, seems to be a duplicate of the solved bug 1906627.
Thanks,
Hajo