adcli not updating keytabs since 0.8.2-1ubuntu1

Bug #1909580 reported by Hajo Locke
Affects: adcli (Ubuntu); Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

Hello,

I use a typical setup with sssd/realmd to integrate some of my machines into MS Active Directory.
sssd triggers adcli to update the machine password in Active Directory.

On 2020-12-02 my systems updated adcli from 0.8.2-1 to 0.8.2-1ubuntu1, since that date no keytab renewal is possible.

I downgraded the adcli package and it worked again, which avoids the danger of being thrown out of AD.

This is a successful adcli output; the arguments are captured directly from sssd:

adcli update --domain=mydomain.de --host-fqdn=Hostname --computer-password-lifetime=30 --domain-controller=mydc.mydomain.de --verbose
 * Found realm in keytab: mydomain.de
 * Found computer name in keytab: Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: HTTP/Hostname
 * Found service principal in keytab: RestrictedKrbHost/Hostname
 * Found service principal in keytab: HTTP/Hostname.mydomain.de
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Calculated computer account name from fqdn: Hostname
 * Using domain realm: mydomain.de
 * Sending netlogon pings to domain controller: cldap://xx.xx.xx.xx
 * Received NetLogon info from: mydc.mydomain.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-wfQWOb/krb5.d/adcli-krb5-conf-5agnpJ
 * Authenticated as default/reset computer account: Hostname
 * Looked up short domain name: SHORTDOMAIn
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Using computer account name: Hostname
 * Using domain realm: mydomain.de
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for Hostname$ at: xxx
 * Retrieved kvno '12' for computer account in directory: xxx
 * Changed computer password
 * kvno incremented to 13
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: xxx
 * Updated existing computer account: xxx
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: Hostname$@mydomain.de: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab

And this is the unsuccessful output of adcli 0.8.2-1ubuntu1:

adcli update --domain=mydomain.de --host-fqdn=Hostname --computer-password-lifetime=30 --domain-controller=mydc.mydomain.de --verbose
 * Found realm in keytab: mydomain.de
 * Found computer name in keytab: Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: HTTP/Hostname
 * Found service principal in keytab: RestrictedKrbHost/Hostname
 * Found service principal in keytab: HTTP/Hostname.mydomain.de
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Calculated computer account name from fqdn: Hostname
 * Using domain realm: mydomain.de
 * Sending netlogon pings to domain controller: cldap://xx.xx.xx.xx
 * Received NetLogon info from: mydc.mydomain.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-q8rbQD/krb5.d/adcli-krb5-conf-ZzzByW
 * Authenticated as default/reset computer account: Hostname
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't lookup domain short name: Can't contact LDAP server
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Using computer account name: Hostname
 * Using domain realm: mydomain.de
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 ! Couldn't lookup computer account: Hostname$: Can't contact LDAP server
adcli: updating membership with domain mydomain.de failed: Couldn't lookup computer account: Hostname$: Can't contact LDAP server

So what's wrong here? I think there is no real problem contacting the domain controller. Maybe adcli needs some more arguments, but adcli is triggered directly by sssd.

Thanks for your help,
Hajo
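As an added example (not adcli's or sssd's code, and not part of the original report), a small parser that classifies `adcli update --verbose` output so a monitoring job can tell a real keytab renewal from a run that authenticated but then failed, as in the 0.8.2-1ubuntu1 transcript above; the two transcripts embedded below are constructed, abridged copies of the report's runs.

```python
import re
# Added example, not adcli's code: classify an `adcli update --verbose` run.
RE_KVNO_OLD = re.compile(r"Retrieved kvno '(\d+)' for computer account")
RE_KVNO_NEW = re.compile(r"kvno incremented to (\d+)")
RE_KEYTAB_ADD = re.compile(r"Added the entries to the keytab: .*: FILE:\S+")

def parse_adcli_update(output):
    """Summarise one run: did the computer password and keytab really renew?"""
    s = {"renewed": False, "kvno_old": None, "kvno_new": None,
         "keytab_entries": 0, "warnings": [], "fatal": None}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("! "):
            s["warnings"].append(line[2:])   # non-fatal by itself
        elif line.startswith("adcli:"):
            s["fatal"] = line                # adcli's final error line
        if m := RE_KVNO_OLD.search(line):
            s["kvno_old"] = int(m.group(1))
        if m := RE_KVNO_NEW.search(line):
            s["kvno_new"] = int(m.group(1))
        if RE_KEYTAB_ADD.search(line):
            s["keytab_entries"] += 1
    # Renewed only if the kvno was bumped, keys were written, and adcli did
    # not end with a fatal error; a '!' warning alone (userAccountControl in
    # the good run above) does not mean the renewal failed.
    s["renewed"] = (s["fatal"] is None and s["kvno_new"] is not None
                    and s["keytab_entries"] > 0)
    return s

# Constructed, abridged transcripts based on the two runs in the report.
GOOD_RUN = """\
 * Retrieved kvno '12' for computer account in directory: xxx
 * Changed computer password
 * kvno incremented to 13
 ! Couldn't set userAccountControl on computer account: xxx
 * Added the entries to the keytab: Hostname$@mydomain.de: FILE:/etc/krb5.keytab
"""

BAD_RUN = """\
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't lookup domain short name: Can't contact LDAP server
 ! Couldn't lookup computer account: Hostname$: Can't contact LDAP server
adcli: updating membership with domain mydomain.de failed: Couldn't lookup computer account: Hostname$: Can't contact LDAP server
"""

if __name__ == "__main__":
    for name, text in (("0.8.2-1", GOOD_RUN), ("0.8.2-1ubuntu1", BAD_RUN)):
        r = parse_adcli_update(text)
        print(name, "renewed" if r["renewed"] else "NOT renewed", r["fatal"] or "")
```

Run it from a cron job or sssd hook on the captured adcli output and alert when `renewed` is false, since a silently failing renewal leaves the host with an ageing computer password.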

Hajo Locke (hajo-locke) wrote :

Can be ignored; it seems to be a duplicate of the solved 1906627.
Thanks,
Hajo

Sergio Durigan Junior (sergiodj) wrote :

Thanks for your report. It indeed seems like a duplicate of bug 1906627, so I am marking it as such.
