Package: realmd
Version: 0.16.3-1
Severity: normal

Dear Maintainer,

When trying to join an AD domain with realmd, it fails to set spn for the computer account.

root@stretch-xfce:~# realm discover --verbose
 * Resolving: _ldap._tcp.mydomain.local.lan
 * Performing LDAP DSE lookup on: 10.13.1.100
 * Performing LDAP DSE lookup on: 10.9.1.100
 * Performing LDAP DSE lookup on: 10.6.1.100
 * Successfully discovered: mydomain.local.lan
mydomain.local.lan
  type: kerberos
  realm-name: MYDOMAIN.LOCAL.LAN
  domain-name: mydomain.local.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

root@stretch-xfce:~# cat /etc/hostname
stretch-xfce

root@stretch-xfce:~# realm join --verbose mydomain.local.lan
 * Resolving: _ldap._tcp.mydomain.local.lan
 * Performing LDAP DSE lookup on: 10.20.1.239
 * Successfully discovered: mydomain.local.lan
Password for Administrator:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain mydomain.local.lan --domain-realm MYDOMAIN.LOCAL.LAN --domain-controller 10.20.1.239 --login-type user --login-user Administrator --stdin-password
 * Using domain name: mydomain.local.lan
 * Calculated computer account name lanom fqdn: STRETCH-XFCE
 * Using domain realm: mydomain.local.lan
 * Sending netlogon pings to domain controller: ldap://10.20.1.239
 * Received NetLogon info lanom: dc01.mydomain.local.lan
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-hwY7JD/krb5.d/adcli-krb5-conf-ujjRA8
 * Authenticated as user: [email protected]
 * Looked up short domain name: MYDOMAIN
 * Using fully qualified name: stretch-xfce
 * Using domain name: mydomain.local.lan
 * Using computer account name: STRETCH-XFCE
 * Using domain realm: mydomain.local.lan
 * Calculated computer account name lanom fqdn: STRETCH-XFCE
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for STRETCH-XFCE$ does not exist
 * Found well known computer container at: CN=Computers,DC=mydomain,DC=local,DC=lan
 * Calculated computer account: CN=STRETCH-XFCE,CN=Computers,DC=mydomain,DC=local,DC=lan
 * Created computer account: CN=STRETCH-XFCE,CN=Computers,DC=mydomain,DC=local,DC=lan
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=STRETCH-XFCE,CN=Computers,DC=mydomain,DC=local,DC=lan
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=STRETCH-XFCE,CN=Computers,DC=mydomain,DC=local,DC=lan: 00002083: AtrErr: DSID-03151785, #1: 0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
 * Discovered which keytab salt to use
 * Added the entries to the keytab: [email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm
root@stretch-xfce:~#
root@stretch-xfce:~# hostname
stretch-xfce
root@stretch-xfce:~# hostname -A
stretch-xfce.mydomain.local.lan
root@stretch-xfce:~#

Setting /etc/hostname with FQDN (i.e stretch-xfce.mydomain.local) instead of short name (stretch-xfce) solves the problem ...

Regards,

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages realmd depends on:
ii  libc6                   2.24-9
ii  libcomerr2              1.43.4-2
ii  libglib2.0-0            2.50.3-1
ii  libk5crypto3            1.15-1
ii  libkrb5-3               1.15-1
ii  libldap-2.4-2           2.4.44+dfsg-3
ii  libpolkit-gobject-1-0   0.105-17
ii  libsystemd0             232-19

realmd recommends no packages.

realmd suggests no packages.

-- no debconf information
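
An added example, not part of the original report and not realmd or adcli code: a shell check that scans saved `realm join --verbose` output for the two signals visible in the log above, a "fully qualified name" without a domain part and the failed servicePrincipalName write. The function names are hypothetical and the sample log is constructed from lines quoted in the report.

```shell
#!/bin/sh
# Added example: post-join check over saved `realm join --verbose` output.
# It does not trust the final "Successfully enrolled machine in realm" line,
# because the log in this report prints it even though the SPN write failed.

# check_join_log FILE
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
check_join_log() {
    log=$1
    status=0
    # adcli prints the host name it registers as "Using fully qualified name: <name>".
    fqdn=$(sed -n 's/^ *\* Using fully qualified name: *//p' "$log" | head -n 1)
    if [ -z "$fqdn" ]; then
        echo "UNKNOWN: no 'Using fully qualified name' line found"
        status=1
    else
        case $fqdn in
            *.*) echo "OK: fully qualified name '$fqdn' has a domain part" ;;
            *)   echo "WARN: fully qualified name '$fqdn' is a short name"
                 status=1 ;;
        esac
    fi
    # The failed attribute write is reported on a line starting with "!".
    if grep -q "Couldn't set service principals" "$log"; then
        echo "FAIL: servicePrincipalName was not set on the computer account"
        status=1
    fi
    return $status
}

# Constructed sample: a few lines taken from the verbose output in the report.
sample_short_name_log() {
    cat <<'EOF'
 * Using fully qualified name: stretch-xfce
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=STRETCH-XFCE,CN=Computers,DC=mydomain,DC=local,DC=lan:
 * Successfully enrolled machine in realm
EOF
}
```

To try it, write the sample to a file with `sample_short_name_log > join.log` and run `check_join_log join.log`; a non-zero return means the computer account should be inspected before relying on Kerberos service tickets for the host.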
