[SSSD-users] Re: adcli behavior change with RHEL 7.7
On Mon, Aug 12, 2019 at 09:41:31PM -, Erinn Looney-Triggs wrote:
> Apologies, the issue is we moved from using winbind via realmd which now
> seems to be broken due to this:
> https://bugzilla.samba.org/show_bug.cgi?id=14007 to using adcli, our
> realmd.conf file had previously lower cased the computer-name like so:
>
> computer-name = example

Hi,

thanks for the explanation.

>
> And samba apparently uppercased it on the join (EXAMPLE$). adcli appears not
> to do that (example$). After some long research it looks like lower case is
> entirely legit for NETBIOS names, but for whatever reason samba chooses to
> upper case the names.

Yes, lower-case characters are valid in NetBIOS names, the all upper-case
style is a historic convention.

>
> So the change in behavior was unexpected, but is valid. However, getting net
> ads join to work again in RHEL 7.7 is probably a good idea on Red Hat's part.
>
> In short I expected adcli to act like net ads join, it doesn't, the former
> will accept upper or lower case and probably anything in between, the latter
> upper cases the name. Solution was to upper case the name with ADCLI so that
> it matches what we had previously. Longer term solution is to be case
> insensitive when looking for a principal in the keytab.

If adcli derives the computer-name from the hostname it will automatically
upper-case the name. If the computer-name is explicitly given at the command
line or in realmd.conf it is taken as is. Do you think it would be ok to
enhance the man page explaining the difference and saying that the name
should be upper-case for maximal compatibility?

About looking up principals case-insensitively: according to the related RFCs,
Kerberos principals are case sensitive. Unfortunately AD implements this
case-insensitively, which causes confusion at various places.

bye,
Sumit

>
> -Erinn
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
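
The mismatch discussed in the message above (an exact, case-sensitive keytab lookup for EXAMPLE$ when the keytab only holds example$) can be checked for ahead of time. The following is an added example, not part of the original message and not adcli's code; the `klist -k` sample is constructed from the names used in the thread, and taking the first DNS label as the short host name is an assumption.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output after a join done
# with "computer-name = example" in realmd.conf (names taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 example$@AD.DOMAIN.COM
   2 host/example.ad.domain.com@AD.DOMAIN.COM
"""

ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s*$")  # "<kvno> <principal>" lines only


def computer_name(hostname, explicit=None):
    """Naming rule as described in the thread: an explicitly given name is
    taken as is, a name derived from the hostname is upper-cased.
    Assumption: the derived name is the first DNS label of the hostname."""
    if explicit is not None:
        return explicit
    return hostname.split(".", 1)[0].upper()


def keytab_principals(klist_output):
    """Extract principal names from `klist -k` text, skipping header lines."""
    matches = map(ENTRY.match, klist_output.splitlines())
    return [m.group(1) for m in matches if m]


def check_machine_principal(klist_output, hostname, realm, explicit=None):
    """Look up <NAME>$@REALM the way a Kerberos library does (exact match)
    and report entries that differ from it only by case."""
    wanted = f"{computer_name(hostname, explicit)}$@{realm}"
    principals = keytab_principals(klist_output)
    if wanted in principals:
        return "ok", wanted, []
    near = [p for p in principals if p.casefold() == wanted.casefold()]
    if near:
        return "case-mismatch", wanted, near
    return "missing", wanted, []


if __name__ == "__main__":
    # Tool derives EXAMPLE$ from the hostname; keytab holds example$.
    print(check_machine_principal(SAMPLE_KLIST, "example.ad.domain.com",
                                  "AD.DOMAIN.COM"))
    # Same keytab, but the lower-case name is passed explicitly.
    print(check_machine_principal(SAMPLE_KLIST, "example.ad.domain.com",
                                  "AD.DOMAIN.COM", explicit="example"))
```

A "case-mismatch" result means AD will accept either spelling while the local keytab lookup will not, which is the failure reported for adcli update.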
[SSSD-users] Re: adcli behavior change with RHEL 7.7
Apologies, the issue is we moved from using winbind via realmd which now
seems to be broken due to this:
https://bugzilla.samba.org/show_bug.cgi?id=14007 to using adcli, our
realmd.conf file had previously lower cased the computer-name like so:

computer-name = example

And samba apparently uppercased it on the join (EXAMPLE$). adcli appears not
to do that (example$). After some long research it looks like lower case is
entirely legit for NETBIOS names, but for whatever reason samba chooses to
upper case the names.

So the change in behavior was unexpected, but is valid. However, getting net
ads join to work again in RHEL 7.7 is probably a good idea on Red Hat's part.

In short I expected adcli to act like net ads join, it doesn't, the former
will accept upper or lower case and probably anything in between, the latter
upper cases the name. Solution was to upper case the name with ADCLI so that
it matches what we had previously. Longer term solution is to be case
insensitive when looking for a principal in the keytab.

-Erinn
[SSSD-users] Re: adcli behavior change with RHEL 7.7
On Thu, Aug 08, 2019 at 05:57:46PM -, Erinn Looney-Triggs wrote:
> Previously when using adcli to join a RHEL <7.7 system to the AD principals
> came out in this format:
> EXAMPLE$@AD.DOMAIN.COM
>
> Now when doing a join with adcli we are getting principals in this format:
> example$@AD.DOMAIN.COM

Hi,

I cannot reproduce this behavior with adcli-0.8.1-9.el7 which should be the
version delivered with RHEL-7.7. Can you send the 'adcli join -v ...' output
so that I can compare what might be different on my test system? Feel free to
send it to me directly if you do not want to share it on the list.

bye,
Sumit

>
> Is this still a legal NETBIOS name? I mean I know it can work, it is just a
> string from kerbs perspective, but I was under the impression that the AD was
> pretty specific about what it expected the host principal to be. I am still
> digging into this, but so far this has broken some of our kerb code and it
> appears to have broken adcli update as well because it is looking for the
> uppercase principal while only the lower case principal is available in the
> keytab.
>
> Thanks,
> -Erinn
[SSSD-users] Re: adcli behavior change with RHEL 7.7
Out of curiosity, why are you happy to see this change?

-Erinn

On 8/8/19 12:21 PM, James Cassell wrote:
> On Thu, Aug 8, 2019, at 1:58 PM, Erinn Looney-Triggs wrote:
>> Previously when using adcli to join a RHEL <7.7 system to the AD
>> principals came out in this format:
>> EXAMPLE$@AD.DOMAIN.COM
>>
>> Now when doing a join with adcli we are getting principals in this format:
>> example$@AD.DOMAIN.COM
>>
>> Is this still a legal NETBIOS name? I mean I know it can work, it is
>> just a string from kerbs perspective, but I was under the impression
>> that the AD was pretty specific about what it expected the host
>> principal to be. I am still digging into this, but so far this has
>> broken some of our kerb code and it appears to have broken adcli update
>> as well because it is looking for the uppercase principal while only
>> the lower case principal is available in the keytab.
>>
> I'm very happy to see this change. This closely matches with how winbind
> previously would do the joins.
>
> I don't know the answer to your specific question, but I am happy about the
> change.
>
> V/r,
> James Cassell
[SSSD-users] Re: adcli behavior change with RHEL 7.7
On Thu, Aug 8, 2019, at 1:58 PM, Erinn Looney-Triggs wrote:
> Previously when using adcli to join a RHEL <7.7 system to the AD
> principals came out in this format:
> EXAMPLE$@AD.DOMAIN.COM
>
> Now when doing a join with adcli we are getting principals in this format:
> example$@AD.DOMAIN.COM
>
> Is this still a legal NETBIOS name? I mean I know it can work, it is
> just a string from kerbs perspective, but I was under the impression
> that the AD was pretty specific about what it expected the host
> principal to be. I am still digging into this, but so far this has
> broken some of our kerb code and it appears to have broken adcli update
> as well because it is looking for the uppercase principal while only
> the lower case principal is available in the keytab.
>

I'm very happy to see this change. This closely matches with how winbind
previously would do the joins.

I don't know the answer to your specific question, but I am happy about the
change.

V/r,
James Cassell