Public bug reported:
I'm not sure if this bug is in package realmd, samba or winbind.
Joining to an AD domain with realm (using samba and winbind for authentication)
sets wrong entries in krb5.keytab.
Our clients are in a subdomain HOSTNAME.CLIENT.DOMAIN. After joining, the keytab
entries point to HOSTNAME.DOMAIN.
I join clients with:
realm join -v --automatic-id-mapping=no --membership-software=samba --client-software=winbind DOMAIN
wrong keytab:
root@kubuntu-latest:~# klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN (aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 restrictedkrbhost/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN (aes128-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 restrictedkrbhost/KUBUNTU-LATEST@DOMAIN (aes128-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN (arcfour-hmac)
1 19.11.2020 16:48:31 restrictedkrbhost/KUBUNTU-LATEST@DOMAIN (arcfour-hmac)
1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (aes128-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes128-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN (arcfour-hmac)
1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (arcfour-hmac)
1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes128-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (arcfour-hmac)
host is in subdomain kubuntu-latest.client.domain:
root@kubuntu-latest:~# nslookup kubuntu-latest
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: kubuntu-latest.client.domain
I also recognized the LDAP attribute "dNSHostName" for this machine
account in AD is set to the incorrect FQDN: kubuntu-latest.domain
If I set the system to use SSSD instead of winbind and join with
realm join --membership-software=adcli --client-software=sssd
the krb5.keytab is set correctly with subdomain.
But I need winbind...
Tested with:
Ubuntu 20.10
realmd 0.16.3-3ubuntu1
samba 2:4.12.5+dfsg-3ubuntu4.1
** Affects: realmd (Ubuntu)
Importance: Undecided
Status: New
** Tags: domain keytab ralm samba winbind
https://bugs.launchpad.net/bugs/1905000
Title:
realm join DOMAIN (samba) sets wrong krb5.keytab (missing subdomain)
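An added check for the symptom reported above (not code from the report, realmd or Samba): it parses `klist -ekt` output, including entries whose encryption type wraps onto the next line, and lists service principals whose host part matches neither the machine's FQDN nor its short name. The function names and the sample text, a subset of the listing above, are constructed for this example.

```python
import re

# Constructed sample: a subset of the klist listing in the report, including
# entries whose encryption type wrapped onto the following line.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 19.11.2020 16:48:31 restrictedkrbhost/kubuntu-latest.domain@DOMAIN
(aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 host/kubuntu-latest.domain@DOMAIN
(aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 host/KUBUNTU-LATEST@DOMAIN (aes256-cts-hmac-sha1-96)
1 19.11.2020 16:48:31 KUBUNTU-LATEST$@DOMAIN (aes256-cts-hmac-sha1-96)
"""

# KVNO, date, time, principal, optional "(enctype)" on the same line.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)(?:\s+\(([^)]+)\))?\s*$")
WRAPPED_ENCTYPE = re.compile(r"^\s*\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return a list of {kvno, principal, enctype} dicts from klist -ekt output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)), "principal": m.group(2),
                            "enctype": m.group(3)})
            continue
        m = WRAPPED_ENCTYPE.match(line)
        if m and entries and entries[-1]["enctype"] is None:
            entries[-1]["enctype"] = m.group(1)  # continuation of previous entry
    return entries

def mismatched_principals(entries, fqdn):
    """Service principals whose host part is neither the FQDN nor the short name."""
    fqdn = fqdn.lower()
    accepted = {fqdn, fqdn.split(".", 1)[0]}
    bad = set()
    for entry in entries:
        name = entry["principal"].rpartition("@")[0]
        if "/" not in name:
            continue  # machine account (NAME$) carries no host component
        host = name.split("/", 1)[1]
        if host.lower() not in accepted:
            bad.add(entry["principal"])
    return sorted(bad)

if __name__ == "__main__":
    for principal in mismatched_principals(parse_klist(SAMPLE), "kubuntu-latest.client.domain"):
        print("unexpected host in principal:", principal)
```

On a live host, pass it the text printed by `klist -ekt /etc/krb5.keytab` and the FQDN the resolver returns for the machine.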