Public bug reported:

Package: adcli
Version: 0.8.2-1ubuntu1
Release: Ubuntu 18.04 LTS

When trying to join the domain with this new version of adcli, it gets
to the point of 'Using GSS-SPNEGO for SASL bind' and then it will not do
anything for 10 minutes. It will then fail, complaining it can't reach
the LDAP server.

Logs:
Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-acco...@domain.com
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-acco...@domain.com
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using fully qualified name: example001.domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using fully qualified name: example001.domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain name: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain name: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using computer account name: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using computer account name: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain realm: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain realm: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Calculated computer account name from fqdn: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Calculated computer account name from fqdn: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * With user principal: host/example001.domain....@domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * With user principal: host/example001.domain....@domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Generated 120 character computer password
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Generated 120 character computer password
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using keytab: FILE:/etc/krb5.keytab
Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using keytab: FILE:/etc/krb5.keytab
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: process exited: 6459
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain

On the network level, adcli gets to the point of sending an ldap query to
the domain controller and the domain controller returns an ack tcp
packet, but then there is no more traffic between the domain controller
and the server except for ntp packets until it fails.

The domain controller traffic also shows that it is receiving the ldap
query packet from the server but it never sends a reply and there is no
log in directory services regarding the query. We also couldn't find
anything in procmon regarding this query either.

Workaround/Fix:
Downgrading the adcli package back to version 0.8.2-1 fixes the issues and 
domain join works properly again.

** Affects: adcli (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1906627

Title:
  adcli fails, can't contact LDAP server
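
The following is an added example, not part of the original report or of the adcli/realmd code: a Python triage helper that rejoins e-mail-wrapped journal lines and measures the silence between the "Using GSS-SPNEGO for SASL bind" message and the first "Can't contact LDAP server" error that follows it. The sample lines are constructed from the excerpt in the report; the function names, the 60-second threshold and the fixed year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the report's journal excerpt, wrapping included.
SAMPLE = """\
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for
SASL bind
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain
short name: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain
"""

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
BIND = "Using GSS-SPNEGO for SASL bind"
ERROR = "Can't contact LDAP server"

def parse(text, year=2000):
    """Return (timestamp, process, message); the year is arbitrary (syslog omits it)."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            records.append([ts, m.group(3), m.group(5).strip()])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()  # continuation of a wrapped line
    return [tuple(r) for r in records]

def bind_stall(records):
    """Seconds from the last SASL bind message to the first LDAP error after it."""
    bind_at = None
    for ts, _proc, msg in records:
        if BIND in msg:
            bind_at = ts
        elif bind_at is not None and ERROR in msg:
            return (ts - bind_at).total_seconds()
    return None

def triage(text, threshold=60):
    stall = bind_stall(parse(text))
    if stall is None:
        return "no bind/error pair found"
    verdict = "stalled after SASL bind" if stall >= threshold else "fast failure"
    return f"{verdict}: {stall:.0f}s"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the timestamps in the report (01:39:50 to 01:55:27) it reports a stall of 937 seconds.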
