Public bug reported:

Hello,

I use a typical setup with sssd/realmd to integrate some of my machines into MS Active Directory. sssd triggers adcli to update the machine password in Active Directory. On 2020-12-02 my systems updated adcli from 0.8.2-1 to 0.8.2-1ubuntu1; since that date no keytab renewal is possible. I downgraded the adcli package and it worked again, which avoids the danger of being thrown out of AD.

This is a successful adcli output; the arguments are captured directly from sssd:

adcli update --domain=mydomain.de --host-fqdn=Hostname --computer-password-lifetime=30 --domain-controller=mydc.mydomain.de --verbose
 * Found realm in keytab: mydomain.de
 * Found computer name in keytab: Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: HTTP/Hostname
 * Found service principal in keytab: RestrictedKrbHost/Hostname
 * Found service principal in keytab: HTTP/Hostname.mydomain.de
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Calculated computer account name from fqdn: Hostname
 * Using domain realm: mydomain.de
 * Sending netlogon pings to domain controller: cldap://xx.xx.xx.xx
 * Received NetLogon info from: mydc.mydomain.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-wfQWOb/krb5.d/adcli-krb5-conf-5agnpJ
 * Authenticated as default/reset computer account: Hostname
 * Looked up short domain name: SHORTDOMAIn
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Using computer account name: Hostname
 * Using domain realm: mydomain.de
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for Hostname$ at: xxx
 * Retrieved kvno '12' for computer account in directory: xxx
 * Changed computer password
 * kvno incremented to 13
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: xxx
 * Updated existing computer account: xxx
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: [email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: HTTP/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: HTTP/[email protected]: FILE:/etc/krb5.keytab

And this is the unsuccessful output of adcli 0.8.2-1ubuntu1:

adcli update --domain=mydomain.de --host-fqdn=Hostname --computer-password-lifetime=30 --domain-controller=mydc.mydomain.de --verbose
 * Found realm in keytab: mydomain.de
 * Found computer name in keytab: Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: host/Hostname
 * Found service principal in keytab: HTTP/Hostname
 * Found service principal in keytab: RestrictedKrbHost/Hostname
 * Found service principal in keytab: HTTP/Hostname.mydomain.de
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Calculated computer account name from fqdn: Hostname
 * Using domain realm: mydomain.de
 * Sending netlogon pings to domain controller: cldap://xx.xx.xx.xx
 * Received NetLogon info from: mydc.mydomain.de
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-q8rbQD/krb5.d/adcli-krb5-conf-ZzzByW
 * Authenticated as default/reset computer account: Hostname
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't lookup domain short name: Can't contact LDAP server
 * Using fully qualified name: Hostname
 * Using domain name: mydomain.de
 * Using computer account name: Hostname
 * Using domain realm: mydomain.de
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 ! Couldn't lookup computer account: Hostname$: Can't contact LDAP server
adcli: updating membership with domain mydomain.de failed: Couldn't lookup computer account: Hostname$: Can't contact LDAP server

So what's wrong here? I think there is no real problem of contacting the domain controller. Maybe adcli needs some more arguments, but adcli is triggered directly by sssd.

Thanks for your help,
Hajo

** Affects: adcli (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1909580

Title:
  adcli not updating keytabs since 0.8.2-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1909580/+subscriptions
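The two transcripts above show the markers adcli prints in --verbose mode: ` * ` for a completed step, ` ! ` for a non-fatal problem, and a final `adcli: ... failed:` line when the update aborts. Because sssd runs adcli unattended, a silent failure like this one is only noticed when the host is locked out of the domain. The following is an added example, not code from the bug report or from adcli/sssd, of a small Python checker that classifies a captured adcli run. It distinguishes the harmless `!` line in the good run (userAccountControl could not be set, yet the password and keytab were renewed) from the fatal "Can't contact LDAP server" run, and flags the worst case, where the password was changed in AD but no keytab entries were written. The sample runs are shortened copies of the report's output; the realm `EXAMPLE-REALM` in the keytab lines is a placeholder, since the report's principals are redacted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input, shortened from the successful run in the bug report.
# The realm in the keytab lines is a placeholder (the report redacts it).
SUCCESS_RUN = """\
 * Authenticated as default/reset computer account: Hostname
 * Looked up short domain name: SHORTDOMAIn
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Retrieved kvno '12' for computer account in directory: xxx
 * Changed computer password
 * kvno incremented to 13
 * Modifying computer account: userAccountControl
 ! Couldn't set userAccountControl on computer account: xxx
 * Updated existing computer account: xxx
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/Hostname@EXAMPLE-REALM: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: HTTP/Hostname@EXAMPLE-REALM: FILE:/etc/krb5.keytab
"""

# Sample input, shortened from the failing 0.8.2-1ubuntu1 run in the bug report.
FAILED_RUN = """\
 * Authenticated as default/reset computer account: Hostname
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't lookup domain short name: Can't contact LDAP server
 * Enrolling computer name: Hostname
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 ! Couldn't lookup computer account: Hostname$: Can't contact LDAP server
adcli: updating membership with domain mydomain.de failed: Couldn't lookup computer account: Hostname$: Can't contact LDAP server
"""

KVNO_BEFORE = re.compile(r"Retrieved kvno '(\d+)'")
KVNO_AFTER = re.compile(r"kvno incremented to (\d+)")


@dataclass
class RenewalResult:
    steps: List[str] = field(default_factory=list)      # " * " lines
    warnings: List[str] = field(default_factory=list)   # " ! " lines (non-fatal)
    fatal: Optional[str] = None                         # final "adcli: ... failed" line
    kvno_before: Optional[int] = None
    kvno_after: Optional[int] = None
    password_changed: bool = False                      # AD-side password was rotated
    keytab_entries: int = 0                             # principals written locally

    @property
    def ok(self) -> bool:
        # A renewal is only complete when the password rotated AND the keytab
        # received new entries; a "!" warning alone does not make the run a failure.
        return (self.fatal is None and self.password_changed
                and self.kvno_after is not None and self.keytab_entries > 0)


def parse_adcli_output(text: str) -> RenewalResult:
    """Parse adcli --verbose output into a structured result."""
    r = RenewalResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* "):
            msg = line[2:]
            r.steps.append(msg)
            m = KVNO_BEFORE.search(msg)
            if m:
                r.kvno_before = int(m.group(1))
            m = KVNO_AFTER.search(msg)
            if m:
                r.kvno_after = int(m.group(1))
            if msg == "Changed computer password":
                r.password_changed = True
            if msg.startswith("Added the entries to the keytab:"):
                r.keytab_entries += 1
        elif line.startswith("! "):
            r.warnings.append(line[2:])
        elif line.startswith("adcli:") and "failed" in line:
            r.fatal = line
    return r


def classify(r: RenewalResult) -> str:
    """Verdict for monitoring: which of three states the host is in."""
    if r.ok:
        return "renewed"
    if r.password_changed:
        # Password rotated in AD but keytab not (fully) rewritten: the host's
        # stored key no longer matches; this needs immediate attention.
        return "password-changed-keytab-stale"
    # Nothing changed on either side; safe to retry after fixing connectivity.
    return "failed-before-change"


if __name__ == "__main__":
    for name, run in (("good", SUCCESS_RUN), ("bad", FAILED_RUN)):
        res = parse_adcli_output(run)
        print(f"{name}: {classify(res)} kvno={res.kvno_before}->{res.kvno_after} "
              f"warnings={len(res.warnings)} fatal={res.fatal is not None}")
```

In practice the input would be adcli's stderr/stdout as captured by sssd's logs or a cron wrapper; the "password-changed-keytab-stale" verdict is the one to alert on, because a host in that state will fail to authenticate to the domain once its old key is no longer accepted.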
