RHEL-2518: adcli does not update the machine account password correctly.


    • adcli-0.9.3.1-1.el10
    • Low
    • rhel-idm-sssd
    • ssg_idm
    • Bug Fix
    • `adcli` correctly identifies machine account principals in multi-realm keytabs

      Before this update, when connecting to a domain to update a password, `adcli` always used the Kerberos realm of the first entry in the keytab file. As a consequence, on systems where the keytab contained multiple realms, the renewal process failed with a "no suitable keys" error if the required realm was not listed first. With this release, `adcli` searches the keytab for a principal that matches the target domain. As a result, machine account password renewals now succeed regardless of the order of entries in the keytab.
    • Done
    • 57,005

      Description of problem:
      adcli does not update the machine account password correctly.

      Version-Release number of selected component (if applicable):
      adcli-0.8.1-16.el7_9.1.x86_64

      How reproducible:
      Always

      Steps to Reproduce:
      [1] Integrate the system with AD using SSSD.

      [2] adcli does not renew the machine account password properly. It fails with:

      ---------
      sssd_csin.cz.log:(2023-06-21 10:12:44): [be[csin.cz]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
      sssd_csin.cz.log:(2023-06-21 10:12:44): [be[csin.cz]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
      sssd_csin.cz.log: ! Couldn't get kerberos ticket for machine account: ZPMEPSP01: Keytab contains no suitable keys for ZPMEPSP01$@VS.CSIN.CZ
      sssd_csin.cz.log:adcli: couldn't connect to csin.cz domain: Couldn't get kerberos ticket for machine account: ZPMEPSP01: Keytab contains no suitable keys for ZPMEPSP01$@VS.CSIN.CZ
      sssd_csin.cz.log:(2023-06-21 10:12:44): [be[csin.cz]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
      sssd_csin.cz.log:(2023-06-21 10:12:44): [be[csin.cz]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from last execution time [1687421564]
      ---------

      Here we can see that adcli is trying to look up the ZPMEPSP01$@VS.CSIN.CZ key in the keytab file, but the hostname of the system is given in sssd.conf as

      ad_hostname = zpmepsp01.csin.cz

      Even manually updating the machine account password fails with:


      root@ppspeas03 (A) :~$ adcli update --verbose --domain=csin.cz --host-fqdn=ppspeas03.csin.cz

       * Found realm in keytab: VS.CSIN.CZ
       * Found service principal in keytab: host/ppspeas03.vs.csin.cz
       * Found host qualified name in keytab: ppspeas03.vs.csin.cz
       * Found service principal in keytab: host/ppspeas03-d.vs.csin.cz
       * Found service principal in keytab: host/ppspeas03-d2.vs.csin.cz
       * Found service principal in keytab: host/ppspeas03-m.vs.csin.cz
       * Using fully qualified name: ppspeas03.csin.cz
       * Using domain name: csin.cz
       * Calculated computer account name from fqdn: PPSPEAS03
       * Using domain realm: csin.cz
       * Discovering domain controllers: _ldap._tcp.csin.cz
       * Sending NetLogon ping to domain controller: pp1windc2001.csin.cz
       * Received NetLogon info from: pp1windc2001.csin.cz
       * Wrote out krb5.conf snippet to /tmp/adcli-krb5-7YiNVZ/krb5.d/adcli-krb5-conf-NoQDY7
       ! Couldn't get kerberos ticket for machine account: PPSPEAS03: Keytab contains no suitable keys for PPSPEAS03$@VS.CSIN.CZ
      adcli: couldn't connect to csin.cz domain: Couldn't get kerberos ticket for machine account: PPSPEAS03: Keytab contains no suitable keys for PPSPEAS03$@VS.CSIN.CZ

      Customer has the following principals in the keytab file:

      root@zpmepsp01 (A) :~$ klist -k
      Keytab name: FILE:/etc/krb5.keytab
      KVNO Principal
      ---- --------------------------------------------------------------------------
      2 host/zpmepsp01.vs.csin.cz@VS.CSIN.CZ
      2 host/zpmepsp01-d.vs.csin.cz@VS.CSIN.CZ
      2 host/zpmepsp01-m.vs.csin.cz@VS.CSIN.CZ
      2 ZPMEPSP01$@CSIN.CZ
      2 ZPMEPSP01$@CSIN.CZ
      2 ZPMEPSP01$@CSIN.CZ
      2 host/ZPMEPSP01@CSIN.CZ
      2 host/ZPMEPSP01@CSIN.CZ
      2 host/ZPMEPSP01@CSIN.CZ
      2 host/zpmepsp01.csin.cz@CSIN.CZ
      2 host/zpmepsp01.csin.cz@CSIN.CZ
      2 host/zpmepsp01.csin.cz@CSIN.CZ
      2 RestrictedKrbHost/ZPMEPSP01@CSIN.CZ
      2 RestrictedKrbHost/ZPMEPSP01@CSIN.CZ
      2 RestrictedKrbHost/ZPMEPSP01@CSIN.CZ
      2 RestrictedKrbHost/zpmepsp01.csin.cz@CSIN.CZ
      2 RestrictedKrbHost/zpmepsp01.csin.cz@CSIN.CZ
      2 RestrictedKrbHost/zpmepsp01.csin.cz@CSIN.CZ

      If we change the order of the principals available in the keytab file using ktutil, adcli finds the correct principal for CSIN.CZ and successfully renews the machine account password.

      Additional info:
      Filing this report as suggested by Sumit here - https://groups.google.com/a/redhat.com/g/idm-tech/c/jtSry1xUZ38
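The realm-selection behaviour described in this report (and in the release note at the top of the page), modelled in Python as an added example, not adcli's own code: `pick_realm_first_entry` is the pre-fix logic, `pick_realm_for_domain` the fixed logic, `realm_order_risk` a pre-flight check an administrator can run over `klist -k` output on a host that still has the unfixed adcli, and `reorder_realm_first` the ktutil reordering workaround. The keytab listing is a constructed subset of the one quoted above; the matching rule (machine account principal whose realm equals the upper-cased domain) is an assumption about how the fix behaves.

```python
import re
from typing import List, Optional, Tuple

Entry = Tuple[int, str, str]  # (kvno, principal without realm, realm)

# Constructed sample: a subset of the klist -k listing quoted in this report.
KLIST_OUTPUT = """\
KVNO Principal
---- ------------------------------------------
   2 host/zpmepsp01.vs.csin.cz@VS.CSIN.CZ
   2 host/zpmepsp01-d.vs.csin.cz@VS.CSIN.CZ
   2 ZPMEPSP01$@CSIN.CZ
   2 host/ZPMEPSP01@CSIN.CZ
   2 RestrictedKrbHost/zpmepsp01.csin.cz@CSIN.CZ
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([^@\s]+)@(\S+)\s*$")

def parse_klist(text: str) -> List[Entry]:
    """Parse 'klist -k' output into (kvno, principal, realm) tuples, in keytab order."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def pick_realm_first_entry(entries: List[Entry]) -> Optional[str]:
    """Pre-fix behaviour: realm of the first keytab entry, whatever the target domain."""
    return entries[0][2] if entries else None

def pick_realm_for_domain(entries: List[Entry], domain: str, computer: str) -> Optional[str]:
    """Fixed behaviour (modelled): realm of the machine account principal for the target domain."""
    wanted = computer.upper() + "$"
    return next((r for _, p, r in entries
                 if p == wanted and r.upper() == domain.upper()), None)

def renewal_check(entries: List[Entry], domain: str, computer: str, fixed: bool):
    """Return (principal adcli would request a ticket for, whether the keytab has that key)."""
    realm = (pick_realm_for_domain(entries, domain, computer) if fixed
             else pick_realm_first_entry(entries))
    if realm is None:
        return None, False
    principal = f"{computer.upper()}$@{realm}"
    return principal, any(f"{p}@{r}" == principal for _, p, r in entries)

def realm_order_risk(entries: List[Entry], domain: str, computer: str) -> bool:
    """Pre-flight for unfixed adcli: the right key exists but another realm is listed first."""
    first, good = pick_realm_first_entry(entries), pick_realm_for_domain(entries, domain, computer)
    return good is not None and first is not None and first.upper() != good.upper()

def reorder_realm_first(entries: List[Entry], realm: str) -> List[Entry]:
    """The ktutil workaround from the report, modelled: move the target realm's entries first."""
    same = [e for e in entries if e[2].upper() == realm.upper()]
    return same + [e for e in entries if e[2].upper() != realm.upper()]
```

With the sample listing, the unfixed path asks for `ZPMEPSP01$@VS.CSIN.CZ` and finds no key, reproducing the "no suitable keys" error in the log; the fixed path and the reordered keytab both resolve to `ZPMEPSP01$@CSIN.CZ`.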

              People: Sumit Bose (sbose@redhat.com), Prasad Kulkarni (rhn-support-pkulkarn), Shridhar Gadekar, Dominika Borges