- Bug
- Resolution: Unresolved
- Normal
- rhel-8.10
- adcli-0.9.3.1-1.el10
- No
- Low
- rhel-idm-sssd
- ssg_idm
What were you trying to do that didn't work?
adcli should reset the DES encryption flag at the time of joining the AD domain if DES was set on the computer object.
If UF_USE_DES_KEY_ONLY is set on the computer object on AD, reset this flag while joining the domain using `adcli`.
For details refer to https://mail.google.com/mail/u/0/#sent/QgrcJHrhsvdXTJCwGWCplXtZRBJFGDrfTKG
Please provide the package NVR for which bug is seen:
How reproducible:
Steps to reproduce
- Create a computer object in the name of the Linux machine on the AD side and enable DES encryption.
- Try to join using adcli.
Expected results
Reset the DES flag
Actual results
Join output
```
Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
LANG=C /usr/sbin/adcli join --verbose --domain REDHAT.COM --domain-realm REDHAT.COM --domain-controller 10.x.x.x --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-496FQ2
Using domain name: REDHAT.COM
Calculated computer account name from fqdn: TESTBOX
Using domain realm: REDHAT.COM
Sending NetLogon ping to domain controller: 10.x.x.x
Received NetLogon info from: AD1.REDHAT.COM
Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-NZeIYW/krb5.d/adcli-krb5-conf-Xy8Je5
Using GSS-SPNEGO for SASL bind
Looked up short domain name: REDHAT
Looked up domain SID: xxxx
Received NetLogon info from: AD1.REDHAT.COM
Using fully qualified name: TESTBOX.redhat.com
Using domain name: REDHAT.COM
Using computer account name: TESTBOX
Using domain realm: REDHAT.COM
Calculated computer account name from fqdn: TESTBOX
Generated 120 character computer password
Using keytab: FILE:/etc/krb5.keytab
Found computer account for TESTBOX$ at: CN=xxx=com
Trying to set computer password with Kerberos
Set computer password
Retrieved kvno '8' for computer account in directory: CN=TESTBOX,OU=Unix,OU=xxxxDC=com
Checking RestrictedKrbHost/TESTBOX.xxx.com
Added RestrictedKrbHost/TESTBOX.xxx.com
Checking RestrictedKrbHost/TESTBOX
Added RestrictedKrbHost/TESTBOX
Checking host/TESTBOX.xxx.com
Added host/TESTBOX.xxx.com
Checking host/TESTBOX
Added host/TESTBOX
! Couldn't authenticate with keytab while discovering which salt to use: TESTBOX$@REDHAT.COM: KDC has no support for encryption type <---
Added the entries to the keytab: TESTBOX$@REDHAT.COM: FILE:/etc/krb5.keytab
Added the entries to the keytab: host/TESTBOX@REDHAT.COM: FILE:/etc/krb5.keytab
Added the entries to the keytab: host/TESTBOX.xxx.com@REDHAT.COM: FILE:/etc/krb5.keytab
Added the entries to the keytab: RestrictedKrbHost/TESTBOX@REDHAT.COM: FILE:/etc/krb5.keytab
Added the entries to the keytab: RestrictedKrbHost/TESTBOX.xxx.com@REDHAT.COM: FILE:/etc/krb5.keytab
/usr/bin/systemctl enable sssd.service
Created symlink /etc/systemd/system/multi-user.target.wants/sssd.service → /usr/lib/systemd/system/sssd.service.
/usr/bin/systemctl restart sssd.service
/usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2024-07-04-10-24-23.WYHZ6t
Profile "sssd" was selected.
```
Refer to https://mail.google.com/mail/u/0/#sent/QgrcJHrhsvdXTJCwGWCplXtZRBJFGDrfTKG
- links to
- RHBA-2025:157535 adcli update
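A pre-join audit for the condition this report describes, as an added example that is not part of the original report or of adcli: it scans LDIF text (the format `ldapsearch` prints) for computer objects that have UF_USE_DES_KEY_ONLY set in userAccountControl, or DES bits in msDS-SupportedEncryptionTypes, and reports the userAccountControl value with the DES-only bit cleared. The sample entries, DNs and function names are constructed for illustration; the bit values are the documented Active Directory constants.

```python
"""Audit AD computer entries (LDIF text) for DES-only Kerberos settings."""

UF_USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit: DES encryption types only
DES_ENCTYPES = 0x1 | 0x2         # msDS-SupportedEncryptionTypes: DES-CBC-CRC, DES-CBC-MD5

# Constructed sample shaped like ldapsearch output; all names and values are made up.
SAMPLE_LDIF = """\
dn: CN=TESTBOX,OU=Unix,DC=example,DC=com
sAMAccountName: TESTBOX$
userAccountControl: 2101248
msDS-SupportedEncryptionTypes: 3

dn: CN=WEBSRV,OU=Unix,DC=example,DC=com
sAMAccountName: WEBSRV$
userAccountControl: 4096
msDS-SupportedEncryptionTypes: 24
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per entry (single-valued attributes only)."""
    entries = []
    # LDIF wraps long lines with a leading space; unfold them, then split on blank lines.
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry[attr.lower()] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries):
    """List entries that would hit the DES problem, with the corrected UAC value."""
    findings = []
    for e in entries:
        uac = int(e.get("useraccountcontrol", "0"))
        enc = int(e.get("msds-supportedencryptiontypes", "0"))
        des_only = bool(uac & UF_USE_DES_KEY_ONLY)
        if des_only or enc & DES_ENCTYPES:
            findings.append({"dn": e["dn"], "des_only_flag": des_only,
                             "des_enctypes": bool(enc & DES_ENCTYPES),
                             "uac_without_flag": uac & ~UF_USE_DES_KEY_ONLY})
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```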