If you suspect adcli you can try git:
https://cgit.freedesktop.org/realmd/adcli/log/
It was over a year since 0.9.0 was released.
On Fri, 2020-11-20 at 10:03 -0600, Spike White wrote:
All,
This is just an annoyance that occurs periodically and we can't figure out why. We
know how to remediate once seen.
Every now and then, on a new build the sssd join/configure will fail. For example, a
server provisioner today built 10 boxes and 2 failed. Upon closer inspection, we see that
AD domain has machine accounts with funky names.
For example, these three VMs were built. ausflinfsfdcap01 - 03. 01 and 02 built fine,
sssd installed, adcli join succeeded, life was good. We find the usual machine accounts
in the usual OU.
CN=ausflinfsfdcap01, CN=ausflinfsfdcap02
On 03, the adcli join failed. In AD, we find the following funky machine accounts (in the
usual OU):
CN=AUSFLINFSFDCAP0\0ACNF:5020ab3d-243a-4ef1-827b-d421c0dcf3d0
CN=AUSFLINFSFDCAP0
This first machine account name is fairly typical when this failure occurs. This second
I've never seen this particular type of funky name server. I.e., a truncated
hostname.
When I try adcli join again right now, it will fail (because of these funky named machine
accounts).
I delete these funky machine accounts via ldapdelete. Example:
ldapdelete -H
ldap://ausdcamer.example.com<https://nam11.safelinks.protection.outloo...
'CN=AUSFLINFSFDCAP0\0ACNF:5020ab3d-243a-4ef1-827b-d421c0dcf3d0,OU=Servers,OU=UNIX,DC=example,DC=com'
then I delete /etc/krb5.keytab file (if it exists) and re-run the adcli join -- which then
succeeds.
So like I say -- we know how to work around this failure mode. It's just a nuisance
at this point. Usually occurs << 10% of builds.
But does anyone know why these funky-named machine accounts arise? And how to avoid
this?
Spike
_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe...
List Guidelines:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap...
List Archives:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f...