12:57 p.m.
Previously when using adcli to join a RHEL <7.7 system to the AD principles came out in
this format:
EXAMPLE$(a)AD.DOMAIN.COM
Now when doing a join with adcli we are getting principles in this format:
example$(a)AD.DOMAIN.COM
Is this still a legal NETBIOS name? I mean I know it can work, it is just a string from
kerbs perspective, but I was under the impression that the AD was pretty specific about
what it expected the host principle to be. I am still digging into this, but so far this
has broken some of our kerb code and it appears to have broken adcli update as well
because it is looking for the uppercase principle while only the lower case principle is
available in the keytab.
Thanks,
-Erinn
1:21 p.m.
On Thu, Aug 8, 2019, at 1:58 PM, Erinn Looney-Triggs wrote:
Previously when using adcli to join a RHEL <7.7 system to the AD
principles came out in this format:
EXAMPLE$(a)AD.DOMAIN.COM
Now when doing a join with adcli we are getting principles in this format:
example$(a)AD.DOMAIN.COM
Is this still a legal NETBIOS name? I mean I know it can work, it is
just a string from kerbs perspective, but I was under the impression
that the AD was pretty specific about what it expected the host
principle to be. I am still digging into this, but so far this has
broken some of our kerb code and it appears to have broken adcli update
as well because it is looking for the uppercase principle while only
the lower case principle is available in the keytab.
I'm very happy to see this change. This closely matches with how winbind previously
would to do the joins.
I don't know the answer to your specific question, but I am happy about the change.
V/r,
James Cassell
2:05 p.m.
Out of curiosity, why are you happy to see this change?
-Erinn
On 8/8/19 12:21 PM, James Cassell wrote:
> On Thu, Aug 8, 2019, at 1:58 PM, Erinn Looney-Triggs wrote:
>> Previously when using adcli to join a RHEL <7.7 system to the AD
>> principles came out in this format:
>> EXAMPLE$(a)AD.DOMAIN.COM
>>
>> Now when doing a join with adcli we are getting principles in this format:
>> example$(a)AD.DOMAIN.COM
>>
>> Is this still a legal NETBIOS name? I mean I know it can work, it is
>> just a string from kerbs perspective, but I was under the impression
>> that the AD was pretty specific about what it expected the host
>> principle to be. I am still digging into this, but so far this has
>> broken some of our kerb code and it appears to have broken adcli update
>> as well because it is looking for the uppercase principle while only
>> the lower case principle is available in the keytab.
>>
> I'm very happy to see this change. This closely matches with how winbind
previously would to do the joins.
>
> I don't know the answer to your specific question, but I am happy about the
change.
>
> V/r,
> James Cassell
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1:21 a.m.
On Thu, Aug 08, 2019 at 05:57:46PM -0000, Erinn Looney-Triggs wrote:
Previously when using adcli to join a RHEL <7.7 system to the AD
principles came out in this format:
EXAMPLE$(a)AD.DOMAIN.COM
Now when doing a join with adcli we are getting principles in this format:
example$(a)AD.DOMAIN.COM
Hi,
I cannot reproduce this behavior with adcli-0.8.1-9.el7 which should be
the version delivered with RHEL-7.7. Can you send the 'adcli join -v
...' output so that I can compare what might be different on my test
system? Feel free to send it to me directly if you do not want to share
it on the list.
bye,
Sumit
>
> Is this still a legal NETBIOS name? I mean I know it can work, it is just a string
from kerbs perspective, but I was under the impression that the AD was pretty specific
about what it expected the host principle to be. I am still digging into this, but so far
this has broken some of our kerb code and it appears to have broken adcli update as well
because it is looking for the uppercase principle while only the lower case principle is
available in the keytab.
>
> Thanks,
> -Erinn
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
4:41 p.m.
Apologies, the issue is we moved from using winbind via realmd which now seems to be
broken due to this: https://bugzilla.samba.org/show_bug.cgi?id=14007 to using adcli, our
realmd.conf file had previously lower cased the computer-name like so:
computer-name = example
And samba apparently uppercased it on the join (EXAMPLE$). adcli appears not to do that
(example$). After some long research it looks like lower case is entirely legit for
NETBIOS names, but for whatever reason samba chooses to upper case the names.
So the change in behavior was unexpected, but is valid. However, getting net ads join to
work again in RHEL 7.7 is probably a good idea on Red Hat's part.
In short I expected adcli to act like net ads join, it doesn't, the former will accept
upper or lower case and probably anything in between, the latter upper cases the name.
Solution was to upper case the name with ADCLI so that it matches what we had previously.
Longer term solution is to be case insensitive when looking for a principle in the
keytab.
-Erinn
1:30 a.m.
On Mon, Aug 12, 2019 at 09:41:31PM -0000, Erinn Looney-Triggs wrote:
Apologies, the issue is we moved from using winbind via realmd which
now seems to be broken due to this: https://bugzilla.samba.org/show_bug.cgi?id=14007 to
using adcli, our realmd.conf file had previously lower cased the computer-name like so:
computer-name = example
Hi,
thank's for the explanation.
And samba apparently uppercased it on the join (EXAMPLE$). adcli appears not to do that
(example$). After some long research it looks like lower case is entirely legit for
NETBIOS names, but for whatever reason samba chooses to upper case the names.
Yes, lower-case characters are valid in NetBIOS names, the all
upper-case style is a historic convention.
So the change in behavior was unexpected, but is valid. However, getting net ads join to
work again in RHEL 7.7 is probably a good idea on Red Hat's part.
In short I expected adcli to act like net ads join, it doesn't, the former will
accept upper or lower case and probably anything in between, the latter upper cases the
name. Solution was to upper case the name with ADCLI so that it matches what we had
previously. Longer term solution is to be case insensitive when looking for a principle in
the keytab.
If adcli derives the computer-name from the hostname it will
automatically upper-case the name. If the computer-name is explicitly
given at the command line or in realmd.conf it is taken as is. Do you
think it would be ok to enhance the man page explaining the difference
and saying that the name should be upper-case for maximal compatibility?
About looking up principles case insensitive, according to the related
RFCs Kerberos principal are case sensitive. Unfortunately AD implements
this case insensitive which causes confusion at various places.
bye,
Sumit
>
> -Erinn
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1716
days inactive
1721
days old
sssd-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
Erinn Looney-Triggs -
James Cassell -
Sumit Bose