Previously when using adcli to join a RHEL <7.7 system to the AD, principals came out in this format: EXAMPLE$@AD.DOMAIN.COM
Now when doing a join with adcli we are getting principals in this format: example$@AD.DOMAIN.COM
Is this still a legal NETBIOS name? I mean I know it can work, it is just a string from kerb's perspective, but I was under the impression that the AD was pretty specific about what it expected the host principal to be. I am still digging into this, but so far this has broken some of our kerb code and it appears to have broken adcli update as well because it is looking for the uppercase principal while only the lower case principal is available in the keytab.
Thanks, -Erinn
On Thu, Aug 8, 2019, at 1:58 PM, Erinn Looney-Triggs wrote:
Previously when using adcli to join a RHEL <7.7 system to the AD, principals came out in this format: EXAMPLE$@AD.DOMAIN.COM
Now when doing a join with adcli we are getting principals in this format: example$@AD.DOMAIN.COM
Is this still a legal NETBIOS name? I mean I know it can work, it is just a string from kerb's perspective, but I was under the impression that the AD was pretty specific about what it expected the host principal to be. I am still digging into this, but so far this has broken some of our kerb code and it appears to have broken adcli update as well because it is looking for the uppercase principal while only the lower case principal is available in the keytab.
I'm very happy to see this change. This closely matches with how winbind previously would do the joins.
I don't know the answer to your specific question, but I am happy about the change.
V/r, James Cassell
Out of curiosity, why are you happy to see this change?
-Erinn
On 8/8/19 12:21 PM, James Cassell wrote:
On Thu, Aug 8, 2019, at 1:58 PM, Erinn Looney-Triggs wrote:
Previously when using adcli to join a RHEL <7.7 system to the AD, principals came out in this format: EXAMPLE$@AD.DOMAIN.COM
Now when doing a join with adcli we are getting principals in this format: example$@AD.DOMAIN.COM
Is this still a legal NETBIOS name? I mean I know it can work, it is just a string from kerb's perspective, but I was under the impression that the AD was pretty specific about what it expected the host principal to be. I am still digging into this, but so far this has broken some of our kerb code and it appears to have broken adcli update as well because it is looking for the uppercase principal while only the lower case principal is available in the keytab.
I'm very happy to see this change. This closely matches with how winbind previously would do the joins.
I don't know the answer to your specific question, but I am happy about the change.
V/r, James Cassell
On Thu, Aug 08, 2019 at 05:57:46PM -0000, Erinn Looney-Triggs wrote:
Previously when using adcli to join a RHEL <7.7 system to the AD, principals came out in this format: EXAMPLE$@AD.DOMAIN.COM
Now when doing a join with adcli we are getting principals in this format: example$@AD.DOMAIN.COM
Hi,
I cannot reproduce this behavior with adcli-0.8.1-9.el7 which should be the version delivered with RHEL-7.7. Can you send the 'adcli join -v ...' output so that I can compare what might be different on my test system? Feel free to send it to me directly if you do not want to share it on the list.
bye, Sumit
Is this still a legal NETBIOS name? I mean I know it can work, it is just a string from kerb's perspective, but I was under the impression that the AD was pretty specific about what it expected the host principal to be. I am still digging into this, but so far this has broken some of our kerb code and it appears to have broken adcli update as well because it is looking for the uppercase principal while only the lower case principal is available in the keytab.
Thanks, -Erinn
Apologies, the issue is we moved from using winbind via realmd which now seems to be broken due to this: https://bugzilla.samba.org/show_bug.cgi?id=14007 to using adcli, our realmd.conf file had previously lower cased the computer-name like so:
computer-name = example
And samba apparently uppercased it on the join (EXAMPLE$). adcli appears not to do that (example$). After some long research it looks like lower case is entirely legit for NETBIOS names, but for whatever reason samba chooses to upper case the names.
So the change in behavior was unexpected, but is valid. However, getting net ads join to work again in RHEL 7.7 is probably a good idea on Red Hat's part.
In short I expected adcli to act like net ads join, it doesn't, the former will accept upper or lower case and probably anything in between, the latter upper cases the name. Solution was to upper case the name with ADCLI so that it matches what we had previously. Longer term solution is to be case insensitive when looking for a principal in the keytab.
-Erinn
On Mon, Aug 12, 2019 at 09:41:31PM -0000, Erinn Looney-Triggs wrote:
Apologies, the issue is we moved from using winbind via realmd which now seems to be broken due to this: https://bugzilla.samba.org/show_bug.cgi?id=14007 to using adcli, our realmd.conf file had previously lower cased the computer-name like so:
computer-name = example
Hi,
thanks for the explanation.
And samba apparently uppercased it on the join (EXAMPLE$). adcli appears not to do that (example$). After some long research it looks like lower case is entirely legit for NETBIOS names, but for whatever reason samba chooses to upper case the names.
Yes, lower-case characters are valid in NetBIOS names, the all upper-case style is a historic convention.
So the change in behavior was unexpected, but is valid. However, getting net ads join to work again in RHEL 7.7 is probably a good idea on Red Hat's part.
In short I expected adcli to act like net ads join, it doesn't, the former will accept upper or lower case and probably anything in between, the latter upper cases the name. Solution was to upper case the name with ADCLI so that it matches what we had previously. Longer term solution is to be case insensitive when looking for a principal in the keytab.
If adcli derives the computer-name from the hostname it will automatically upper-case the name. If the computer-name is explicitly given at the command line or in realmd.conf it is taken as is. Do you think it would be ok to enhance the man page explaining the difference and saying that the name should be upper-case for maximal compatibility?
About looking up principals case insensitively, according to the related RFCs Kerberos principals are case sensitive. Unfortunately AD implements this case insensitively, which causes confusion at various places.
bye, Sumit
-Erinn
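A check for the keytab situation the thread describes (a computer-account principal present only in one case while a tool looks for it in another), written as an added example that is not part of the list thread or of adcli/SSSD: it reads `klist -k` output and reports whether `NAME$@REALM` is present exactly, present only under a different case, or absent. The `klist` output embedded below is constructed for the example; the function name is my own.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not captured from a
# real host), used so the check runs offline. As in the thread, the keytab holds
# the computer-account principal only in lower case.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 example$@AD.DOMAIN.COM
   2 host/example.ad.domain.com@AD.DOMAIN.COM
   2 host/EXAMPLE@AD.DOMAIN.COM'

# find_computer_principal NAME REALM [KLIST_OUTPUT]
# Looks for NAME$@REALM in the keytab listing, comparing case-insensitively
# (AD treats principals that way; MIT Kerberos and adcli do not).
# Prints the principal(s) as actually stored, one per line, so the caller can
# see which case the keytab really contains. Exit status:
#   0  exact-case match present
#   2  present only under a different case (the mismatch from the thread)
#   1  not present at all
# KLIST_OUTPUT is optional; without it the live keytab is read.
find_computer_principal() {
    name=$1; realm=$2
    out=${3:-$(klist -k /etc/krb5.keytab 2>/dev/null)}
    printf '%s\n' "$out" | awk -v want="$(printf '%s$@%s' "$name" "$realm")" '
        # Only lines that start with a numeric KVNO carry a principal.
        $1 ~ /^[0-9]+$/ && tolower($2) == tolower(want) {
            print $2
            if ($2 == want) exact = 1; else other = 1
        }
        END { if (exact) exit 0; if (other) exit 2; exit 1 }'
}
```

Run with the computer name your tooling expects (for example `EXAMPLE`); exit status 2 is the situation where `adcli update` would fail to find its principal.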