Our DHCP sets clients with dynamically configured IP into a subdomain .client.DOMAIN, while clients with static IP go to .DOMAIN.
Example: I join clients to AD using sssd for authentication.

  realm join --automatic-id-mapping=no --membership-software=adcli DOMAIN

The FQDN for this client is: kubuntu-lts.client.mpi-dortmund.mpg.de

realm sets correct keytab entries with correct FQDN including subdomain .client:

root@kubuntu-lts:/etc/sssd# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 host/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 host/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 host/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 host/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 host/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 host/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 RestrictedKrbHost/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)

Now joining the same test VM using winbind for authentication.

  realm join --automatic-id-mapping=no --membership-software=samba --client-software=winbind DOMAIN

The FQDN for this client is still: kubuntu-lts.client.mpi-dortmund.mpg.de

realm sets incorrect keytab entries without subdomain .client:

root@kubuntu-lts:/etc/sssd# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 restrictedkrbhost/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (etype 1)
   4 restrictedkrbhost/kubuntu-...@mpi-dortmund.mpg.de (etype 1)
   4 restrictedkrbhost/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (etype 3)
   4 restrictedkrbhost/kubuntu-...@mpi-dortmund.mpg.de (etype 3)
   4 restrictedkrbhost/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   4 restrictedkrbhost/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   4 restrictedkrbhost/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   4 restrictedkrbhost/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   4 restrictedkrbhost/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   4 restrictedkrbhost/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)
   4 host/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (etype 1)
   4 host/kubuntu-...@mpi-dortmund.mpg.de (etype 1)
   4 host/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (etype 3)
   4 host/kubuntu-...@mpi-dortmund.mpg.de (etype 3)
   4 host/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   4 host/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   4 host/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   4 host/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   4 host/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   4 host/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (etype 1)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (etype 3)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   4 cifs/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (etype 1)
   4 cifs/kubuntu-...@mpi-dortmund.mpg.de (etype 1)
   4 cifs/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (etype 3)
   4 cifs/kubuntu-...@mpi-dortmund.mpg.de (etype 3)
   4 cifs/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   4 cifs/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   4 cifs/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   4 cifs/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   4 cifs/kubuntu-lts.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   4 cifs/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)

If you need any other information, let me know.

-- 
https://bugs.launchpad.net/bugs/1905000

Title:
  realm join DOMAIN (samba) sets wrong krb5.keytab (missing subdomain)
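
The mismatch shown in the report above can be checked for mechanically after a join. The following is an added example, not part of the original report and not realmd, adcli or Samba code: the function names check_keytab_spns and sample_keytab_listing and the example.test host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag service principals in `klist -ke` output whose host part
# is neither the expected FQDN nor the short hostname.
# Real use: klist -ke /etc/krb5.keytab | check_keytab_spns "$(hostname -f)"

# check_keytab_spns FQDN   (hypothetical helper; reads klist output on stdin)
# Prints one MISMATCH line per distinct bad principal; exit status 1 if any.
check_keytab_spns() {
    awk -v fqdn="$1" '
    BEGIN {
        fqdn = tolower(fqdn)
        short = fqdn
        sub(/\..*/, "", short)      # short hostname = first DNS label
        bad = 0
    }
    # Entry lines: "<kvno> <service>/<host>@<REALM> (<enctype>)".
    # Machine-account entries (NAME$@REALM) have no "/" and are skipped.
    $1 ~ /^[0-9]+$/ && index($2, "/") > 0 {
        spn = $2
        sub(/@.*/, "", spn)         # drop the realm
        host = tolower(substr(spn, index(spn, "/") + 1))
        if (host != fqdn && host != short && !(spn in seen)) {
            seen[spn] = 1           # report each principal once, not per enctype
            print "MISMATCH " spn " (expected host " fqdn ")"
            bad = 1
        }
    }
    END { exit bad }
    '
}

# Constructed sample, not the reporter's keytab: entries written without the
# "client" subdomain for a machine whose FQDN is ws01.client.example.test.
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/ws01.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   4 host/ws01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 host/ws01@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 cifs/ws01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 WS01$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
EOF
}
```

The non-zero exit status on any mismatch lets the function serve as a post-join check in provisioning scripts.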