adcli using ldap:// (not ldaps://) for discovery (NetLogon ping) even when --use-ldaps is used
Current adcli still uses plain-text LDAP on port 389 for the LDAP ping (NetLogon base search). I was wondering if this was a requirement from the CLDAP days (via UDP), but at least today those searches seem to work fine with ldaps:// and an anonymous bind:
# ldapsearch -o ldif_wrap=no -x -LLL -s base -b "" -H ldaps://WIN-KRIET1E5ELO.internal.example.fake '(&(DnsDomain=INTERNAL.EXAMPLE.FAKE)(NtVer=\06\00\00\02))' NetLogon
dn:
netlogon:: FwAAAP3zAwBx2l+9Hl8GSramUWvHAA/iCGludGVybmFsB2V4YW1wbGUEZmFrZQDAGA9XSU4tS1JJRVQxRTVFTE/AGApJTlRFWEFNUExFAA9XSU4tS1JJRVQxRTVFTE8AABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAYQUAAAD/////
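To make the discovery step concrete, here is an added example (my own Python, not adcli or realmd code) that decodes the base64 netlogon attribute from the ldapsearch output above into the fields of a NETLOGON_SAM_LOGON_RESPONSE_EX structure (MS-ADTS 6.3.1.9) and rebuilds the ping filter adcli sends. It shows what the unauthenticated discovery search actually returns, which is the data used to pick the domain controller and site, and therefore why it matters whether that exchange is protected by TLS. The only input is the blob from this report; the flag names are the DS_*_FLAG values from MS-ADTS, and any bit not in that list is reported raw rather than named.

```python
import base64
import struct
import uuid

# The "netlogon" value from the ldapsearch output in this report (base64 of a
# NETLOGON_SAM_LOGON_RESPONSE_EX structure), copied verbatim.
NETLOGON_B64 = "FwAAAP3zAwBx2l+9Hl8GSramUWvHAA/iCGludGVybmFsB2V4YW1wbGUEZmFrZQDAGA9XSU4tS1JJRVQxRTVFTE/AGApJTlRFWEFNUExFAA9XSU4tS1JJRVQxRTVFTE8AABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAYQUAAAD/////"

OPCODES = {23: "LOGON_SAM_LOGON_RESPONSE_EX",
           24: "LOGON_SAM_PAUSE_RESPONSE_EX",
           25: "LOGON_SAM_USER_UNKNOWN_EX"}

# DS_*_FLAG bits of the Flags field (MS-ADTS 6.3.1.2); unlisted bits are kept raw.
DS_FLAGS = [
    (0x00000001, "PDC"), (0x00000004, "GC"), (0x00000008, "LDAP"),
    (0x00000010, "DS"), (0x00000020, "KDC"), (0x00000040, "TIMESERV"),
    (0x00000080, "CLOSEST"), (0x00000100, "WRITABLE"),
    (0x00000200, "GOOD_TIMESERV"), (0x00000400, "NDNC"),
    (0x00000800, "SELECT_SECRET_DOMAIN_6"), (0x00001000, "FULL_SECRET_DOMAIN_6"),
    (0x00002000, "WS"), (0x00004000, "DS_8"), (0x00008000, "DS_9"),
    (0x00010000, "DS_10"), (0x20000000, "DNS_CONTROLLER"),
    (0x40000000, "DNS_DOMAIN"), (0x80000000, "DNS_FOREST"),
]


def decode_flags(flags):
    """Return the names of the set DS flags, plus any unknown bits as hex."""
    names = [name for bit, name in DS_FLAGS if flags & bit]
    known = sum(bit for bit, _ in DS_FLAGS)
    unknown = flags & ~known & 0xFFFFFFFF
    if unknown:
        names.append("unknown:0x%08x" % unknown)
    return names


def read_name(buf, pos, depth=0):
    """Read an RFC 1035 compressed name at buf[pos]; return (name, next_pos).

    Compression pointers (0xC0 prefix) are followed with a depth limit so a
    malformed blob cannot make the parser loop forever.
    """
    if depth > 8:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        length = buf[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length & 0xC0 == 0xC0:
            target = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            tail, _ = read_name(buf, target, depth + 1)
            if tail:
                labels.append(tail)
            return ".".join(labels), pos + 2
        if length & 0xC0:
            raise ValueError("invalid label length byte 0x%02x" % length)
        pos += 1
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length


def decode_netlogon(blob):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX blob into a dict of fields."""
    if len(blob) < 40:
        raise ValueError("blob too short for a NetLogon EX response")
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    result = {
        "Opcode": OPCODES.get(opcode, "unknown(%d)" % opcode),
        "Flags": flags,
        "FlagNames": decode_flags(flags),
        "DomainGuid": str(uuid.UUID(bytes_le=blob[8:24])),
    }
    pos = 24
    for field in ("DnsForestName", "DnsDomainName", "DnsHostName",
                  "NetbiosDomainName", "NetbiosComputerName", "UserName",
                  "DcSiteName", "ClientSiteName"):
        result[field], pos = read_name(blob, pos)
    # Fixed trailer: NtVersion (4 bytes), LmNtToken (2), Lm20Token (2).
    nt_version, lmnt, lm20 = struct.unpack_from("<IHH", blob, len(blob) - 8)
    result.update(NtVersion=nt_version, LmNtToken=lmnt, Lm20Token=lm20)
    # Optional fields (DC socket address, next closest site) would sit between
    # the site names and the trailer; this response has none, so leftovers are
    # exposed raw instead of being interpreted.
    extra = blob[pos:len(blob) - 8]
    if extra:
        result["OptionalFieldsRaw"] = extra.hex()
    return result


def decode_page_response():
    """Decode the blob captured in this report."""
    return decode_netlogon(base64.b64decode(NETLOGON_B64))


def ldap_ping_filter(dns_domain, nt_version):
    """Build the ping filter: NtVer is a little-endian uint32, byte-escaped."""
    ntver = "".join("\\%02x" % b for b in struct.pack("<I", nt_version))
    return "(&(DnsDomain=%s)(NtVer=%s))" % (dns_domain, ntver)


if __name__ == "__main__":
    print(ldap_ping_filter("INTERNAL.EXAMPLE.FAKE", 0x02000006))
    for key, value in decode_page_response().items():
        print("%-20s %s" % (key, hex(value) if key == "Flags" else value))
```

Running it shows the DC answering as WIN-KRIET1E5ELO.internal.example.fake in site Default-First-Site-Name, advertising PDC, GC, KDC, LDAP, writable and "closest" among its flags; everything a client needs to commit to a particular DC comes from this one anonymous search.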
When port 389/tcp is blocked and realmd is used, the join fails:
# realm join -v --use-ldaps INTERNAL.EXAMPLE.FAKE
* Resolving: _ldap._tcp.internal.example.fake
* Performing LDAP DSE lookup on: 10.0.16.5
* Successfully discovered: internal.example.fake
Password for Administrator:
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain internal.example.fake --domain-realm INTERNAL.EXAMPLE.FAKE --use-ldaps --domain-controller 10.0.16.5 --login-type user --login-user Administrator --stdin-password
* Using domain name: internal.example.fake
* Calculated computer account name from fqdn: J-ADCLI-REALMD
* Using domain realm: internal.example.fake
* Sending NetLogon ping to domain controller: 10.0.16.5
! Couldn't perform discovery search: Can't contact LDAP server
* Using LDAPS to connect to 10.0.16.5
! Couldn't initialize TLS [Connect error]: (unknown error code)
adcli: couldn't connect to internal.example.fake domain: Couldn't initialize TLS [Connect error]: (unknown error code)
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
root@j-adcli-realmd:~# echo $?
1