Skip to content

adcli not using fqdn

Submitted by Marc H. Thoben

Assigned to Stef Walter

Link to original bug (#86107)

Description

adcli uses gethostname() to determine the FQDN, which only returns a short hostname. Maybe that's a misconfiguration on my part (GNU/Debian, libc6 2.19)? Googling, though, makes me believe that gethostname() on its own never returns a FQDN. That causes an error when adcli tries to register 2 host principles (host/<netbiosname> & host/<fqdn>) in the servicePrincipleName attribute, which are equal to windows:

root@ahtest1:~# adcli join --verbose --domain mpipz.mpg.de --domain-realm MPIPZ.MPG.DE --domain-controller 10.1.0.224 --login-type user --login-user mthoben_local --prompt-password

  • Using domain name: mpipz.mpg.de

  • Calculated computer account name from fqdn: AHTEST1

  • Using domain realm: mpipz.mpg.de

  • Sending netlogon pings to domain controller: ldap://10.1.0.224

  • Received NetLogon info from: ficus.mpipz.mpg.de

  • Wrote out krb5.conf snippet to /tmp/adcli-krb5-klhkXh/krb5.d/adcli-krb5-conf-7YO8mq Password for mthoben_local@MPIPZ.MPG.DE:

  • Authenticated as user: mthoben_local@MPIPZ.MPG.DE

  • Looked up short domain name: MPIPZ

  • Using fully qualified name: ahtest1 <================================================

  • Using domain name: mpipz.mpg.de

  • Using computer account name: AHTEST1

  • Using domain realm: mpipz.mpg.de

  • Calculated computer account name from fqdn: AHTEST1

  • Generated 120 character computer password

  • Using keytab: FILE:/etc/krb5.keytab

  • Using fully qualified name: ahtest1

  • Using domain name: mpipz.mpg.de

  • Using computer account name: AHTEST1

  • Using domain realm: mpipz.mpg.de

  • Looked up short domain name: MPIPZ

  • Computer account for AHTEST1$ does not exist

  • Found well known computer container at: CN=Computers,DC=mpipz,DC=mpg,DC=de

  • Calculated computer account: CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de

  • Created computer account: CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de

  • Set computer password

  • Retrieved kvno '2' for computer account in directory: CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de

  • Modifying computer account: dNSHostName

  • Modifying computer account: userAccountControl

  • Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack

  • Modifying computer account: userPrincipalName ! Couldn't set service principals on computer account CN=AHTEST1,CN=Computers,DC=mpipz,DC=mpg,DC=de: 00002083: AtrErr: DSID-03151331, #1 (closed): 0: 00002083: DSID-03151331, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)

  • Discovered which keytab salt to use

  • Added the entries to the keytab: AHTEST1$@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab

  • Added the entries to the keytab: HOST/AHTEST1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <================================================

  • Added the entries to the keytab: HOST/ahtest1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <================================================

  • Added the entries to the keytab: RestrictedKrbHost/AHTEST1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <===================================

  • Added the entries to the keytab: RestrictedKrbHost/ahtest1@MPIPZ.MPG.DE: FILE:/etc/krb5.keytab <===================================

In our case a "--host-fqdn" argument for realm (as adcli already has) would help. Or maybe replacing the call to gethostname() in adcli with something that is more resilient in figuring out the true FQDN.

Thanks for your help!