Use correct netbios name when leaving a domain joined with net ads
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| realmd (Ubuntu) |
Fix Released
|
Undecided
|
Andreas Hasenack | ||
Bug Description
WHen a domain was joined using samba as the join software (i.e., net ads join was used), and a custom computer name was specified, then this same name should be used when leaving the domain with the -r option, to remove the computer. Otherwise the "net ads leave" command will try to use the hostname and won't find it in AD:
# joining with a custom name of GG, whereas hostname is g-adclient1:
root@g-adclient1:~# realm -v join ad1.example.com --client-
* Resolving: _ldap._
* Performing LDAP DSE lookup on: 10.51.0.5
* Successfully discovered: ad1.example.com
* Unconditionally checking packages
* Resolving required packages
* Joining using a manual netbios name: GG
* LANG=C LOGNAME=root KRB5CCNAME=
DNS update failed: NT_STATUS_
Using short domain name -- AD1
Joined 'GG' to dns domain 'ad1.example.com'
No DNS domain configured for gg. Unable to perform DNS Update.
* LANG=C LOGNAME=root KRB5CCNAME=
* /usr/sbin/
* /usr/sbin/service winbind restart
* Successfully enrolled machine in realm
Computer entry created with the name GG:
root@g-adclient1:~# ldapsearch '(|(cn=
dn: CN=GG,CN=
Leaving fails to find the computer, as it looks for g-adclient1:
root@g-adclient1:~# realm -v leave ad1.example.com --client-
Password for Administrator:
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/
Enter Administrator's password:Host account for g-adclient1 does not exist.
Failed to leave domain: failed to leave realm: No such object
! Leaving the domain ad1.example.com failed
* Removing entries from keytab for realm
* Updating smb.conf file
* /usr/sbin/
* /usr/sbin/service winbind stop
* Successfully unenrolled machine from realm
root@g-adclient1:~# ldapsearch '(|(cn=
dn: CN=GG,CN=
Related branches
- Christian Ehrhardt (community): Approve
- Rafael David Tinoco (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 3377 lines (+3187/-1)30 files modifieddebian/changelog (+63/-0)
debian/control (+2/-1)
debian/patches/0001-Add-missing-xsl-file-to-Makefile.am.patch (+29/-0)
debian/patches/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch (+163/-0)
debian/patches/0001-Fix-issues-found-by-Coverity.patch (+37/-0)
debian/patches/0001-Fix-man-page-reference-in-systemd-service-file.patch (+27/-0)
debian/patches/0001-IPA-do-not-call-sssd-enable-logins.patch (+58/-0)
debian/patches/0001-LDAP-don-t-close-LDAP-socket-twice.patch (+43/-0)
debian/patches/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch (+49/-0)
debian/patches/0001-Use-current-idmap-options-for-smb.conf.patch (+178/-0)
debian/patches/0001-doc-make-sure-cross-reference-ids-are-predictable.patch (+1502/-0)
debian/patches/0002-Change-qualified-names-default-for-IPA.patch (+105/-0)
debian/patches/0002-Use-startTLS-with-FreeIPA.patch (+76/-0)
debian/patches/0002-configure-do-not-inherit-DISTRO-from-the-environment.patch (+34/-0)
debian/patches/0002-tools-remove-duplicated-va_start.patch (+27/-0)
debian/patches/0003-discover-try-to-get-domain-name-from-hostname.patch (+71/-0)
debian/patches/0003-doc-extend-user-principal-section.patch (+77/-0)
debian/patches/0003-service-remove-dead-code.patch (+35/-0)
debian/patches/0003-service-use-net-ads-join-with-k-for-user-join-as-wel.patch (+34/-0)
debian/patches/0004-doc-fix-discover-name-only.patch (+28/-0)
debian/patches/0004-service-check-return-value-of-fcntl.patch (+38/-0)
debian/patches/0004-service-use-additional-dns-hostnames-with-net-ads-jo.patch (+169/-0)
debian/patches/0005-doc-add-see-also-to-man-pages.patch (+48/-0)
debian/patches/0005-service-avoid-dereference-of-a-null-pointer.patch (+41/-0)
debian/patches/0006-doc-extend-description-of-config-handling.patch (+106/-0)
debian/patches/0006-service-avoid-dereferencing-a-NULL-pointer.patch (+26/-0)
debian/patches/0007-service-use-kerberos-method-secrets-and-keytab.patch (+32/-0)
debian/patches/dont-add-services-line.patch (+41/-0)
debian/patches/install-libnss-winbind.patch (+19/-0)
debian/patches/series (+29/-0)
| summary: |
- Use correct netbios name when leaving a domain + Use correct netbios name when leaving a domain joined with net ads |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in realmd (Ubuntu): | |
| status: | In Progress → Fix Released |
This bug was fixed in the package realmd - 0.16.3-3ubuntu1
---------------
realmd (0.16.3-3ubuntu1) groovy; urgency=medium
* d/p/0001-
socket twice.
* d/p/0001-
manpage is realm(8), not realmd(8)
* d/p/0001-
idmap options in smb.conf for modern versions of samba (LP: #1894153)
* d/p/0001-
NetBIOS name in keytab while leaving the domain (LP: #1894340)
* d/p/0001-
Coverity
* d/p/0002-
qualified names default for IPA
* d/p/0003-
there is no domain name returned by DHCP check if the hostname
contains a domain part and use this to discover a realm.
* d/p/0001-
sssd-
* d/p/0001-
install the latest version of a package when resolving packages with
PackageKit
* d/p/0001-
sure cross-reference ids are predictable
* d/p/0002-
va_start()
* d/p/0003-
* d/p/0004-
value of fcntl()
* d/p/0005-
dereference of a null pointer
* d/p/0006-
dereferencing a NULL pointer
* d/p/0001-
file to Makefile.am
* d/p/0002-
do not inherit DISTRO from the environment
* d/p/0003-
user-principal section
* d/p/0004-
name-only parameter
* d/p/0005-
man pages
* d/p/0006-
description of config handling
* d/p/0007-
using Samba with Winbind, set "kerberos method" to "secrets and keytab"
* d/p/install-
(LP: #1894150)
* d/p/dont-
services are socket activated and don't need a "services" line in
sssd.conf (LP: #1880157)
* d/p/0004-
when using samba to join a domain, and the client is from a different
domain, also set "additional dns hostnames"
* d/p/0002-
when talking to FreeIPA
* d/p/0003-
when joining using samba, ...