adcli: not adding an additional service-name

Bug #1831448 reported by Alexander Fieroch
This bug affects 2 people
Affects            Status        Importance   Assigned to   Milestone
adcli (CentOS)     Unknown       Unknown
adcli (Debian)     Fix Released  Unknown
adcli (Ubuntu)     Won't Fix     Undecided    Unassigned
  Xenial           Won't Fix     Undecided    Unassigned
  Bionic           Won't Fix     Undecided    Unassigned
  Disco            Won't Fix     Undecided    Unassigned
  Eoan             Won't Fix     Undecided    Unassigned
  Focal            Fix Released  Undecided    Unassigned

Bug Description

I'm trying to add service principals to my computer in an Active Directory environment. The command runs without errors but the computer account attribute "servicePrincipalName" in AD is not changed.

The man page says

-----

--service-name=service

Additional service name for a Kerberos principal to be created on the computer account. This option may be specified multiple times.

------

I've tried this by

 adcli -v update --service-name=nfs -D DOMAIN -C /tmp/krb5cc_11872_nXpkOu --show-details

and got

 * Found realm in keytab: DOMAIN
 * Found service principal in keytab: host/m15015-lin.DOMAIN
 * Found host qualified name in keytab: host/m15015-lin.DOMAIN
 * Found service principal in keytab: host/M15015-LIN
 * Found computer name in keytab: M15015-LIN
 * Found service principal in keytab: host/m15015-lin
 * Using domain name: DOMAIN
 * Calculated computer account name from fqdn: M15015-LIN
 * Using domain realm: DOMAIN
 * Discovering domain controllers: _ldap._tcp.DOMAIN
 * Sending netlogon pings to domain controller: cldap://X.X.X.X
 * Sending netlogon pings to domain controller: cldap://X.X.X.X
 * Sending netlogon pings to domain controller: cldap://X.X.x.X
 * Received NetLogon info from: WinDC3.DOMAIN
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-Q9bim6/krb5.d/adcli-krb5-conf-ZzF3Xh
 * Looked up short domain name: DOMAIN
 * Using fully qualified name: m15015-lin
 * Using domain name: DOMAIN
 * Using computer account name: M15015-LIN
 * Using domain realm: DOMAIN
 * Using fully qualified name: m15015-lin.DOMAIN
 * Enrolling computer name: M15015-LIN
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for M15015-LIN$ at: CN=M15015-LIN,OU=Linux-Clients,OU=Client Computer,DC=DOMAIN
 * Retrieved kvno '2' for computer account in directory: CN=M15015-LIN,OU=Linux-Clients,OU=Client Computer,DC=DOMAIN
 * Password not too old, no change needed
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem
 * Modifying computer account: userPrincipalName

The error code is 0. The command-line option --service-name is not working, or am I using the wrong argument? --service-name="nfs/HOSTNAME" is not working either.

However, my AD and Kerberos configuration is working, and other updates to the computer account in AD work, for example:
  adcli -v update --os-version=19.04 -D DOMAIN -C /tmp/krb5cc_11872_nXpkOu --show-details
This updates the attribute "operatingSystemVersion" for the computer account in AD.

---
Ubuntu 19.04
adcli 0.8.2-1
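Since adcli exits with 0 here while changing nothing, an independent check of the two places a new SPN must land (the local keytab and the computer object's servicePrincipalName attribute) is the practical way to catch this. The following is an added example, not part of the bug report or of adcli: it parses klist -k and ldapsearch output (constructed samples modelled on the report's principals) and reports whether the requested SPN is in the keytab, in AD, both or neither; live_check and its ldapsearch invocation are assumptions (GSSAPI bind with a valid ticket, realm name resolving as the AD domain).

```shell
# Added verification helper; not part of the bug report or of adcli.

# Constructed sample of `klist -k /etc/krb5.keytab` after the failing run
# in the report: only host/ principals, no nfs/ entry.
SAMPLE_KEYTAB_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------
   2 host/m15015-lin.DOMAIN@DOMAIN
   2 host/M15015-LIN@DOMAIN
   2 host/m15015-lin@DOMAIN
   2 M15015-LIN$@DOMAIN'

# Constructed sample after a run that did add the nfs service.
SAMPLE_KEYTAB_AFTER="$SAMPLE_KEYTAB_BEFORE
   2 nfs/m15015-lin.DOMAIN@DOMAIN
   2 nfs/M15015-LIN@DOMAIN"

# Constructed samples of `ldapsearch -LLL ... servicePrincipalName` for the
# computer object, before and after the SPNs were added.
SAMPLE_LDAP_BEFORE='dn: CN=M15015-LIN,OU=Linux-Clients,OU=Client Computer,DC=DOMAIN
servicePrincipalName: host/m15015-lin.DOMAIN
servicePrincipalName: host/M15015-LIN'
SAMPLE_LDAP_AFTER="$SAMPLE_LDAP_BEFORE
servicePrincipalName: nfs/m15015-lin.DOMAIN
servicePrincipalName: nfs/M15015-LIN"

# spn_in_keytab SERVICE HOST REALM KLIST_OUTPUT
# Succeeds if a data line "<kvno> SERVICE/HOST@REALM" exists. Kerberos
# principal names are case-sensitive, so the comparison is exact.
spn_in_keytab() {
    printf '%s\n' "$4" |
        awk -v p="$1/$2@$3" '$1 ~ /^[0-9]+$/ && $2 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# spn_in_ad SERVICE HOST LDIF
# Succeeds if "servicePrincipalName: SERVICE/HOST" exists. AD matches SPNs
# case-insensitively, so compare lower-cased.
spn_in_ad() {
    printf '%s\n' "$3" |
        awk -v p="servicePrincipalName: $1/$2" 'tolower($0) == tolower(p) { f = 1 } END { exit f ? 0 : 1 }'
}

# check_service_spn SERVICE HOST REALM KLIST_OUTPUT LDIF
# Prints ok, missing-keytab, missing-ad or missing-both. Only "ok" is usable:
# without the AD attribute the KDC issues no tickets for the SPN; without
# the keytab entry the service cannot decrypt the tickets it receives.
check_service_spn() {
    k=0; a=0
    spn_in_keytab "$1" "$2" "$3" "$4" && k=1
    spn_in_ad "$1" "$2" "$5" && a=1
    if [ "$k" -eq 1 ] && [ "$a" -eq 1 ]; then echo ok
    elif [ "$k" -eq 1 ]; then echo missing-ad
    elif [ "$a" -eq 1 ]; then echo missing-keytab
    else echo missing-both
    fi
}

# live_check SERVICE HOST REALM BASE_DN  (assumed usage, not run here)
# Needs a ticket for the GSSAPI bind and assumes REALM also resolves as the
# AD DNS domain, as in the report. Example:
#   live_check nfs m15015-lin.DOMAIN DOMAIN 'CN=M15015-LIN,OU=Linux-Clients,OU=Client Computer,DC=DOMAIN'
live_check() {
    check_service_spn "$1" "$2" "$3" \
        "$(klist -k /etc/krb5.keytab)" \
        "$(ldapsearch -LLL -Y GSSAPI -H "ldap://$3" -b "$4" -s base servicePrincipalName)"
}
```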

Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

I'm having an issue with using adcli to add a service name on Ubuntu 18.04 as well. It works on RHEL8.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adcli (Ubuntu):
status: New → Confirmed
Revision history for this message
Alexander Fieroch (fieroch) wrote :

I've tested it on CentOS 7 as well and it is working there!

  adcli -v update --service-name="nfs/centos7" --os-version=centos -D DOMAIN -C /tmp/krb5cc_0 --show-details

This adds nfs service principals on CentOS 7 with adcli 0.8.1

# yum info adcli
Geladene Plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.23media.com
 * centosplus: mirror.imt-systems.com
 * epel: mirror.imt-systems.com
 * extras: mirror.imt-systems.com
 * updates: mirror.imt-systems.com
Installierte Pakete
Name : adcli
Architektur : x86_64
Version : 0.8.1
Ausgabe : 6.el7_6.1
Größe : 318 k
Quelle : installed
Aus Quelle : updates
Zusammenfassung: Active Directory enrollment
URL : http://cgit.freedesktop.org/realmd/adcli
Lizenz : LGPLv2+
Beschreibung: adcli is a library and tool for joining an Active Directory domain using
            : standard LDAP and Kerberos calls.

On Ubuntu 19.04 there is
  adcli 0.8.2-1 amd64 Tool for performing actions on an Active Directory domain

but

  adcli -v update --service-name="nfs/kubuntu-latest" --os-version=ubuntu -D DOMAIN -C /tmp/krb5cc_10011_RNMrYn --show-details

does not change anything.
If I only update --os-version, it works. When trying to update only --service-name, nothing happens to the AD attributes.

Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

Hi Alexander,

RedHat fixed this issue in https://rhn.redhat.com/errata/RHBA-2016-0763.html , which is why CentOS 7 works, but I think the patch needs to be ported to Ubuntu.

Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

FYI, the related RedHat bugzilla bug is at https://bugzilla.redhat.com/show_bug.cgi?id=1644311

Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

Sorry, I gave the wrong RedHat errata link. Here is the right one:
https://access.redhat.com/errata/RHEA-2019:2256

Revision history for this message
Alexander Fieroch (fieroch) wrote :

Thanks! So I'm looking forward to someone porting a new package for Ubuntu...

Eric Desrochers (slashd)
Changed in adcli (Ubuntu Eoan):
status: Confirmed → In Progress
assignee: nobody → Eric Desrochers (slashd)
Revision history for this message
Eric Desrochers (slashd) wrote :

$ rmadison adcli
 adcli | 0.7.5-1 | trusty/universe | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 adcli | 0.8.1-1 | xenial/universe | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 adcli | 0.8.2-1 | bionic/universe | source, amd64, arm64, armhf, i386, ppc64el, s390x
 adcli | 0.8.2-1 | disco/universe | source, amd64, arm64, armhf, i386, ppc64el, s390x
 adcli | 0.8.2-1 | eoan/universe | source, amd64, arm64, armhf, i386, ppc64el, s390x

$ git log --oneline --grep="id=1644311"
4987a21 library: return error if no matching key was found
cd296bf join: always add service principals

$ git describe --contains 4987a21
0.9.0~23

$ git describe --contains cd296bf
0.9.0~24

Revision history for this message
Jason Edgecombe (jwedgeco) wrote : Re: [Bug 1831448] Re: adcli: not adding an additional service-name

How can I get the new version to test?

Revision history for this message
Eric Desrochers (slashd) wrote :

I'm investigating the feasibility of the patchset's backport at the moment.
I'll update the bug as I make progress.

Regards,
Eric

Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

Sounds good, thanks!

Revision history for this message
Eric Desrochers (slashd) wrote :

After analysis, the 2 mentioned fixes depend on a few other commits, as the fixes have been made on top of and/or using functions not yet implemented in version "0.8.2-1". This means there is a significant amount of code to change/add that goes beyond the fix itself.

I'm afraid this won't be eligible/suitable for SRU.

As an alternative, a request[0] to the Ubuntu Backport Team[1] could possibly be tried to see if a home for "adcli - 0.9.0" (with the required fixes) can be found in bionic-backports[2] instead, which IMHO would be more suitable (if accepted by the backport team).

That way bionic-updates will remain at "0.8.2-1" and bionic-backports could have "0.9.X".

Regards,
Eric

[0] - https://launchpad.net/ubp
[1] - https://wiki.ubuntu.com/UbuntuBackports
[2] - https://help.ubuntu.com/community/UbuntuBackports

Changed in adcli (Ubuntu Eoan):
assignee: Eric Desrochers (slashd) → nobody
Revision history for this message
Eric Desrochers (slashd) wrote :

@bigon,

Is there any plan to bump the adcli (universe package) version in debian/unstable to 0.9.0, and then possibly the Ubuntu stable releases using an SRU exception (taking into account the current freeze schedule), something such as microreleases[0], with your MOTU privileges?

Since you are the "adcli" Debian maintainer, and the Ubuntu "adcli" merger (according to d/changelog).

[0] - https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases

- Eric

Revision history for this message
Eric Desrochers (slashd) wrote :

If the "microrelease SRU" doesn't apply here, then, as I stated earlier, maybe bionic-backports would suit better. Let's see what Laurent says.

Revision history for this message
Eric Desrochers (slashd) wrote :

To summarise, before talking about the Ubuntu specifics, the first step would surely be to make sure 0.9.0 (including the fixes needed for this bug) is found in Debian; then we'll be more amenable to discussing the potential Ubuntu options further (SRU micro release, bionic-backports, ...).

Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

Cool, thanks!

Revision history for this message
Eric Desrochers (slashd) wrote :

@bigon,

I made the request more "official" by reporting a bug in Debian against adcli:

# adcli new release 0.9.0
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941583

Regards,
Eric

Eric Desrochers (slashd)
Changed in adcli (Ubuntu Eoan):
status: In Progress → New
Changed in adcli (Debian):
status: Unknown → New
Changed in adcli (Debian):
status: New → Fix Released
Revision history for this message
Eric Desrochers (slashd) wrote :

A bionic-backports request has been made via LP: #1846516

Changed in adcli (Ubuntu Eoan):
status: New → Won't Fix
Changed in adcli (Ubuntu Disco):
status: New → Won't Fix
Changed in adcli (Ubuntu Bionic):
status: New → Won't Fix
Changed in adcli (Ubuntu Xenial):
status: New → Won't Fix
Revision history for this message
Mark Cunningham (mdscunningham) wrote :

Using "net ads" from the samba-common-bin package should work as an alternative to using adcli.

Assuming the server is already connected to the AD using sssd, you should be able to run the following.

net ads join -k
net ads keytab list
net ads keytab add nfs

Changed in adcli (Ubuntu):
status: New → Won't Fix
Revision history for this message
Eric Desrochers (slashd) wrote :

The current active devel release (the future next LTS) now includes a newer version of adcli:
 adcli | 0.9.0-1 | focal/universe | source, amd64, arm64, armhf, i386, ppc64el, s390x

Changed in adcli (Ubuntu Focal):
status: Won't Fix → Fix Released
Revision history for this message
Jason Edgecombe (jwedgeco) wrote :

Thanks!
