Comment 1 for bug 1979081
Revision history for this message
| Andreas Hasenack (ahasenack) wrote Re: domain join with --use-ldaps using port 389 | #1 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
> This appears to affect adcli version 0.9.1-1ubuntu2 that comes with Ubuntu 22.04 LTS, as an
> attempt on Ubuntu 20.04 LTS (with adcli version 0.9.0-1ubuntu0.
Turns out focal is also affected, but you didn't capture it in your network sniffer, or by the iptables block, because in focal openldap has CLDAP support (connection-less ldap), which means said NetLogon ping happens via UDP:
root@f-
* Using domain name: INTERNAL.
* Calculated computer account name from fqdn: F-ADCLI-REALMD
* Calculated domain realm from name: INTERNAL.
* Discovering domain controllers: _ldap._
* Sending NetLogon ping to domain controller: win-kriet1e5elo
* Received NetLogon info from: WIN-KRIET1E5ELO
* Using LDAPS to connect to win-kriet1e5elo
* Wrote out krb5.conf snippet to /tmp/adcli-
! Couldn't authenticate as machine account: F-ADCLI-REALMD: Client 'F-ADCLI-
Password for <email address hidden>:
root@f-
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
20:22:52.902443 IP 10.0.16.12.56068 > 10.0.16.5.389: UDP, length 89
20:22:52.902920 IP 10.0.16.5.389 > 10.0.16.12.56068: UDP, length 205
I will file an issue with adcli upstream, because it will fallback[1] to "ldap" (instead of "ldaps" if --use-ldaps was given) if CLDAP is not supported.
For what is worth, the NetLogon ping/discovery is this type of query, and it seems to work fine via ldaps:
root@j-
dn:
netlogon:: FwAAAP3zAwBx2l+
1. https:/
2. https:/