Comment 2 for bug 1905000

Alexander Fieroch (fieroch) wrote :

Our DHCP puts clients with dynamically configured IPs into a subdomain .client.DOMAIN, while clients with static IPs go to .DOMAIN.

Example:
I join clients to AD using sssd for authentication.
realm join --automatic-id-mapping=no --membership-software=adcli DOMAIN

The FQDN for this client is: kubuntu-lts.client.mpi-dortmund.mpg.de

realm sets correct keytab entries with the correct FQDN, including the .client subdomain:

root@kubuntu-lts:/etc/sssd# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 <email address hidden> (arcfour-hmac)
   2 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 <email address hidden> (aes256-cts-hmac-sha1-96)

Now I join the same test VM using winbind for authentication.
realm join --automatic-id-mapping=no --membership-software=samba --client-software=winbind DOMAIN

The FQDN for this client is still: kubuntu-lts.client.mpi-dortmund.mpg.de

realm sets incorrect keytab entries without the .client subdomain:

root@kubuntu-lts:/etc/sssd# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (arcfour-hmac)
   4 <email address hidden> (arcfour-hmac)
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (arcfour-hmac)
   4 <email address hidden> (arcfour-hmac)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (etype 1)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (etype 3)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 1)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (etype 3)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes128-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (aes256-cts-hmac-sha1-96)
   4 <email address hidden> (arcfour-hmac)
   4 <email address hidden> (arcfour-hmac)

If you need any other information, let me know.
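A check for the mismatch described in this comment, added here as an example and not part of the bug report or of realmd: it parses `klist -ke` output, extracts the host names from the `host/<name>@REALM` entries, and tests whether the FQDN the machine actually uses (`hostname -f`) is among them. The two listings embedded below are constructed for the example; the report hides its host entries, so their exact `host/` form is an assumption, as are the script name and the `--live` flag.

```shell
#!/bin/sh
# Added example (not from the bug report): check that a machine keytab carries a
# host/<FQDN> service principal for the FQDN the host actually uses.
# The two klist listings below are constructed for this example; the real report
# hides its host/ entries, so their exact form is an assumption.

# Constructed listing modelled on the sssd/adcli join: host/ entries use the
# .client subdomain that DHCP assigns to this machine.
SAMPLE_SSSD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 host/kubuntu-lts@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)'

# Constructed listing modelled on the samba/winbind join: host/ entries carry the
# parent domain only, so a client that presents the .client FQDN will not match.
SAMPLE_WINBIND='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/kubuntu-lts.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   4 host/KUBUNTU-LTS.MPI-DORTMUND.MPG.DE@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   4 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   4 host/kubuntu-lts@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)'

# keytab_host_fqdns <klist -ke output>
# Prints the distinct host names found in host/<name>@REALM entries, one per
# line, lower-cased and sorted. DNS names are case-insensitive while Kerberos
# principals are not, which is why realm writes both spellings; folding case
# lets the two spellings collapse to one name for comparison.
keytab_host_fqdns() {
    printf '%s\n' "$1" | LC_ALL=C awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /^host\// {
            p = $2
            sub(/^host\//, "", p)   # drop the service part
            sub(/@.*$/, "", p)      # drop the realm
            print tolower(p)
        }' | LC_ALL=C sort -u
}

# keytab_has_fqdn <fqdn> <klist -ke output>
# Returns 0 if a host/<fqdn>@... entry is present (case-insensitive on the host
# part), 1 otherwise.
keytab_has_fqdn() {
    keytab_host_fqdns "$2" | LC_ALL=C awk -v want="$1" '
        tolower(want) == $0 { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Live check on a joined machine (assumed invocation):  sh keytab-check.sh --live
# Compares the real FQDN (hostname -f) with the live keytab; klist -ke needs
# read access to /etc/krb5.keytab, so run it as root.
if [ "${1:-}" = "--live" ]; then
    me=$(hostname -f)
    listing=$(klist -ke)
    if keytab_has_fqdn "$me" "$listing"; then
        echo "OK: keytab has host/$me"
    else
        echo "MISMATCH: this host is $me but the keytab only knows:" >&2
        keytab_host_fqdns "$listing" >&2
        exit 1
    fi
fi
```

Run without arguments the script only defines the functions and samples; `--live` performs the real comparison. A non-zero exit from the live check is the condition this comment reports: the client's FQDN carries the `.client` label but no `host/` principal in the keytab does, so any service validating a ticket against `host/kubuntu-lts.client.mpi-dortmund.mpg.de` will not find a matching key.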