Realm join hangs

Bug #1906673 reported by Gerard Weatherby
This bug affects 2 people
Affects: sssd (Ubuntu)
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

Following update sssd/bionic-updates,bionic-security,now 1.16.1-1ubuntu1.7 to the sssd et al. packages, our realm joins no longer work. They hang at the step:

root@dec03daily:~# realm join ourdomain.net -U admin-acct -v
 * Resolving: _ldap._tcp.ourdomain.net
 * Performing LDAP DSE lookup on: 0.0.0.01
 * Performing LDAP DSE lookup on: 0.0.0.00
 * Successfully discovered: ourdomain.net
Password for admin-acct:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain ourdomain.net --domain-realm OURDOMAIN.NET --domain-controller 0.0.0.01 --login-type user --login-user admin-acct --stdin-password
 * Using domain name: ourdomain.net
 * Calculated computer account name from fqdn: DEC03DAILY
 * Using domain realm: ourdomain.net
 * Sending netlogon pings to domain controller: cldap://0.0.0.01
 * Received NetLogon info from: ad2.ourdomain.net
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-CxSBIC/krb5.d/adcli-krb5-conf-7CIGrq
 * Authenticated as user: <email address hidden>
 * Using GSS-SPNEGO for SASL bind

(site specific identity data obfuscated)

root@dec03daily:~# lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04

root@dec03daily:~# apt-cache policy sssd
sssd:
  Installed: 1.16.1-1ubuntu1.7
  Candidate: 1.16.1-1ubuntu1.7
  Version table:
 *** 1.16.1-1ubuntu1.7 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.16.1-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Note: we have been using prior versions of the sssd / realm et al. packages to automatically build / domain join VMs for the past couple of years; our process just stopped working with the 1.16.1-1ubuntu1.7 update.

Christian Ehrhardt (paelzer) wrote :

Thank you so much for the high quality report Gerard.
I've pinged the author of the broken update and marked the bug here as a regression accordingly.
Since he is aware of the context he should be the fastest to resolve this and might have additional questions about your setup.

Changed in sssd (Ubuntu):
importance: Undecided → High
tags: added: regression-update

Christian Ehrhardt (paelzer) wrote :

Ref: SRU bug of the offending update => bug 1868703

Tobias Karnat (tobiaskarnat-remondis) wrote :

I suspect the bug is caused by the patch "01-Use-GSS-SPNEGO-if-available.patch" in the adcli package.

Christian Ehrhardt (paelzer) wrote :

Thanks Tobias for the hint!

FYI: To give some relief while the issue is analyzed and resolved, the new version was removed from the -updates and -security pockets.
People that have already installed and are negatively affected by this can downgrade to the former version (which now will be the newest available in -updates).

Example:
 $ apt install sssd=1.16.1-1ubuntu1.6

Based on dependencies, you might need to reference other packages the same way. But that should provide a way to get back to a working state again until this is resolved.

P.S. This happened just now; there might be a short update delay until it is reflected in the data that feeds into the package managers.
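An added helper, not part of this bug thread, that reads `apt-cache policy` output in the form quoted in the report and prints the pinned downgrade command from the comment above when the regressed sssd build is installed; the version strings are the ones named on this page, and the sample input is constructed from the report.

```shell
# Added example: decide whether a host needs the sssd downgrade suggested in the
# bug thread by parsing `apt-cache policy` output. POSIX sh, no extra tooling.

REGRESSED_VERSION="1.16.1-1ubuntu1.7"   # build whose realm join hangs at the SASL bind
KNOWN_GOOD_VERSION="1.16.1-1ubuntu1.6"  # version the thread suggests pinning to

# installed_version POLICY_TEXT: extract the "Installed:" field from apt-cache policy output
installed_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Installed:[[:space:]]*//p' | head -n 1
}

# downgrade_command PKG POLICY_TEXT: print the pinned downgrade command when PKG is
# at the regressed version; print nothing otherwise. Returns 0 either way.
downgrade_command() {
    ver=$(installed_version "$2")
    if [ "$ver" = "$REGRESSED_VERSION" ]; then
        printf 'apt install %s=%s\n' "$1" "$KNOWN_GOOD_VERSION"
    fi
    return 0
}

# Constructed sample input: the apt-cache policy output from the bug description.
SAMPLE_POLICY='sssd:
  Installed: 1.16.1-1ubuntu1.7
  Candidate: 1.16.1-1ubuntu1.7
  Version table:
 *** 1.16.1-1ubuntu1.7 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages'

# Constructed sample for a host already at the known-good version.
SAMPLE_POLICY_GOOD='sssd:
  Installed: 1.16.1-1ubuntu1.6
  Candidate: 1.16.1-1ubuntu1.6'

downgrade_command sssd "$SAMPLE_POLICY"        # prints: apt install sssd=1.16.1-1ubuntu1.6
downgrade_command sssd "$SAMPLE_POLICY_GOOD"   # prints nothing

# Live use on an affected host (other sssd-related packages can be checked the same way):
#   downgrade_command sssd "$(apt-cache policy sssd)"
```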

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed

Russell Howe (rhowetrp) wrote :

I have observed this same behaviour with 'adcli join' when using adcli 0.8.2-1-ubuntu1 but adding the --use-ldaps parameter on the command line allowed the join to complete successfully.

Without using the --use-ldaps flag, using tcpdump I observed the LDAP operations were happening in the clear on port 389.
