adcli can't set Samba data
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
adcli (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | New | Undecided | Unassigned |
Mantic | New | Undecided | Unassigned |
Noble | Fix Released | Undecided | Unassigned |

Bug Description
adcli is unable to update Samba's tdb when using the `--add-samba-data` flag. This also affects `adcli update`, as noted in the original Red Hat Bugzilla:
https:/
```
root@373863repro:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
root@373863repro:~# apt-cache policy adcli
adcli:
Installed: 0.9.1-1ubuntu2
Candidate: 0.9.1-1ubuntu2
Version table:
*** 0.9.1-1ubuntu2 500
500 http://
100 /var/lib/
```
Expected:
```
root@373863repro:~# adcli join --domain ubuntu.internal -H 373863repro.
root@373863repro:~#
root@373863repro:~# net ads testjoin
Join is OK
root@373863repro:~#
root@373863repro:~# adcli testjoin
Sucessfully validated join to domain ubuntu.internal
```
Actual:
```
root@373863repro:~# adcli join --domain ubuntu.internal -H case-00373863.
* Using fully qualified name: case-00373863.
* Using domain name: ubuntu.internal
* Calculated computer account name from fqdn: CASE-00373863
* Calculated domain realm from name: UBUNTU.INTERNAL
* Discovering domain controllers: _ldap._
* Sending NetLogon ping to domain controller: dc2.ubuntu.internal
* Received NetLogon info from: dc2.ubuntu.internal
* Wrote out krb5.conf snippet to /tmp/adcli-
! Couldn't authenticate as machine account: CASE-00373863: Preauthentication failed
Password for <email address hidden>:
* Authenticated as user: <email address hidden>
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: UBUNTU
* Looked up domain SID: S-1-5-21-
* Using fully qualified name: case-00373863.
* Using domain name: ubuntu.internal
* Using computer account name: CASE-00373863
* Using domain realm: ubuntu.internal
* Calculated computer account name from fqdn: CASE-00373863
* Generated 120 character computer password
* Using keytab: FILE:/etc/
* Found computer account for CASE-00373863$ at: CN=CASE-
* Sending NetLogon ping to domain controller: dc2.ubuntu.internal
* Received NetLogon info from: dc2.ubuntu.internal
* Set computer password
* Retrieved kvno '3' for computer account in directory: CN=CASE-
* Checking RestrictedKrbHo
* Added RestrictedKrbHo
* Checking RestrictedKrbHo
* Added RestrictedKrbHo
* Checking host/case-
* Added host/case-
* Checking host/CASE-00373863
* Added host/CASE-00373863
* Trying to set Samba secret.
secrets_
Unable to write the machine account password in the secrets database ! net command failed with 1.
* Trying to set domain SID S-1-5-21-
* Discovered which keytab salt to use
* Added the entries to the keytab: CASE-00373863$
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
* Added the entries to the keytab: <email address hidden>: FILE:/etc/
root@373863repro:~#
root@373863repro:~# net ads testjoin
Join to domain is not valid: NT code 0xfffffff6
root@373863repro:~#
root@373863repro:~# adcli testjoin
Sucessfully validated join to domain ubuntu.internal
root@373863repro:~#
```
This has been fixed upstream in adcli by getting the domain SID before setting the Samba secret:
https:/
Test packages for Jammy in ppa:mfo/lp2044406.
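
A check for the failure shown in the transcript above, as an added example that is not part of the original report or of adcli: it classifies a saved `adcli join` transcript by the order and outcome of the two Samba steps, since `adcli testjoin` still reports success when the secrets database was not written. The function names, result labels and sample transcripts are constructed, and it is an assumption that a fixed build logs the same two messages in the opposite order.

```shell
#!/bin/sh
# Added example (not adcli code): classify a saved `adcli join` transcript.
# The matched strings are the messages shown in the transcript in this report.

# Reads a transcript on stdin and prints one label:
#   no-samba-step        no attempt to write Samba's secrets database
#   secret-write-failed  the machine password could not be stored
#   secret-before-sid    secret written before the domain SID (buggy order)
#   ok                   domain SID set first, secret stored without error
classify_adcli_join() {
    awk '
        /Trying to set Samba secret/ { if (!secret) secret = NR }
        /Trying to set domain SID/   { if (!sid) sid = NR }
        /Unable to write the machine account password/ { failed = 1 }
        END {
            if (!secret)              { print "no-samba-step"; exit }
            if (failed)               { print "secret-write-failed"; exit }
            if (!sid || sid > secret) { print "secret-before-sid"; exit }
            print "ok"
        }'
}

# Constructed sample: the failing order from the report (SID is a placeholder).
sample_failing_log() {
    cat <<'EOF'
* Set computer password
* Trying to set Samba secret.
Unable to write the machine account password in the secrets database ! net command failed with 1.
* Trying to set domain SID S-1-5-21-PLACEHOLDER
* Added the entries to the keytab: CASE-00373863$
EOF
}

# Constructed sample: assumed output of a fixed build (SID first, no error).
sample_fixed_log() {
    cat <<'EOF'
* Set computer password
* Trying to set domain SID S-1-5-21-PLACEHOLDER
* Trying to set Samba secret.
* Added the entries to the keytab: CASE-00373863$
EOF
}

sample_failing_log | classify_adcli_join   # secret-write-failed
sample_fixed_log | classify_adcli_join     # ok
```

Any result other than `ok` on a host that relies on Samba means `net ads testjoin` should be run as well before the join is treated as valid.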