adcli can't set Samba data

Bug #2044406 reported by Rudra Trivedi
This bug affects 1 person

Affects          Status        Importance  Assigned to  Milestone
adcli (Ubuntu)   Fix Released  Undecided   Unassigned
  Jammy          New           Undecided   Unassigned
  Mantic         New           Undecided   Unassigned
  Noble          Fix Released  Undecided   Unassigned

Bug Description

adcli is unable to update Samba's tdb when using the `--add-samba-data` flag. This also affects `adcli update`, as noted in the original Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1991619

root@373863repro:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy

root@373863repro:~# apt-cache policy adcli
adcli:
  Installed: 0.9.1-1ubuntu2
  Candidate: 0.9.1-1ubuntu2
  Version table:
 *** 0.9.1-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

Expected:

root@373863repro:~# adcli join --domain ubuntu.internal -H 373863repro.ubuntu.internal --add-samba-data
root@373863repro:~#
root@373863repro:~# net ads testjoin
Join is OK
root@373863repro:~#
root@373863repro:~# adcli testjoin
Sucessfully validated join to domain ubuntu.internal

Actual:

root@373863repro:~# adcli join --domain ubuntu.internal -H case-00373863.ubuntu.internal --add-samba-data -v
 * Using fully qualified name: case-00373863.ubuntu.internal
 * Using domain name: ubuntu.internal
 * Calculated computer account name from fqdn: CASE-00373863
 * Calculated domain realm from name: UBUNTU.INTERNAL
 * Discovering domain controllers: _ldap._tcp.ubuntu.internal
 * Sending NetLogon ping to domain controller: dc2.ubuntu.internal
 * Received NetLogon info from: dc2.ubuntu.internal
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-MEf9xi/krb5.d/adcli-krb5-conf-frswEw
 ! Couldn't authenticate as machine account: CASE-00373863: Preauthentication failed
Password for <email address hidden>:
 * Authenticated as user: <email address hidden>
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: UBUNTU
 * Looked up domain SID: S-1-5-21-2416277022-3154700276-4217497992
 * Using fully qualified name: case-00373863.ubuntu.internal
 * Using domain name: ubuntu.internal
 * Using computer account name: CASE-00373863
 * Using domain realm: ubuntu.internal
 * Calculated computer account name from fqdn: CASE-00373863
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for CASE-00373863$ at: CN=CASE-00373863,CN=Computers,DC=ubuntu,DC=internal
 * Sending NetLogon ping to domain controller: dc2.ubuntu.internal
 * Received NetLogon info from: dc2.ubuntu.internal
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=CASE-00373863,CN=Computers,DC=ubuntu,DC=internal
 * Checking RestrictedKrbHost/case-00373863.UBUNTU.INTERNAL
 * Added RestrictedKrbHost/case-00373863.UBUNTU.INTERNAL
 * Checking RestrictedKrbHost/CASE-00373863
 * Added RestrictedKrbHost/CASE-00373863
 * Checking host/case-00373863.UBUNTU.INTERNAL
 * Added host/case-00373863.UBUNTU.INTERNAL
 * Checking host/CASE-00373863
 * Added host/CASE-00373863
 * Trying to set Samba secret.
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(UBUNTU) failed
Unable to write the machine account password in the secrets database ! net command failed with 1.
 * Trying to set domain SID S-1-5-21-2416277022-3154700276-4217497992 for Samba.
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CASE-00373863$@UBUNTU.INTERNAL: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: <email address hidden>: FILE:/etc/krb5.keytab
root@373863repro:~#
root@373863repro:~# net ads testjoin
Join to domain is not valid: NT code 0xfffffff6
root@373863repro:~#
root@373863repro:~# adcli testjoin
Sucessfully validated join to domain ubuntu.internal
root@373863repro:~#

This has been fixed upstream in adcli by getting the domain SID before setting the Samba secret:
https://gitlab.freedesktop.org/realmd/adcli/-/merge_requests/52/diffs?commit_id=0e1aafad7da78ded9ed45fd0638c42876d2a8d6a
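A post-join check an administrator can run on affected hosts, written for this report as an added example (not part of the bug description or of adcli itself). It classifies a host from the output of `adcli testjoin` and `net ads testjoin`, and inspects a verbose `adcli join` log for the failed secrets.tdb write and for the step order the upstream fix changes (domain SID before Samba secret). The sample strings are constructed from the log lines quoted above, so the block runs without a domain.

```shell
#!/bin/sh
# Constructed excerpt of the 0.9.1 verbose join log from the report (not a live run).
ADCLI_LOG_BROKEN=' * Trying to set Samba secret.
secrets_prepare_password_change: secrets_fetch_or_upgrade_domain_info(UBUNTU) failed
Unable to write the machine account password in the secrets database ! net command failed with 1.
 * Trying to set domain SID S-1-5-21-2416277022-3154700276-4217497992 for Samba.'

# samba_secret_failed LOG: exit 0 if the verbose adcli log shows the secrets.tdb write failing.
samba_secret_failed() {
  printf '%s\n' "$1" | grep -q 'Unable to write the machine account password in the secrets database'
}

# sid_set_before_secret LOG: exit 0 if "set domain SID" is logged before "set Samba secret"
# (the order of the upstream fix); exit 1 for the 0.9.1 order, where the secret comes first.
sid_set_before_secret() {
  sid_line=$(printf '%s\n' "$1" | grep -n 'Trying to set domain SID' | head -n 1 | cut -d: -f1)
  secret_line=$(printf '%s\n' "$1" | grep -n 'Trying to set Samba secret' | head -n 1 | cut -d: -f1)
  [ -n "$sid_line" ] && [ -n "$secret_line" ] && [ "$sid_line" -lt "$secret_line" ]
}

# join_state ADCLI_TESTJOIN_OUT NET_TESTJOIN_OUT: print one of
#   consistent            both the keytab (adcli) and secrets.tdb (Samba) join checks pass
#   samba-secret-missing  adcli is happy but Samba is not: the state this bug leaves behind
#   keytab-missing        Samba is joined but the Kerberos keytab check fails
#   not-joined            neither check passes
join_state() {
  adcli_ok=1; net_ok=1
  printf '%s\n' "$1" | grep -q 'validated join to domain' && adcli_ok=0
  printf '%s\n' "$2" | grep -q '^Join is OK' && net_ok=0
  if [ "$adcli_ok" -eq 0 ] && [ "$net_ok" -eq 0 ]; then echo consistent
  elif [ "$adcli_ok" -eq 0 ]; then echo samba-secret-missing
  elif [ "$net_ok" -eq 0 ]; then echo keytab-missing
  else echo not-joined; fi
}

# On a real host: join_state "$(adcli testjoin 2>&1)" "$(net ads testjoin 2>&1)"
```

Hosts reported as `samba-secret-missing` after an `adcli join --add-samba-data` on 0.9.1 are the ones hit by this bug; `net ads testjoin` there returns the `NT code 0xfffffff6` line shown above.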

Mauricio Faria de Oliveira (mfo) wrote:

Test packages for Jammy in ppa:mfo/lp2044406.

Mauricio Faria de Oliveira (mfo) wrote:

The patch was introduced in 0.9.2, which is not yet in Ubuntu,
so the SRUs should go from Focal/Jammy and later, up to Noble.

$ git remote get-url origin
https://gitlab.freedesktop.org/realmd/adcli

$ git describe --contains 0e1aafad7da78ded9ed45fd0638c42876d2a8d6a
0.9.2~5

$ rmadison -a source adcli
 adcli | 0.7.5-1 | trusty/universe | source
 adcli | 0.8.1-1 | xenial/universe | source
 adcli | 0.8.2-1 | bionic/universe | source
 adcli | 0.8.2-1ubuntu1.2 | bionic-security/universe | source
 adcli | 0.8.2-1ubuntu1.2 | bionic-updates/universe | source
 adcli | 0.9.0-1 | focal/universe | source
 adcli | 0.9.0-1ubuntu0.20.04.1 | focal-security | source
 adcli | 0.9.0-1ubuntu0.20.04.1 | focal-updates | source
 adcli | 0.9.1-1ubuntu2 | jammy | source
 adcli | 0.9.1-2ubuntu1 | lunar | source
 adcli | 0.9.1-2ubuntu1 | mantic | source
 adcli | 0.9.1-2ubuntu1 | noble | source

Mauricio Faria de Oliveira (mfo) wrote:

Debian bug asking for adcli 0.9.2 in sid (to merge with in Noble):
https://bugs.debian.org/1056600

Andreas Hasenack (ahasenack) wrote:

Noble now has 0.9.2-1ubuntu1, and looks like the patch is there.

Changed in adcli (Ubuntu Noble):
status: New → Fix Released