** Changed in: cyrus-sasl2 (Ubuntu Bionic)
       Status: Confirmed => In Progress

** Changed in: cyrus-sasl2 (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: cyrus-sasl2 (Ubuntu Bionic)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

https://bugs.launchpad.net/bugs/1906627

Title:
  adcli fails, can't contact LDAP server

Status in adcli package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 package in Ubuntu:
  Confirmed
Status in adcli source package in Bionic:
  In Progress
Status in cyrus-sasl2 source package in Bionic:
  In Progress

Bug description:
  Package: adcli
  Version: 0.8.2-1ubuntu1
  Release: Ubuntu 18.04 LTS

  When trying to join the domain with this new version of adcli, it gets
  to the point of 'Using GSS-SPNEGO for SASL bind' and then it will not
  do anything for 10 minutes. It will then fail, complaining it can't
  reach the LDAP server.

  Logs:
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-acco...@domain.com
  Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-acco...@domain.com
  Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
  Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using fully qualified name: example001.domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using fully qualified name: example001.domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain name: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain name: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using computer account name: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using computer account name: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain realm: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain realm: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Calculated computer account name from fqdn: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Calculated computer account name from fqdn: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * With user principal: host/example001.domain....@domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * With user principal: host/example001.domain....@domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Generated 120 character computer password
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Generated 120 character computer password
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using keytab: FILE:/etc/krb5.keytab
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using keytab: FILE:/etc/krb5.keytab
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]: process exited: 6459
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain

  On the network level, adcli gets to the point of sending an LDAP query
  to the domain controller and the domain controller returns an ACK TCP
  packet, but then there is no more traffic between the domain
  controller and the server except for NTP packets until it fails.

  The domain controller traffic also shows that it is receiving the LDAP
  query packet from the server but it never sends a reply and there is
  no log in directory services regarding the query. We also couldn't
  find anything in procmon regarding this query either.

  Workaround/Fix:
  Downgrading the adcli package back to version 0.8.2-1 fixes the issues
  and domain join works properly again.
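For triage across many hosts, the signature in the logs above (a GSS-SPNEGO SASL bind, a long silence, then "Can't contact LDAP server") can be matched mechanically. The script below is an added example, not part of the bug report or of adcli/realmd; the function names, the 60-second threshold and the placeholder year are assumptions, and the sample is a constructed subset of the quoted journal lines.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the journal lines quoted in the report.
SAMPLE = """\
Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
BIND = "Using GSS-SPNEGO for SASL bind"
FAIL = "Can't contact LDAP server"

def parse(text, year=2000):
    """Yield (timestamp, host, program, message) for each syslog-style line.

    These timestamps carry no year, so an arbitrary placeholder year is
    supplied; logs spanning a year boundary are not handled.
    """
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(5).strip()

def find_stalled_binds(text, min_stall_s=60):
    """Return (host, bind_time, stall_seconds) for each SASL bind that is
    followed, after at least min_stall_s of log silence, by an LDAP failure."""
    findings = []
    pending = {}  # host -> (bind time, time of last line seen since the bind)
    for ts, host, _prog, msg in parse(text):
        if BIND in msg:
            pending[host] = (ts, ts)
        elif host in pending:
            bind_ts, last_ts = pending[host]
            if FAIL in msg:
                stall = int((ts - last_ts).total_seconds())
                if stall >= min_stall_s:
                    findings.append((host, bind_ts, stall))
                del pending[host]  # one finding per bind attempt
            else:
                pending[host] = (bind_ts, ts)
    return findings

if __name__ == "__main__":
    for host, bind_ts, stall in find_stalled_binds(SAMPLE):
        print(f"{host}: bind at {bind_ts:%b %d %H:%M:%S} stalled {stall}s before LDAP failure")
```

The stall is measured from the last line logged after the bind, so on the sample it is the gap between 01:39:50 and 01:55:27.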