URL: https://github.com/SSSD/sssd/pull/820 Title: #820: ad: delete domains disabled through ad_enabled_domains from cache
pbrezina commented:
"""
I did not test the "root" domain case because I was not able to establish trust with a non-root domain so far. But the pull request is straightforward, so it does not necessarily block review.

```
[r...@master.client.vm /home/vagrant]# realm join child.ad.vm
Password for Administrator:
See: journalctl REALMD_OPERATION=r1521.5100
realm: Couldn't join realm: Insufficient permissions to join the domain
[r...@master.client.vm /home/vagrant]# journalctl REALMD_OPERATION=r1521.5100
-- Logs begin at Sun 2019-05-26 19:54:19 UTC, end at Thu 2019-05-30 09:40:15 UTC. --
May 30 09:40:13 master.client.vm realmd[5103]: * Resolving: _ldap._tcp.child.ad.vm
May 30 09:40:13 master.client.vm realmd[5103]: * Performing LDAP DSE lookup on: 192.168.100.120
May 30 09:40:13 master.client.vm realmd[5103]: * Performing LDAP DSE lookup on: 192.168.121.248
May 30 09:40:13 master.client.vm realmd[5103]: * Successfully discovered: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
May 30 09:40:15 master.client.vm realmd[5103]: * LANG=C /usr/sbin/adcli join --verbose --domain child.ad.vm --domain-realm CHILD.AD.VM --domain-controller 192.168.100.120 --login-type user --login-user Administrator --stdin-password
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain name: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Calculated computer account name from fqdn: MASTER
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain realm: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Sending netlogon pings to domain controller: cldap://192.168.100.120
May 30 09:40:15 master.client.vm realmd[5103]: * Received NetLogon info from: child-dc.child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-uxaCvi/krb5.d/adcli-krb5-conf-iAtYIJ
May 30 09:40:15 master.client.vm realmd[5103]: * Authenticated as user: administra...@child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Looked up short domain name: ADCHILD
May 30 09:40:15 master.client.vm realmd[5103]: * Looked up domain SID: S-1-5-21-2624477844-534582034-2536808417
May 30 09:40:15 master.client.vm realmd[5103]: * Using fully qualified name: master.client.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain name: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Using computer account name: MASTER
May 30 09:40:15 master.client.vm realmd[5103]: * Using domain realm: child.ad.vm
May 30 09:40:15 master.client.vm realmd[5103]: * Calculated computer account name from fqdn: MASTER
May 30 09:40:15 master.client.vm realmd[5103]: * Generated 120 character computer password
May 30 09:40:15 master.client.vm realmd[5103]: * Using keytab: FILE:/etc/krb5.keytab
May 30 09:40:15 master.client.vm realmd[5103]: * Computer account for MASTER$ does not exist
May 30 09:40:15 master.client.vm realmd[5103]: * Found well known computer container at: CN=Computers,DC=child,DC=ad,DC=vm
May 30 09:40:15 master.client.vm realmd[5103]: * Calculated computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm
May 30 09:40:15 master.client.vm realmd[5103]: ! Insufficient permissions to modify computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm: 000021C7: AtrErr: DSID-03200BBC, #1:
May 30 09:40:15 master.client.vm realmd[5103]: 0: 000021C7: DSID-03200BBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
May 30 09:40:15 master.client.vm realmd[5103]:
May 30 09:40:15 master.client.vm realmd[5103]: adcli: joining domain child.ad.vm failed: Insufficient permissions to modify computer account: CN=MASTER,CN=Computers,DC=child,DC=ad,DC=vm: 000021C7: AtrErr: DSID-03200BBC, #1:
May 30 09:40:15 master.client.vm realmd[5103]: 0: 000021C7: DSID-03200BBC, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
May 30 09:40:15 master.client.vm realmd[5103]:
May 30 09:40:15 master.client.vm realmd[5103]: ! Insufficient permissions to join the domain
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/820#issuecomment-497294985