[Authentication] Command `realm join` fails to register DNS, it is trying to cut DNS hostname when it is bigger than 15 chars.

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Oct 6 12:45:39 PDT 2014


Hello!

I figured out a way to achieve what I need. Unfortunately, Realmd is not
ready for prime time. For huge networks, for example, with Disjoint
Namespaces, lots of DNS sub-domains, and with machines that share the same
hostname, but on different forward zones, then, Realmd can not be used (or
at least, it is very hard to use it).

So, how did I "fix" it?

First, I transformed the obsolete "netbios name" into some kind of ID, like
this:

* "ubuntu-desk-1.office.domain.com" has its netbios name equal to
"ubuntu-d-dae34".
* "ubuntu-desk-1.sp.domain.com" has its netbios name equal to
"ubuntu-d-fsd5h".

Then:

sudo apt-get remove realmd

Write at /etc/hosts:

172.16.10.10 ubuntu-desk-1.office.domain.com ubuntu-desk-1 ubuntu-d-dae34

Write at the /etc/samba/smb.conf the following line:

netbios name = ubuntu-d-dae34
---

This way, I can run "net ads join" and my machine will get 2 "names":
the first is DNS, heavily used; the second is the NetBIOS one (obsolete, used just
to join the domain). NetBIOS is disabled in my network, no WINS.

So, I can have "ubuntu-desk-1" both in "*.office.domain.com" and
"*.sp.domain.com", each one with its own netbios name but the same hostname
(different domain).

I came to the conclusion that realmd is not ready for large networks.

Please let me know when realmd has support for selecting a different
netbios name. Also, realmd should NOT cut the DNS at 15 chars before
trying to register it. This is ugly; realmd should not touch the DNS hostname,
ever.

Thanks!
Thiago
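To make the workaround above concrete, here is an added example (not code from the poster or from realmd/Samba) that contrasts realmd's observed behaviour, cutting the short hostname at 15 characters, with a zone-unique NetBIOS "ID" derived from the whole FQDN. The derivation scheme (first 8 characters of the hostname plus 5 hex characters of a SHA-256 over the FQDN) is an assumption for illustration; the thread does not say how "ubuntu-d-dae34" was produced.

```python
import hashlib
import re

NETBIOS_MAX = 15  # NetBIOS computer names are limited to 15 characters
# Conservative, DNS-safe subset of characters for a NetBIOS name
_NETBIOS_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")


def realmd_style_name(fqdn: str) -> str:
    """Mimic the truncation seen in the realm -v join output: the short
    hostname is cut to 15 characters and upper-cased, regardless of zone."""
    return fqdn.split(".")[0][:NETBIOS_MAX].upper()


def zone_unique_name(fqdn: str, prefix_len: int = 8, tag_len: int = 5) -> str:
    """Assumed scheme (not the poster's exact method): first 8 chars of the
    hostname, a dash, and 5 hex chars of SHA-256 over the whole FQDN, so the
    same hostname in different forward zones yields different IDs."""
    fqdn = fqdn.lower().rstrip(".")
    short = fqdn.split(".")[0][:prefix_len]
    tag = hashlib.sha256(fqdn.encode()).hexdigest()[:tag_len]
    name = f"{short}-{tag}"
    assert len(name) <= NETBIOS_MAX
    return name


def valid_netbios(name: str) -> bool:
    """Reject names that exceed 15 characters or use unsafe characters."""
    return bool(_NETBIOS_RE.match(name))


def find_collisions(fqdns, namer):
    """Map each NetBIOS name to the FQDNs that produce it; keep only clashes."""
    seen = {}
    for fqdn in fqdns:
        seen.setdefault(namer(fqdn), []).append(fqdn)
    return {n: f for n, f in seen.items() if len(f) > 1}


def hosts_line(ip: str, fqdn: str) -> str:
    """The /etc/hosts line from the workaround: IP, FQDN, short name, NetBIOS ID."""
    return f"{ip} {fqdn} {fqdn.split('.')[0]} {zone_unique_name(fqdn)}"


def smb_conf_line(fqdn: str) -> str:
    """The smb.conf setting from the workaround."""
    return f"netbios name = {zone_unique_name(fqdn)}"
```

With the two FQDNs from the message, `realmd_style_name` yields the same `UBUNTU-DESK-1` for both zones while `zone_unique_name` gives distinct 14-character IDs.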


On 16 September 2014 02:49, Martinx - ジェームズ <thiagocmartinsc at gmail.com>
wrote:

> Hey guys,
>
> I'll try to simplify my situation with Realm + SSSD, as follows:
>
>
> * While running "realm join"
>
> 1) How can I specify the "NetBIOS Name" ? (equivalent of adcli's
> "--computer-name");
>
> 2) How can I tell it (realm join) to *not cut* the DNS hostname @ char 15?
>
>
> Thanks!
> Thiago
>
> On 13 September 2014 02:06, Martinx - ジェームズ <thiagocmartinsc at gmail.com>
> wrote:
>
>> Guys,
>>
>> I'm trying to join a Linux instance into my AD Domain, its FQDN is `
>> puppetmaster-1-i-000000b9.tenant-a.company.com`:
>>
>> ---
>> root at puppetmaster-1:~# hostname puppetmaster-1-i-000000b9
>>
>> root at puppetmaster-1:~# hostname -f
>> puppetmaster-1-i-000000b9.tenant-a.company.com
>>
>> root at puppetmaster-1:~# realm -v join sambadom.company.com -U
>> Administrator
>>  * Resolving: _ldap._tcp.sambadom.company.com
>>  * Performing LDAP DSE lookup on: 192.168.1.10
>>  * Performing LDAP DSE lookup on: 192.168.1.20
>>  * Successfully discovered: sambadom.company.com
>> Password for Administrator:
>>  * Unconditionally checking packages
>>  * Resolving required packages
>> * * Joining using a truncated netbios name: PUPPETMASTER-1-*
>>  * LANG=C LOGNAME=root /usr/bin/net -s
>> /var/cache/realmd/realmd-smb-conf.HMC1LX -U Administrator ads join
>> sambadom.company.com
>> Enter Administrator's password:DNS update failed:
>> NT_STATUS_INVALID_PARAMETER
>>
>> Using short domain name -- SAMBADOM
>> Joined 'PUPPETMASTER-1-' to dns domain 'sambadom.company.com'
>> *No DNS domain configured for puppetmaster-1-. Unable to perform DNS
>> Update.*
>>  * LANG=C LOGNAME=root /usr/bin/net -s
>> /var/cache/realmd/realmd-smb-conf.HMC1LX -U Administrator ads keytab create
>> Enter Administrator's password:
>>  * /usr/sbin/update-rc.d sssd enable
>> update-rc.d: /etc/init.d/sssd: file does not exist
>>  * /usr/sbin/service sssd restart
>> stop: Unknown instance:
>> sssd start/running, process 6243
>>  * Successfully enrolled machine in realm
>> ---
>>
>> It joined but the DNS did not get registered...
>>
>> If I remove the "$instance-id" from the `hostname`, then the command
>> `realm -v join ...` works! But it will break my environment "as-is"; I'm
>> expecting "hostname+instance-id"...   :-/
>>
>> I'm evaluating the pair "realmd + sssd" to replace Samba + Winbind, but
>> this one problem is an impediment to start using this solution in
>> production today...
>>
>> Any tips?!
>>
>> From what I'm seeing, `realm join` is missing an option like
>> `--computer-name=puppetmaster-1`, like the one from `adcli` (and it should
>> not use that truncated "PUPPETMASTER-1-" above), and it should not "cut / touch"
>> the DNS hostname.
>>
>> With Winbind+Samba, I can join / register the hostname
>> `puppetmaster-1-i-000000b9` @ `tenant-a.company.com` without any problem
>> (using `net ad join -U Administrator`), but Winbind brings lots of other
>> problems, so I'm trying to move to `sssd` instead...
>>
>> I really appreciate any help! I'm using Ubuntu 14.04.1 with my own small
>> PPA archive: http://launchpad.net/~martinx/+archive/ubuntu/ig
>>
>> Thanks!
>> Thiago
>>
>
>