adcli delete-computer fails when run as root because of keytab access

Andrew Klaassen andrew.klaassen at boatrocker.com
Wed Jul 17 14:26:33 UTC 2024


> From: Authentication <authentication-bounces at lists.freedesktop.org> On Behalf Of Sumit Bose
> Sent: Wednesday, July 17, 2024 3:36 AM
> 
> On Tue, Jul 16, 2024 at 03:26:16PM +0000, Andrew Klaassen wrote:
> > I just came across a curious behaviour with adcli delete-computer where it
> > doesn't work when run as root but does work when run as a regular user.
> >
> > It turns out that it's because our Linux machines are joined to two different
> > domains with two different keytabs.  Running a command like this:
> >
> > $ adcli delete-computer --domain=$SECONDARY_DOMAIN --login-user=$SERVICE_USER $MACHINE_NAME
> >
> > ...works fine.  Running it as root:
> >
> > $ sudo adcli delete-computer --domain=$SECONDARY_DOMAIN --login-user=$SERVICE_USER $MACHINE_NAME
> >
> > ...fails with "adcli: couldn't connect to <SECONDARY_DOMAIN> domain:
> > Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more information
> > (Server not found in Kerberos database)"
> >
> > Running both with KRB5_TRACE=/dev/stdout, there are a bunch of places
> > where the sudo version is adding the name of our ~primary~ domain to the
> > secondary domain queries and failing.  The regular user version doesn't do
> > that.
> >
> > Running both with strace, I see that the sudo version successfully opens
> > /etc/krb5.keytab, which is the keytab for our primary domain, and gets
> > domain info from it, which leads to the failure.  The regular user version isn't
> > able to open /etc/krb5.keytab, so it respects the domain specified on the
> > command line and succeeds.
> >
> 
> Hi,
> 
> thank you for your report. If a domain is given on the command line, it should
> be preferred over the discovered domain/realm from the keytab.
> 
> Would you mind to open a new issue at
> https://gitlab.freedesktop.org/realmd/adcli/-/issues/new for better tracking
> and visibility? If you prefer I can open it as well and copy the content of your
> original email.

Hi Sumit,

Issue created:

https://gitlab.freedesktop.org/realmd/adcli/-/issues/38

I also attached KRB5_TRACE and strace output to the issue.

Thanks.

Andrew
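The thread above boils down to one condition: when the caller can read the default keytab (root can, the regular user cannot) adcli takes the realm from that keytab instead of the `--domain` given on the command line, and on a host joined to two domains that realm is the wrong one. The following shell script is an added pre-flight check for that condition; it is not part of the thread, of adcli or of realmd. It assumes the `klist -k` listing format of MIT Kerberos (one `KVNO Principal` line per entry, realm after the last `@`), that the default keytab is `/etc/krb5.keytab` unless `KRB5_KTNAME` overrides it, and it feeds itself a constructed `klist -k` listing so it runs offline. A fix in adcli itself (preferring the command-line domain, as Sumit describes) is what the issue tracks; the check here only makes the mismatch visible before a `delete-computer` is attempted as root.

```shell
#!/bin/sh
# Added diagnostic for the keytab-vs-domain mismatch described in the thread.
# Not adcli/realmd code. Assumes MIT `klist -k` output: lines "KVNO principal@REALM".

# Print the distinct realms found in a `klist -k` listing read from stdin,
# upper-cased, one per line. Header lines carry no '@' and are skipped.
keytab_realms() {
    awk -F'@' '/@/ { print toupper($NF) }' | sort -u
}

# Return 0 when every realm in the listing (stdin) equals the target domain
# ($1, compared case-insensitively), 1 when any entry belongs to another realm.
# A non-zero result means adcli run with keytab access may discover the wrong
# realm, exactly the failure mode reported above.
keytab_matches_domain() {
    target=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    mismatch=0
    for realm in $(keytab_realms); do
        if [ "$realm" != "$target" ]; then
            echo "warning: keytab holds realm $realm but target domain is $target" >&2
            mismatch=1
        fi
    done
    return $mismatch
}

# Return 0 if the current user can read the default keytab. Root normally can,
# an unprivileged user normally cannot, which is why the two runs in the thread
# behave differently. KRB5_KTNAME (assumed, standard MIT krb5 variable) may
# carry a "FILE:" prefix that is stripped here.
keytab_readable() {
    kt=${KRB5_KTNAME:-/etc/krb5.keytab}
    kt=${kt#FILE:}
    [ -r "$kt" ]
}

# Constructed sample of `klist -k` output for a host joined to PRIMARY.EXAMPLE.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/build01.primary.example@PRIMARY.EXAMPLE
   3 BUILD01$@PRIMARY.EXAMPLE'

# Usage on the constructed sample: run as `sh check.sh --demo`.
# On a real host replace the sample with: klist -k | keytab_matches_domain "$SECONDARY_DOMAIN"
if [ "${1:-}" = "--demo" ]; then
    if keytab_readable; then
        echo "default keytab is readable: adcli will consult it"
    else
        echo "default keytab is not readable: adcli will use the command-line domain"
    fi
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_matches_domain secondary.example; then
        echo "keytab realm matches target domain"
    else
        echo "realm mismatch: a root run may discover PRIMARY.EXAMPLE from this keytab"
    fi
fi
```

The check is deliberately read-only: it inspects the listing and the keytab's permission bits and never touches the directory, so it can sit in front of any privileged adcli invocation on a multi-domain host without side effects.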