Bug 47411 - Fails to join an Active Directory domain using Winbind (NT_STATUS_INVALID_PARAMETER)
Summary: Fails to join an Active Directory domain using Winbind (NT_STATUS_INVALID_PARAM...
Status: NEW
Alias: None
Product: Sisyphus
Classification: Development
Component: realmd
Version: unstable
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Alexey Shabalin
QA Contact: qa-sisyphus
Reported: 2023-08-30 21:11 MSK by Evgeny Shesteperov
Modified: 2023-08-30 21:11 MSK

Description Evgeny Shesteperov 2023-08-30 21:11:44 MSK
Fails to join an Active Directory domain using Winbind (NT_STATUS_INVALID_PARAMETER)

Version

-   realmd-0.17.1-alt4

Test environment

-   ALT Workstation 10.1 (Sisyphus) - Samba Client
-   ALT Server 10.1 (Sisyphus) - Samba Server

Steps to reproduce

Install the package:

    # apt-get install -y realmd

Add the resolver settings for Samba and set the host name:

    hostnamectl set-hostname client1 && \
    DOMAINNAME="samba.testdomain" && \
    SERVERIP=<DOMAIN SERVER IP> && \
    echo -e "name_servers=$SERVERIP\nsearch_domains=$DOMAINNAME" >> /etc/resolvconf.conf && \
    reboot

Join the domain, specifying Winbind:

    # realm join --verbose --client-software=winbind samba.testdomain --user Administrator

Expected result: the machine joins the domain successfully, without errors.

Actual result:

     * Resolving: _ldap._tcp.samba.testdomain
     * Performing LDAP DSE lookup on: XXX
     * Performing LDAP DSE lookup on: XXX
     * Successfully discovered: samba.testdomain
    Пароль для Administrator:
     * Required files: /usr/sbin/winbindd, /usr/bin/wbinfo, /usr/bin/net
     * LANG=C LOGNAME=root /usr/bin/net --configfile /var/cache/realmd/realmd-smb-conf.DTFBA2 -U Administrator --use-kerberos=required ads join samba.testdomain
    Password for [SAMBA\Administrator]:DNS update failed: NT_STATUS_INVALID_PARAMETER

    Using short domain name -- SAMBA
    Joined 'CLIENT1' to dns domain 'samba.testdomain'
    No DNS domain configured for client1. Unable to perform DNS Update.
     * LANG=C LOGNAME=root /usr/bin/net --configfile /var/cache/realmd/realmd-smb-conf.DTFBA2 -U Administrator ads keytab create
    Password for [SAMBA\Administrator]:
     * /sbin/chkconfig winbind on
    Внимание: Отправляется запрос 'systemctl enable winbind.service'.
    Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable winbind
    Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /lib/systemd/system/winbind.service.
     * /sbin/service winbind restart
     * /usr/sbin/control system-auth winbind
     * Successfully enrolled machine in realm

Note: Judging by Google, this is a fairly common problem when running
winbind. alterator-auth, for one, uses the --no-dns-updates option.

    # cat /usr/sbin/system-auth | grep -E "\-\-no-dns-updates"
        $net_cmd ads join --use-kerberos=required --no-dns-updates --use-krb5-ccache="$krb_ccache_name" $OU osName="$OS_NAME" osVer="$OS_VER"
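
A check over captured `realm join --verbose` output like the one in this report, as an added example that is not part of the original report or of realmd: it flags a join that ends with "Successfully enrolled machine in realm" although the DNS update failed. The function names and the sample log (constructed from lines quoted above) are assumptions, as is reading "No DNS domain configured" as a host name without a domain part.

```shell
#!/bin/sh
# Added example, not from the bug report or realmd. Function names are hypothetical.

# Sample log, constructed from lines quoted in the report above.
sample_log() {
cat <<'EOF'
 * Successfully discovered: samba.testdomain
Password for [SAMBA\Administrator]:DNS update failed: NT_STATUS_INVALID_PARAMETER
Joined 'CLIENT1' to dns domain 'samba.testdomain'
No DNS domain configured for client1. Unable to perform DNS Update.
 * Successfully enrolled machine in realm
EOF
}

# Reads a join log on stdin and prints one verdict:
#   ok             enrolled, no DNS update error in the log   (status 0)
#   not-joined     no enrolment success line                  (status 1)
#   dns-no-domain  enrolled, but the host had no DNS domain   (status 2)
#   dns-failed     enrolled, DNS update failed otherwise      (status 2)
classify_join_log() {
    log=$(cat)
    case $log in
        *"Successfully enrolled machine in realm"*) ;;
        *) echo not-joined; return 1 ;;
    esac
    case $log in
        *"No DNS domain configured for "*) echo dns-no-domain; return 2 ;;
        *"DNS update failed: "*)           echo dns-failed;    return 2 ;;
    esac
    echo ok
}

# Pre-flight check before joining: does the host name carry a DNS domain part?
# Assumption: "No DNS domain configured" refers to a name without one.
has_dns_domain() {
    case $1 in
        .*|*.|*..*) return 1 ;;   # empty label: malformed
        *.*)        return 0 ;;   # e.g. client1.samba.testdomain
        *)          return 1 ;;   # short name, e.g. client1
    esac
}

sample_log | classify_join_log || :   # prints: dns-no-domain
```
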