Bug 49841 - WERR_INVALID_COMPUTERNAME when configuring with Windows AD
Summary: WERR_INVALID_COMPUTERNAME when configuring with Windows AD
Status: NEW
Alias: None
Product: Branch p10
Classification: Unclassified
Component: cepces
Version: not specified
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Evgeny Sinelnikov
QA Contact: qa-p10@altlinux.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-29 20:47 MSK by Evgeny Shesteperov
Modified: 2024-03-29 20:48 MSK
CC: 0 users

See Also:


Attachments
Detailed description (125.61 KB, application/pdf), 2024-03-29 20:47 MSK, Evgeny Shesteperov
cepces.log (22.40 KB, text/x-log), 2024-03-29 20:48 MSK, Evgeny Shesteperov

Description Evgeny Shesteperov 2024-03-29 20:47:38 MSK
Created attachment 15763 [details]
Detailed description

Version

-   cepces-0.3.7-alt1
-   samba-4.19.4-alt1

Steps to reproduce

A document with more detailed steps is attached to the bug.

1.  Deploy Windows AD as the domain.

2.  Configure Certificate Services.

3.  Configure server certificate autoenrollment:
    https://learn.microsoft.com/ru-ru/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment

4.  Set up a shared folder on the server for transferring the certificates.

5.  Configure the IIS server.

6.  Configure the clients:

        mkdir -p /mnt/adshare && mount -v -t cifs -o user=Admin //addc.windows.testdomain/share /mnt/adshare && l /mnt/adshare
        cp /mnt/adshare/windowsad.cer /etc/pki/ca-trust/source/anchors/ && update-ca-trust && trust list | grep windows
        cp /mnt/adshare/windowsad-root.cer /etc/pki/ca-trust/source/anchors/ && update-ca-trust && trust list | grep windows-addc-ca -i
        apt-get install -y cepces cepces-certmonger python3-module-cepces samba-gpupdate
        mkdir -p /etc/pki/trust/anchors

7.  Configure cepces with the default settings:

        sed -i "s/^server=.*/server=addc.windows.testdomain/" /etc/cepces/cepces.conf && grep 'server=' /etc/cepces/cepces.conf

8.  Make sure cepces is registered with certmonger on the client:

        # getcert list-cas -c cepces

9.  Run the command:

        # samba-gpupdate --rsop

Expected result: a certificate request is present

    . . . . .
      CSE: gp_cert_auto_enroll_ext
      ------------------------------------------
        Policy Type: Auto Enrollment Policy
        ------------------------------------------
        [ windows-ADDC-CA ] = 
          [ CA Certificate ] = 
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
          [ Auto Enrollment Server ] = addc.windows.testdomain
          [ Templates ] = 
            [ Machine ]
    . . . . .

Actual result: an error:

    Traceback (most recent call last):
      File "/usr/lib64/python3/site-packages/samba/gp/gpclass.py", line 764, in site_dn_for_machine
        site_name = c.netr_DsRGetSiteName(hostname)
    samba.WERRORError: (1210, 'WERR_INVALID_COMPUTERNAME')

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/sbin/samba-gpupdate", line 131, in <module>
        rsop(lp, creds, store, gp_extensions, username, opts.target)
      File "/usr/lib64/python3/site-packages/samba/gp/gpclass.py", line 1041, in rsop
        gpos = get_gpo_list(dc_hostname, creds, lp, username)
      File "/usr/lib64/python3/site-packages/samba/gp/gpclass.py", line 869, in get_gpo_list
        site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
      File "/usr/lib64/python3/site-packages/samba/gp/gpclass.py", line 772, in site_dn_for_machine
        raise ldb.LdbError(ldb.ERR_NO_SUCH_OBJECT,
    _ldb.LdbError: (32, 'site_dn_for_machine: no result')

Not reproducible in Sisyphus:

-   cepces-0.3.8-alt1
-   samba-4.19.5-alt2
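An added check, not part of the report or of samba-gpupdate itself: it parses the gp_cert_auto_enroll_ext section of `samba-gpupdate --rsop` output (the bracketed layout is assumed only from the expected result shown above) and recognises the WERROR line from the failing run, so a script can tell the two outcomes apart. Both inputs are constructed samples, with the PEM body elided.

```python
import re

# Constructed samples based on the report: the expected RSoP fragment (PEM body
# elided) and the last line of the first traceback from the failing run.
RSOP_OK = """\
  CSE: gp_cert_auto_enroll_ext
    [ windows-ADDC-CA ] =
      [ CA Certificate ] =
-----BEGIN CERTIFICATE-----
MIIDeTCC...certificate body elided in this constructed sample...
-----END CERTIFICATE-----
      [ Auto Enrollment Server ] = addc.windows.testdomain
      [ Templates ] =
        [ Machine ]
"""
RSOP_FAIL = "Traceback (most recent call last):\nsamba.WERRORError: (1210, 'WERR_INVALID_COMPUTERNAME')\n"

KEY_RE = re.compile(r"^(\s*)\[ (.+?) \](?:\s*=\s*(.*))?$")
WERR_RE = re.compile(r"samba\.WERRORError: \((\d+), '(\w+)'\)")

def detect_werror(text):
    m = WERR_RE.search(text)
    return (int(m.group(1)), m.group(2)) if m else None

def parse_autoenroll(text):
    """Parse the gp_cert_auto_enroll_ext CSE block into {ca: {server, templates, cert_pem}}."""
    cas, ca, ca_indent, field, field_indent, in_cse = {}, None, None, None, 0, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("CSE:"):           # entering or leaving our extension's block
            in_cse = s == "CSE: gp_cert_auto_enroll_ext"
            continue
        if not in_cse or not s:
            continue
        m = KEY_RE.match(line)
        if not m:                          # PEM text lines follow '[ CA Certificate ]'
            if field == "CA Certificate":
                ca["cert_pem"].append(s)
            continue
        indent, key, value = len(m.group(1)), m.group(2), (m.group(3) or "").strip()
        if ca_indent is None or indent == ca_indent:   # a new CA entry
            ca_indent, field = indent, None
            ca = cas.setdefault(key, {"server": None, "templates": [], "cert_pem": []})
        elif field == "Templates" and indent > field_indent:
            ca["templates"].append(key)
        else:                              # a field of the current CA
            field, field_indent = key, indent
            if key == "Auto Enrollment Server":
                ca["server"] = value
    return cas
```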
Comment 1 Evgeny Shesteperov 2024-03-29 20:48:06 MSK
Created attachment 15764 [details]
cepces.log