[Bug 1906627] Re: adcli fails, can't contact LDAP server
Ubuntu Foundations Team Bug Bot
1906627 at bugs.launchpad.net
Sat Dec 5 00:34:01 UTC 2020
The attachment "Debdiff for adcli on Bionic" seems to be a debdiff. The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff. If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1906627
Title:
adcli fails, can't contact LDAP server
Status in adcli package in Ubuntu:
Fix Released
Status in cyrus-sasl2 package in Ubuntu:
Confirmed
Status in adcli source package in Bionic:
In Progress
Status in cyrus-sasl2 source package in Bionic:
In Progress
Bug description:
Package: adcli
Version: 0.8.2-1ubuntu1
Release: Ubuntu 18.04 LTS
When trying to join the domain with this new version of adcli, it gets
to the point of 'Using GSS-SPNEGO for SASL bind' and then it will not
do anything for 10 minutes. It will then fail, complaining it can't
reach the LDAP server.
Logs:
Dec 03 01:39:50 example001.domain.com realmd[6419]: * Authenticated as user: domain-join-account at DOMAIN.COM
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:39:50 example001.domain.com realmd[6419]: * Authenticated as user: domain-join-account at DOMAIN.COM
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:39:50 example001.domain.com realmd[6419]: * Using GSS-SPNEGO for SASL bind
Dec 03 01:39:50 example001.domain.com realmd[6419]: * Using GSS-SPNEGO for SASL bind
Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
Dec 03 01:55:27 example001.domain.com realmd[6419]: ! Couldn't lookup domain short name: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: ! Couldn't lookup domain short name: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using fully qualified name: example001.domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using fully qualified name: example001.domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using domain name: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using domain name: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using computer account name: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using computer account name: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using domain realm: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using domain realm: domain.com
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Calculated computer account name from fqdn: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Calculated computer account name from fqdn: EXAMPLE001
Dec 03 01:55:27 example001.domain.com realmd[6419]: * With user principal: host/example001.domain.com at DOMAIN.COM
Dec 03 01:55:27 example001.domain.com realmd[6419]: * With user principal: host/example001.domain.com at DOMAIN.COM
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Generated 120 character computer password
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Generated 120 character computer password
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using keytab: FILE:/etc/krb5.keytab
Dec 03 01:55:27 example001.domain.com realmd[6419]: * Using keytab: FILE:/etc/krb5.keytab
Dec 03 01:55:27 example001.domain.com realmd[6419]: ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
Dec 03 01:55:27 example001.domain.com realmd[6419]: process exited: 6459
Dec 03 01:55:27 example001.domain.com realmd[6419]: ! Failed to join the domain
Dec 03 01:55:27 example001.domain.com realmd[6419]: ! Failed to join the domain
On the network level, adcli gets to the point of send an ldap query to
the domain controller and the domain controller returns an ack tcp
packet, but then there is no more traffic between the domain
controller and the server except for ntp packets until it fails.
The domain controller traffic also shows that it is receiving the ldap
query packet from the server but it never sends a reply and there is
no log in directory services regarding the query. We also couldn't
find anything in procmon regarding this query either.
Workaround/Fix:
Downgrading the adcli package back to version 0.8.2-1 fixes the issues and domain join works properly again.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions
More information about the Ubuntu-sponsors
mailing list