[Bug 1906627] Re: adcli fails, can't contact LDAP server

Ubuntu Foundations Team Bug Bot 1906627 at bugs.launchpad.net
Sat Dec 5 00:34:01 UTC 2020


The attachment "Debdiff for adcli on Bionic" seems to be a debdiff.  The
ubuntu-sponsors team has been subscribed to the bug report so that they
can review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1906627

Title:
  adcli fails, can't contact LDAP server

Status in adcli package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 package in Ubuntu:
  Confirmed
Status in adcli source package in Bionic:
  In Progress
Status in cyrus-sasl2 source package in Bionic:
  In Progress

Bug description:
  Package: adcli
  Version: 0.8.2-1ubuntu1
  Release: Ubuntu 18.04 LTS

  When trying to join the domain with this new version of adcli, it gets
  to the point of 'Using GSS-SPNEGO for SASL bind' and then it will not
  do anything for 10 minutes. It will then fail, complaining it can't
  reach the LDAP server.

  Logs:
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-account at DOMAIN.COM
  Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-account at DOMAIN.COM
  Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
  Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind
  Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using fully qualified name: example001.domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using fully qualified name: example001.domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain name: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain name: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using computer account name: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using computer account name: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain realm: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using domain realm: domain.com
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Calculated computer account name from fqdn: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Calculated computer account name from fqdn: EXAMPLE001
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * With user principal: host/example001.domain.com at DOMAIN.COM
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * With user principal: host/example001.domain.com at DOMAIN.COM
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Generated 120 character computer password
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Generated 120 character computer password
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using keytab: FILE:/etc/krb5.keytab
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  * Using keytab: FILE:/etc/krb5.keytab
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]: adcli: joining domain domain.com failed: Couldn't lookup computer account: EXAMPLE001$: Can't contact LDAP server
  Dec 03 01:55:27 example001.domain.com realmd[6419]: process exited: 6459
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain
  Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain

  On the network level, adcli gets to the point of sending an LDAP query to
  the domain controller and the domain controller returns a TCP ACK
  packet, but then there is no more traffic between the domain
  controller and the server except for NTP packets until it fails.

  The domain controller traffic also shows that it is receiving the LDAP
  query packet from the server, but it never sends a reply and there is
  no log in Directory Services regarding the query. We also couldn't
  find anything in procmon regarding this query either.

  Workaround/Fix:
  Downgrading the adcli package back to version 0.8.2-1 fixes the issues and domain join works properly again.
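The journal excerpt above shows the distinguishing signature of this bug: the GSS-SPNEGO SASL bind step is logged, then nothing for roughly fifteen minutes, then "Can't contact LDAP server". The following Python, an added example that is not part of the bug report, adcli or realmd, parses realmd journal lines and separates such a stalled bind from an immediate connectivity failure; the sample lines and the 60-second stall threshold are constructed for the example.

```python
"""Flag an adcli join that stalled at the GSS-SPNEGO SASL bind.

Added example (not adcli/realmd code): measures the gap between the
'Using GSS-SPNEGO for SASL bind' step and the first 'Can't contact LDAP
server' error in realmd journal lines.
"""
import re
from datetime import datetime

# Syslog-style journal prefix: "Dec 03 01:39:50 host unit[pid]: message"
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\w+)\[\d+\]:\s*(.*)$")
BIND_STEP = "Using GSS-SPNEGO for SASL bind"
LDAP_ERR = "Can't contact LDAP server"

def parse_line(line, year=2020):
    """Return (timestamp, unit, message) or None; journal lines lack a year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def analyse_join(lines, stall_seconds=60, year=2020):
    """Classify the join: a gap of minutes between bind step and LDAP error
    is the hang this bug describes; a gap of seconds is plain unreachability."""
    bind_at = err_at = None
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _unit, msg = parsed
        if BIND_STEP in msg and bind_at is None:
            bind_at = ts
        elif LDAP_ERR in msg and err_at is None:
            err_at = ts
    result = {"bind_seen": bind_at is not None, "failed": err_at is not None,
              "stalled": False, "gap_seconds": None}
    if bind_at is not None and err_at is not None:
        result["gap_seconds"] = (err_at - bind_at).total_seconds()
        result["stalled"] = result["gap_seconds"] > stall_seconds
    return result

# Constructed sample, trimmed from the journal excerpt in the report.
SAMPLE = [
    "Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Authenticated as user: domain-join-account at DOMAIN.COM",
    "Dec 03 01:39:50 example001.domain.com adcli[6459]: GSSAPI client step 1",
    "Dec 03 01:39:50 example001.domain.com realmd[6419]:  * Using GSS-SPNEGO for SASL bind",
    "Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Couldn't lookup domain short name: Can't contact LDAP server",
    "Dec 03 01:55:27 example001.domain.com realmd[6419]:  ! Failed to join the domain",
]

if __name__ == "__main__":
    print(analyse_join(SAMPLE))
```

On the sample, the gap is 937 seconds, so the join is reported as stalled rather than as an immediate failure.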

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+subscriptions