Bug 211706

Summary: Can't join an ADS with YaST samba-client module due missing realm
Product: [openSUSE] openSUSE 10.2
Reporter: Andreas Schneider <anschneider>
Component: YaST2
Assignee: Guenther Deschner <gd>
Status: RESOLVED FIXED
QA Contact: Jiri Srain <jsrain>
Severity: Normal
Priority: P5 - None
CC: jsuchome, lmuelle, ralf, samba-maintainers
Version: Alpha 5
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  YaST2 log file
  patch for /usr/share/YaST2/modules/SambaNetJoin.pm
  Patch for SambaNetJoin Yast2 Module

Description Andreas Schneider 2006-10-11 17:59:43 UTC
If you want to join an ADS, you get an error message that samba could not find the default realm for kinit.

It works just fine if you do it manually. (kinit, net ads join)

YaST log follows as attachment

Comment 1 Andreas Schneider 2006-10-11 18:01:21 UTC
Created attachment 101247
YaST2 log file

Comment 2 Jiří Suchomel 2006-10-12 08:03:20 UTC
And what is your correct realm?
What does "net ads info -S $server" (where $server is your AD server) report?

Comment 3 Andreas Schneider 2006-10-12 08:34:01 UTC
krikkit:~ # net ads info -S g234.suse.de
Failed to get server's current time!
LDAP server: 10.10.103.234
LDAP server name: sbs2003.SBS-TEST.site
Realm: SBS-TEST.SITE
Bind Path: dc=SBS-TEST,dc=SITE
LDAP port: 389
Server time: Thu, 01 Jan 1970 01:00:00 CET
KDC server: 10.10.103.234
Server time offset: 0

Comment 4 Jiří Suchomel 2006-10-12 08:57:16 UTC
According to the logs, yast2-samba-client tried to use SBS-TEST.SITE. Maybe your configuration is wrong.

Comment 5 Andreas Schneider 2006-10-12 09:41:45 UTC
Which configuration? The yast2-samba-client creates its own samba and kerberos configuration. If I set up a configuration manually and join the domain with the command line tools, it works just fine.

Comment 6 Jiří Suchomel 2006-10-12 10:30:41 UTC
Created attachment 101291
patch for /usr/share/YaST2/modules/SambaNetJoin.pm

Please patch your /usr/share/YaST2/modules/SambaNetJoin.pm, run yast2-samba-client again and when (during the join) the popup opens, fetch the temporary krb.conf file (found at the location the popup tells you about) and attach it to the bug.
(The file is removed after the YaST module is finished).

Comment 7 Andreas Schneider 2006-10-12 12:47:29 UTC
Yes, the default_realm is missing. Fix follows as attachment.

Comment 8 Andreas Schneider 2006-10-12 12:48:15 UTC
Created attachment 101304
Patch for SambaNetJoin Yast2 Module

Comment 9 Jiří Suchomel 2006-10-12 12:54:31 UTC
Well, but isn't this a bug? Why should krb.conf need to contain the "default_realm" key when it already provides the "realm" and the value is the same?

It worked before, so I wonder if something has changed in samba tools or if you have non-standard environment.

Guenther, could you comment?

Comment 10 Jiří Suchomel 2006-10-23 08:27:30 UTC
Guenther, Lars, please comment.

Comment 11 Guenther Deschner 2006-10-24 09:58:03 UTC
Yes, the new join code in 3.0.23c changes things. We have a patch to allow to define the realm as part of the username, so that yast can join like

net ads join -U administrator@MY.REALM%password

Digging that up, hold on.

Comment 12 Guenther Deschner 2006-10-24 12:01:14 UTC
Test package is at: http://w3.suse.de/~gd/samba-join-fix/

Jiri, Andreas, could you please have a look?

Comment 13 Guenther Deschner 2006-10-24 15:18:13 UTC
Now packages live at:
http://w3.suse.de/~gd/samba-join-fix-i386 or http://w3.suse.de/~gd/samba-join-fix-x86_64/

Comment 14 Jiří Suchomel 2006-10-25 12:05:50 UTC
Do I understand it right? Does yast2-samba-client really have to change the way it calls the join command (comment #11)?

Currently, the realm is given in the temporary krb5.conf file and the join command looks like "KRB5_CONFIG=$tmp_krb_file net ads join -U administrator%password". AFAIK the problem Andreas pointed out occurs when the krb.conf file doesn't contain the "default_realm" key (while it _does_ contain the "realm"!). This is a change from previous versions (see comment #9) - couldn't it just be fixed back, so the "default_realm" is not needed when "realm" is present?

If you really want to change the join command to include the realm, is the temporary krb.conf file still necessary?

Comment 15 Guenther Deschner 2006-10-26 18:53:50 UTC
(In reply to comment #14)
> Do I understand it right? Does yast2-samba-client really have to change the way
> it calls the join command (comment #11)?

No, but we needed to handle the case that you don't.

> Currently, the realm is given in the temporary krb5.conf file and the join
> command looks like "KRB5_CONFIG=$tmp_krb_file net ads join -U
> administrator%password". AFAIK the problem Andreas pointed out occurs when
> the krb.conf file doesn't contain the "default_realm" key (while it _does_
> contain the "realm"!). This is a change from previous versions (see comment
> #9) - couldn't it just be fixed back, so the "default_realm" is not needed
> when "realm" is present?

It should be fixed by now, but I need to do some more testing myself.

> If you really want to change the join command to include the realm, is the
> temporary krb.conf file still necessary?

Let me check.

Comment 16 Guenther Deschner 2006-10-27 13:36:26 UTC
Having the temp. krb5.conf is still correct. No change required in that regard. With our currently committed samba package (apart from your very recent join fix in bug #215645) the joining was successful for me again.

Comment 17 Jiří Suchomel 2006-10-27 13:41:56 UTC
So I assume the problem is fixed in samba tools and no change in YaST needs to be done for this issue.
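
A pre-flight check for the condition identified in comment 7, added here as an example; it is not part of the bug report and is not YaST or Samba code. It verifies that a krb5.conf intended for `KRB5_CONFIG=... net ads join` has `default_realm` in `[libdefaults]` and a matching `[realms]` stanza. The function names are hypothetical and the two sample files are constructed from the realm and KDC reported in comment 3.

```shell
#!/bin/sh
# Added example (not YaST or Samba code); function names are hypothetical.

# Print default_realm from [libdefaults]; exit status 1 if the key is absent.
krb5_default_realm() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
        s == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit
        }
        END { exit !found }' "$1"
}

# Succeed only if [realms] holds a "REALM = {" stanza for the realm in $2.
krb5_has_realm_stanza() {
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
        s == "realms" && /=[ \t]*[{]/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == realm) { found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Return 0 if the file is usable for a join, 1 or 2 with a reason otherwise.
check_krb5_for_join() {
    realm=$(krb5_default_realm "$1") || { echo "missing default_realm"; return 1; }
    krb5_has_realm_stanza "$1" "$realm" || { echo "no [realms] entry for $realm"; return 2; }
    echo "ok $realm"
}

# Constructed sample files; only the realm and KDC values come from comment 3.
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
realms='[realms]
    SBS-TEST.SITE = {
        kdc = 10.10.103.234
    }'
printf '[libdefaults]\n    dns_lookup_kdc = false\n%s\n' "$realms" > "$tmpdir/bad.conf"
printf '[libdefaults]\n    default_realm = SBS-TEST.SITE\n%s\n' "$realms" > "$tmpdir/good.conf"

check_krb5_for_join "$tmpdir/bad.conf" || true   # realm defined, default_realm absent
check_krb5_for_join "$tmpdir/good.conf"
```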