Bug 14363 - net ads join create object with invalid dnsname and host/ principals
Summary: net ads join create object with invalid dnsname and host/ principals
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.9.2
Hardware: All All
: P5 regression (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-03 17:19 UTC by Jeffrey Clark
Modified: 2020-05-03 19:23 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeffrey Clark 2020-05-03 17:19:04 UTC
`net ads join` dNSname change went into 4.10, and subsequently CentOS 7.8.2003 which results in an invalid value on the object in AD, and incorrect service principals being created on join.

Old behavior, use the system reported fqdn for the dNSname.

New behavior, append the netbios name and the realm.

Although there was a new parameter added to provide a way for "addtional dns names", there are two problems with this approach.

1. An AD model which restricts creating additional principals on join (eg. join only account), doesn't allow these additional principals.
2. Assuming the netbios + realm result in a resolvable dnsname doesn't account for use cases where the system being joined is in a different dns domain.

There doesn't seem to be a way to override this assumption with a parameter.

Results in the incorrect dNSdomain value in the DC object, and host/ service principals that can't be used.

Considering there are options to set the realm, netbios name, and additional dns names, it would seem reasonable to also allow overriding the assumed (default) dnsname?

My specific use case. Satellite offices and dev environments have their own dns domain, but not a local DC or realm, and join the region or head-office DC which may have a different realm and/or dns domain.


Changed with bug 14116
https://gitlab.com/samba-team/samba/-/merge_requests/765

Other possibly related issues with the changes:
https://access.redhat.com/solutions/4758031