domain join with --use-ldaps still uses port 389 for "LDAP ping"
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ADC |
Fix Released
|
Unknown
|
|||
| adcli (Ubuntu) |
Triaged
|
Low
|
Unassigned | ||
Bug Description
Attempting to join an Active Directory domain with realmd / adcli on Ubuntu 22.04 with the --use-ldaps switch (to force 636) still results with communication trying to happen over port 389. This appears to affect adcli version 0.9.1-1ubuntu2 that comes with Ubuntu 22.04 LTS, as an attempt on Ubuntu 20.04 LTS (with adcli version 0.9.0-1ubuntu0.
Based steps off of AWS-documented process to manually join a Linux machine to Active Directory, found here:
https:/
For the sake of simplifying things and not dragging realmd into this, we'll just use adcli for the join instead of realmd (as realmd just calls adcli under the covers anyway).
What I expected to happen:
The domain join process communicates with the domain controllers over port 636 and proceeds normally.
What happened instead:
The domain join process hangs on sending the NetLogon ping to each domain controller with the error "Couldn't perform discovery search: Can't contact LDAP server". Firewall logs show outbound traffic to the domain controllers over port 389.
Steps to reproduce:
1. Block port 389 with ufw: sudo ufw allow ssh; sudo ufw deny out 389; sudo ufw enable. Could also just confirm the 389 traffic by monitoring network/cloud firewall logs.
2. Install required packages: sudo apt -y install adcli sssd realmd krb5-user samba-common packagekit
3. Update krb5.conf as shown in the AWS document.
4. Execute the adcli join command: sudo adcli join --use-ldaps example.com -U example_user --verbose
| Andreas Hasenack (ahasenack) wrote | #1 |
| summary: |
- domain join with --use-ldaps using port 389 + domain join with --use-ldaps still uses port 389 for NetLogon ping |
| summary: |
- domain join with --use-ldaps still uses port 389 for NetLogon ping + domain join with --use-ldaps still uses port 389 for "LDAP ping" |
| Changed in adcli (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| importance: | Medium → Low |
| Changed in adc: | |
| status: | Unknown → New |
| Changed in adc: | |
| status: | New → Fix Released |
| Sergio Durigan Junior (sergiodj) wrote | #3 |
| Andreas Hasenack (ahasenack) wrote | #4 |
> This appears to affect adcli version 0.9.1-1ubuntu2 that comes with Ubuntu 22.04 LTS, as an
> attempt on Ubuntu 20.04 LTS (with adcli version 0.9.0-1ubuntu0.
Turns out focal is also affected, but you didn't capture it in your network sniffer, or by the iptables block, because in focal openldap has CLDAP support (connection-less ldap), which means said NetLogon ping happens via UDP:
root@f-
* Using domain name: INTERNAL.
* Calculated computer account name from fqdn: F-ADCLI-REALMD
* Calculated domain realm from name: INTERNAL.
* Discovering domain controllers: _ldap._
* Sending NetLogon ping to domain controller: win-kriet1e5elo
* Received NetLogon info from: WIN-KRIET1E5ELO
* Using LDAPS to connect to win-kriet1e5elo
* Wrote out krb5.conf snippet to /tmp/adcli-
! Couldn't authenticate as machine account: F-ADCLI-REALMD: Client 'F-ADCLI-
Password for <email address hidden>:
root@f-
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
20:22:52.902443 IP 10.0.16.12.56068 > 10.0.16.5.389: UDP, length 89
20:22:52.902920 IP 10.0.16.5.389 > 10.0.16.12.56068: UDP, length 205
I will file an issue with adcli upstream, because it will fallback[1] to "ldap" (instead of "ldaps" if --use-ldaps was given) if CLDAP is not supported.
For what is worth, the NetLogon ping/discovery is this type of query, and it seems to work fine via ldaps:
root@j-
dn:
netlogon:: FwAAAP3zAwBx2l+
1. https:/
2. https:/