Windows Server 2025 domain join fail Message stream modified #7751
Comments
Please report this against https://gitlab.freedesktop.org/realmd/adcli/-/issues Or do I miss something and there are also issues with SSSD? |
Will do.
|
@nerdpyle I have received a confirmation from Steve Syfuhs that it is indeed a regression in Windows Server 2025: https://hachyderm.io/@SteveSyfuhs/113652185587416636
|
Aha good man, Steve came through. Thanks!
@nerdpyle<https://github.com/nerdpyle> I have received a confirmation from Steve Syfuhs that it is indeed a regression in Windows Server 2025:
***@***.***/113652185587416636
yeah it's a bug on our end. Spec is right. We're fixing the bug. Our
crypto agility overhaul to include sha256/384 introduced it. Amazingly
we even have a test for this exact thing...that mocked out the relevant
response check. Oops.
|
Any PR linked to this? or related issues? |
This is a regression in Windows Server 2025: |
Repro environment
Ubuntu 24.04.1 LTS
Repro
sudo apt -y update && sudo apt upgrade -y
sudo apt -y install libnss-sss libpam-sss sssd sssd-tools adcli krb5-user
sudo hostnamectl set-hostname ubuntu-24-srv-01.corp.contoso.com
sudo nano /etc/krb5.conf
    [libdefaults]
    default_realm = CORP.CONTOSO.COM
    rdns = false
sudo adcli info corp.contoso.com
sudo nano /etc/sssd/sssd.conf
    [sssd]
    domains = corp.contoso.com
    config_file_version = 2
    services = nss
    [domain/acme.local]
    ad_domain = corp.contoso.com
    krb5_realm = CORP.CONTOSO.COM
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    ldap_id_mapping = True
    use_fully_qualified_names = false
    access_provider = ad
sudo chmod 600 /etc/sssd/sssd.conf
sudo adcli join --domain CORP.CONTOSO.COM --service-name=cifs --computer-name UBUNTU-24-SRV-01 --host-fqdn ubuntu-24-srv-01.CORP.CONTOSO.COM -v -U administrator
    Password for [email protected]:
    ! Couldn't set password for computer account: UBUNTU-24-SRV-01$: Message stream modified
    adcli: joining domain CORP.CONTOSO.COM failed: Couldn't set password for computer account: UBUNTU-24-SRV-01$: Message stream modified
This works fine with the exact same libs, syntax, and Linux OS joining a WS2019 DC domain (in 2012R2 DFL/FFL) and a WS2022 DC domain (in WS2016 DFL/FFL).
Two significant things that changed with WS2025 domains:
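An added triage helper, not part of the original issue or of adcli: it reads saved `adcli join -v` output and reports whether the failure matches the signature in the report above (setting the computer account password fails with "Message stream modified"), which the thread attributes to the domain controller rather than to local SSSD or krb5 configuration. The function names and output labels are assumptions made for this example; the sample lines are the two error lines quoted in the report.

```shell
#!/bin/sh
# classify_join_log: read `adcli join -v` output on stdin and print one line:
#   set-password-stream-modified <account> <realm>
#   other-join-failure <realm>
#   no-failure
# It matches text only; it cannot tell which Windows Server version answered.
classify_join_log() {
    awk '
        # Join reached the machine password step and the Kerberos
        # library reported "Message stream modified".
        /Couldn.t set password for computer account: .*: Message stream modified/ {
            line = $0
            sub(/.*computer account: /, "", line)
            sub(/: Message stream modified.*/, "", line)
            account = line
        }
        # Final adcli summary line; field 4 is the realm being joined.
        /^adcli: joining domain .* failed/ {
            realm = $4
            failed = 1
        }
        END {
            if (realm == "") realm = "-"
            if (account != "")  print "set-password-stream-modified", account, realm
            else if (failed)    print "other-join-failure", realm
            else                print "no-failure"
        }
    '
}

# Sample input: the two error lines quoted in the report above.
sample_failed_join() {
    cat <<'EOF'
 ! Couldn't set password for computer account: UBUNTU-24-SRV-01$: Message stream modified
adcli: joining domain CORP.CONTOSO.COM failed: Couldn't set password for computer account: UBUNTU-24-SRV-01$: Message stream modified
EOF
}

# Stand-alone run on the sample; for real use: classify_join_log < join.log
sample_failed_join | classify_join_log
```

A `set-password-stream-modified` result against a Windows Server 2025 domain controller points at the regression confirmed in the comments above.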