author Sumit Bose <sbose@redhat.com> 2022-01-15 20:23:50 +0100
committer Sumit Bose <sbose@redhat.com> 2022-09-27 15:48:45 +0200
commit 8183e456008b9ddb495143f663ad9d56851aeb19
tree 2a3345d5f05bc98c671e48b461989271174b98c4 /doc
parent 1a6e1d520ce0376a9a44b649ef08085881c87bb4
adenroll: set password via LDAP instead Kerberos
Use LDAP add/mod operation instead of Kerberos to set the machine account password. There was an issue in AD where if PacRequestorEnforcement was set to '2' setting the machine account password via Kerberos would be rejected. This is already fixed on the AD side but this patch, which was created with the help of David Mulder <dmulder@suse.com>, might still be useful if setting the machine account password with Kerberos might fail.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2039349
Resolves: https://gitlab.freedesktop.org/realmd/adcli/-/issues/27
Diffstat (limited to 'doc')
-rw-r--r-- doc/adcli.xml 22
1 files changed, 22 insertions, 0 deletions
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 324ce06..93e1520 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -426,6 +426,17 @@ Password for Administrator:
be used to specific an alternative location with the
help of an absolute path.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--ldap-passwd</option></term>
+ <listitem><para>Use LDAP add/mod operations to set the
+ machine account password instead of Kerberos. This
+ might help in some situations where Kerberos fails or
+ is unreliable. But please note that 'Change password'
+ or 'Reset password' permissions or similar might be
+ needed to make the LDAP operation work. Additionally
+ there will be no read-only domain controller (RODC)
+ support as there is with Kerberos.</para></listitem>
+ </varlistentry>
</variablelist>
<para>If supported on the AD side the
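Review bot: in the added --ldap-passwd entry, "'Change password' or 'Reset password' permissions or similar might be needed" leaves whoever delegates join rights guessing; name the exact right the LDAP add/mod path requires instead of "or similar", and drop the sentence-initial "But please note that". The entry also only says the option "might help in some situations where Kerberos fails or is unreliable", while the commit message names a concrete trigger (PacRequestorEnforcement set to '2'); one clause pointing at that case would tell readers when to reach for the option. The RODC sentence would be more useful if it said what the user sees when the option is used against an RODC.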
@@ -621,6 +632,17 @@ $ adcli update --login-ccache=/tmp/krbcc_123
be used to specific an alternative location with the
help of an absolute path.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--ldap-passwd</option></term>
+ <listitem><para>Use LDAP add/mod operations to set the
+ machine account password instead of Kerberos. This
+ might help in some situations where Kerberos fails or
+ is unreliable. But please note that 'Change password'
+ or 'Rest password' permissions or similar might be
+ needed to make the LDAP operation work. Additionally
+ there will be no read-only domain controller (RODC)
+ support as there is with Kerberos.</para></listitem>
+ </varlistentry>
</variablelist>
<para>If supported on the AD side the
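Review bot: the added paragraph in this second hunk has 'Rest password' where the first hunk has 'Reset password'; fix the typo so both entries read the same. Since the two entries are otherwise word-for-word copies, any wording change made to one needs to be mirrored in the other. The unchanged context line above the addition ("be used to specific an alternative location") also carries a pre-existing typo, "specific" for "specify", which could be fixed in a follow-up.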