I am having problems with adcli on Ubuntu 18.04, which was recently updated with the ldaps option.
It seems it cannot find the AD short name, and it also fails to connect to LDAP even when the CA is specified in the command and with /etc/ldap/ldap.conf.
I also tried setting ldap_uri in the SSSD configuration, with no luck either.
me@lnx-node-1:~# LDAPTLS_CACERT=/usr/local/share/ca-certificates/domain-ca.pem adcli join -U me-admin --domain=ad.somewhere.com -v
* Using domain name: AD.SOMEWHERE.COM
* Calculated computer account name from fqdn: LNX-NODE-1
* Calculated domain realm from name: AD.SOMEWHERE.COM
* Discovering domain controllers: _ldap._tcp.AD.SOMEWHERE.COM
* Sending netlogon pings to domain controller: ldap://[####:650:###:d314::dc1]
* Sending netlogon pings to domain controller: cldap://####.###.160.19
* Sending netlogon pings to domain controller: ldap://[####:630:###:d314::dc4]
* Sending netlogon pings to domain controller: cldap://###.###.160.59
* Sending netlogon pings to domain controller: ldap://[####:630:###:e010::dc2]
* Received NetLogon info from: itsdc-1.ad.somewhere.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-H8CKiH/krb5.d/adcli-krb5-conf-vv3c80
Password for [email protected]:
* Authenticated as user: [email protected]
* Using GSS-SPNEGO for SASL bind
* ! Couldn't lookup domain short name: Can't contact LDAP server
* Using fully qualified name: lnx-node-1.ad.somewhere.com
* Using domain name: AD.SOMEWHER.COM
* Using computer account name: LNX-NODE-1
* Using domain realm: AD.SOMEWHER.COM
* Calculated computer account name from fqdn: LNX-NODE-1
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
! Couldn't lookup computer account: LNX-NODE-1$: Can't contact LDAP server
adcli: joining domain AD.SOMEWHERE.COM failed: Couldn't lookup computer account: LNX-NODE-1$: Can't contact LDAP server
UPDATE: Managed a temporary workaround by downgrading the adcli package with apt install adcli=0.8.2-1; a fix is still needed.
Answer 1
There appears to be an issue reported here:
https://bugs.launchpad.net/ubuntu/bionic/+source/adcli/+bug/1906627
apt no longer installs the broken version (0.8.2-1ubuntu1) of this package.
apt-cache policy adcli
adcli:
Installed: 0.8.2-1
Candidate: 0.8.2-1
Version table:
*** 0.8.2-1 500
500 http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
100 /var/lib/dpkg/status
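The check shown in the answer can be scripted across a fleet. The following is an added example, not part of the original answer: it classifies `apt-cache policy adcli` output against the broken version named in this thread. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. The version string is the one the thread names as broken.
BROKEN_VERSION="0.8.2-1ubuntu1"

# Reads `apt-cache policy adcli` output on stdin and prints one of:
#   broken-installed  the regressed build is installed now
#   broken-candidate  the next upgrade would pull in the regressed build
#   ok                neither Installed nor Candidate is the regressed build
#   unknown           Installed/Candidate lines could not be parsed
classify_adcli_policy() {
    policy=$(cat)
    installed=$(printf '%s\n' "$policy" | awk '$1 == "Installed:" { print $2; exit }')
    candidate=$(printf '%s\n' "$policy" | awk '$1 == "Candidate:" { print $2; exit }')
    if [ -z "$installed" ] || [ -z "$candidate" ]; then
        echo unknown
    elif [ "$installed" = "$BROKEN_VERSION" ]; then
        echo broken-installed
    elif [ "$candidate" = "$BROKEN_VERSION" ]; then
        echo broken-candidate
    else
        echo ok
    fi
}

# Constructed sample: the state shown in the answer above.
sample_ok() {
    cat <<'EOF'
adcli:
  Installed: 0.8.2-1
  Candidate: 0.8.2-1
EOF
}

# Constructed sample: downgraded host whose package lists still offer the bad build.
sample_broken_candidate() {
    cat <<'EOF'
adcli:
  Installed: 0.8.2-1
  Candidate: 0.8.2-1ubuntu1
EOF
}

echo "answer's host:   $(sample_ok | classify_adcli_policy)"
echo "downgraded host: $(sample_broken_candidate | classify_adcli_policy)"
```

On a real host, pipe the live output in with `apt-cache policy adcli | classify_adcli_policy`; a `broken-candidate` result means the downgrade will be undone by the next upgrade unless the package is held (`apt-mark hold adcli`).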