stephdl
(Stéphane de Labrusse)
February 11, 2017, 6:39am
1
Join the client to the realm with realmd.
Allow TCP/UDP 111,2049 on server firewall. Other ports not needed for v4.
yum install nfs-utils on both.
Add lines below to /etc/exports on server. Can possibly be simplified, needs further investigation.
Correctly set domain in /etc/idmapd.conf on both.
systemctl start nfs-idmap on both.
systemctl start nfs-server on server.
net -u administrator ads keytab add nfs on server.
systemctl start nfs-utils on client.
mount -t nfs4 -o sec=krb5p neth.example.com:/foo /mnt/foo on client.
Trying to follow this I miserably fail on the first command, I cannot reach the samba domain
realm join stephdl.dyndns.org
the logs are here
[root@leo lsd]# journalctl REALMD_OPERATION=r82457.12384
-- Logs begin at dim. 2017-01-29 19:41:40 CET, end at sam. 2017-02-11 07:36:37 CET. --
févr. 11 07:35:23 leo.lan realmd[12370]: * Resolving: _ldap._tcp.stephdl.dyndns.org
févr. 11 07:35:23 leo.lan realmd[12370]: * Resolving: stephdl.dyndns.org
févr. 11 07:35:23 leo.lan realmd[12370]: * Performing LDAP DSE lookup on: 192.168.12.69
févr. 11 07:35:23 leo.lan realmd[12370]: * Successfully discovered: stephdl.dyndns.org
févr. 11 07:35:35 leo.lan realmd[12370]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
févr. 11 07:35:35 leo.lan realmd[12370]: * LANG=C /usr/sbin/adcli join --verbose --domain stephdl.dyndns.org --domain-realm STEPHDL.DYNDNS.ORG --domain-controller 192.168.12.69 --login-type user --login-user Ad
févr. 11 07:35:35 leo.lan realmd[12370]: * Using domain name: stephdl.dyndns.org
févr. 11 07:35:35 leo.lan realmd[12370]: * Calculated computer account name from fqdn: LEO
févr. 11 07:35:35 leo.lan realmd[12370]: * Using domain realm: stephdl.dyndns.org
févr. 11 07:35:35 leo.lan realmd[12370]: * Sending netlogon pings to domain controller: cldap://192.168.12.69
févr. 11 07:35:37 leo.lan realmd[12370]: * Received NetLogon info from: nsdc-ns7dev2.stephdl.dyndns.org
févr. 11 07:35:37 leo.lan realmd[12370]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-SFOpyg/krb5.d/adcli-krb5-conf-5fAwHk
févr. 11 07:35:37 leo.lan realmd[12370]: ! Couldn't authenticate as: Administrator@STEPHDL.DYNDNS.ORG: Preauthentication failed
févr. 11 07:35:37 leo.lan realmd[12370]: adcli: couldn't connect to stephdl.dyndns.org domain: Couldn't authenticate as: Administrator@STEPHDL.DYNDNS.ORG: Preauthentication failed
févr. 11 07:35:37 leo.lan realmd[12370]: ! Failed to join the domain
I tried to use the password of admin and the default one of Nethesis,1234. If I use the password of Administrator I have a different error message
[root@leo lsd]# journalctl REALMD_OPERATION=r82827.12605
-- Logs begin at dim. 2017-01-29 19:41:40 CET, end at sam. 2017-02-11 07:41:44 CET. --
févr. 11 07:41:33 leo.lan realmd[12530]: * Resolving: _ldap._tcp.stephdl.dyndns.org
févr. 11 07:41:33 leo.lan realmd[12530]: * Resolving: stephdl.dyndns.org
févr. 11 07:41:33 leo.lan realmd[12530]: * Performing LDAP DSE lookup on: 192.168.12.69
févr. 11 07:41:33 leo.lan realmd[12530]: * Successfully discovered: stephdl.dyndns.org
févr. 11 07:41:44 leo.lan realmd[12530]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
févr. 11 07:41:44 leo.lan realmd[12530]: * LANG=C /usr/sbin/adcli join --verbose --domain stephdl.dyndns.org --domain-realm STEPHDL.DYNDNS.ORG --domain-controller 192.168.12.69 --login-type user --login-user Ad
févr. 11 07:41:44 leo.lan realmd[12530]: * Using domain name: stephdl.dyndns.org
févr. 11 07:41:44 leo.lan realmd[12530]: * Calculated computer account name from fqdn: LEO
févr. 11 07:41:44 leo.lan realmd[12530]: * Using domain realm: stephdl.dyndns.org
févr. 11 07:41:44 leo.lan realmd[12530]: * Sending netlogon pings to domain controller: cldap://192.168.12.69
févr. 11 07:41:44 leo.lan realmd[12530]: * Received NetLogon info from: nsdc-ns7dev2.stephdl.dyndns.org
févr. 11 07:41:44 leo.lan realmd[12530]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-K4eLn4/krb5.d/adcli-krb5-conf-tNgRqU
févr. 11 07:41:44 leo.lan realmd[12530]: * Authenticated as user: Administrator@STEPHDL.DYNDNS.ORG
févr. 11 07:41:44 leo.lan realmd[12530]: ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found
févr. 11 07:41:44 leo.lan realmd[12530]: adcli: couldn't connect to stephdl.dyndns.org domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
févr. 11 07:41:44 leo.lan realmd[12530]: ! Insufficient permissions to join the domain
the /var/cache/realmd/adcli-krb5-K4eLn4/krb5.d/adcli-krb5-conf-tNgRqU
[realms]
STEPHDL.DYNDNS.ORG = {
kdc = 192.168.12.69:88
master_kdc = 192.168.12.69:88
kpasswd_server = 192.168.12.69
}
[domain_realm]
nsdc-ns7dev2.stephdl.dyndns.org = STEPHDL.DYNDNS.ORG
192.168.12.69 = STEPHDL.DYNDNS.ORG
any hints are welcome @davidep @giacomo
Ctek
(Bogdan C)
February 11, 2017, 8:43am
2
Hi Steph,
Have you checked that the server is reachable from the client? Added into the hosts file, and that it can be resolved from nslookup?
Also that the first DNS is the Nethserver
2 Likes
stephdl
(Stéphane de Labrusse)
February 11, 2017, 8:52am
3
No chances
[root@leo lsd]# nslookup stephdl.dyndns.org
Server: 192.168.12.171 # NS7 IP
Address: 192.168.12.171#53
Non-authoritative answer:
Name: stephdl.dyndns.org
Address: 192.168.12.69 #IP CONTAINER
[root@leo lsd]# cat /etc/hosts |grep stephdl
192.168.12.69 stephdl.dyndns.org
logs
[root@leo lsd]# journalctl REALMD_OPERATION=r90504.16845
-- Logs begin at dim. 2017-01-29 19:41:40 CET, end at sam. 2017-02-11 09:49:36 CET. --
févr. 11 09:49:29 leo.lan realmd[16830]: * Resolving: _ldap._tcp.stephdl.dyndns.org
févr. 11 09:49:29 leo.lan realmd[16830]: * Performing LDAP DSE lookup on: 192.168.12.69
févr. 11 09:49:29 leo.lan realmd[16830]: * Successfully discovered: stephdl.dyndns.org
févr. 11 09:49:35 leo.lan realmd[16830]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
févr. 11 09:49:35 leo.lan realmd[16830]: * LANG=C /usr/sbin/adcli join --verbose --domain stephdl.dyndns.org --domain-realm STEPHDL.DYNDNS.ORG --domain-controller 192.168.12.69 --login-type user --login-user Ad
févr. 11 09:49:35 leo.lan realmd[16830]: * Using domain name: stephdl.dyndns.org
févr. 11 09:49:35 leo.lan realmd[16830]: * Calculated computer account name from fqdn: LEO
févr. 11 09:49:35 leo.lan realmd[16830]: * Using domain realm: stephdl.dyndns.org
févr. 11 09:49:35 leo.lan realmd[16830]: * Sending netlogon pings to domain controller: cldap://192.168.12.69
févr. 11 09:49:36 leo.lan realmd[16830]: * Received NetLogon info from: nsdc-ns7dev2.stephdl.dyndns.org
févr. 11 09:49:36 leo.lan realmd[16830]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-wprfzo/krb5.d/adcli-krb5-conf-c6GiWA
févr. 11 09:49:36 leo.lan realmd[16830]: ! Couldn't authenticate as: Administrator@STEPHDL.DYNDNS.ORG: Preauthentication failed
févr. 11 09:49:36 leo.lan realmd[16830]: adcli: couldn't connect to stephdl.dyndns.org domain: Couldn't authenticate as: Administrator@STEPHDL.DYNDNS.ORG: Preauthentication failed
févr. 11 09:49:36 leo.lan realmd[16830]: ! Failed to join the domain
Ctek
(Bogdan C)
February 11, 2017, 9:10am
4
try this:
kinit Administrator
net ads join -k
stephdl
(Stéphane de Labrusse)
February 11, 2017, 9:18am
5
I supposed that I have to do it on the server
[root@NS7DEV2 ~]# kinit Administrator
Password for Administrator@STEPHDL.DYNDNS.ORG:
[root@NS7DEV2 ~]# net ads join -k
Failed to join domain: failed to lookup DC info for domain 'STEPHDL.DYNDNS.ORG' over rpc: An internal error occurred.
stephdl
(Stéphane de Labrusse)
February 11, 2017, 9:21am
7
[root@leo lsd]# kinit Administrator
bash: kinit: commande inconnue...
Commande similaire : 'init'
Ctek
(Bogdan C)
February 11, 2017, 9:24am
8
or via samba : net ads join -U Administrator
stephdl
(Stéphane de Labrusse)
February 11, 2017, 9:25am
9
on the client
[root@leo lsd]# net ads join -U Administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
f…window environment
stephdl
(Stéphane de Labrusse)
February 11, 2017, 9:30am
10
Chewi
(James Le Cuirot)
February 11, 2017, 9:40am
11
Hmm I wish I could remember but it was nearly 2 months ago. On Monday, I should be able to check the command history of the system I tried it on. I don’t remember it being particularly difficult. Did you try this?
realm join --user=Administrator@stephdl.dyndns.org stephdl.dyndns.org
2 Likes
stephdl
(Stéphane de Labrusse)
February 11, 2017, 9:57am
12
[root@leo lsd]# realm join --user=Administrator@stephdl.dyndns.org stephdl.dyndns.org
Password for Administrator@stephdl.dyndns.org:
See: journalctl REALMD_OPERATION=r94425.19016
realm: Couldn't join realm: Failed to join the domain
[root@leo lsd]# journalctl REALMD_OPERATION=r94425.19016
-- Logs begin at dim. 2017-01-29 19:41:40 CET, end at sam. 2017-02-11 10:55:01 CET. --
févr. 11 10:54:51 leo.lan realmd[19020]: * Resolving: _ldap._tcp.stephdl.dyndns.org
févr. 11 10:54:51 leo.lan realmd[19020]: * Performing LDAP DSE lookup on: 192.168.12.56
févr. 11 10:54:51 leo.lan realmd[19020]: * Successfully discovered: stephdl.dyndns.org
févr. 11 10:55:00 leo.lan realmd[19020]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
févr. 11 10:55:00 leo.lan realmd[19020]: * LANG=C /usr/sbin/adcli join --verbose --domain stephdl.dyndns.org --domain-realm STEPHDL.DYNDNS.ORG --domain-controller 192.168.12.56 --login-type user --login-user Ad
févr. 11 10:55:00 leo.lan realmd[19020]: * Using domain name: stephdl.dyndns.org
févr. 11 10:55:00 leo.lan realmd[19020]: * Calculated computer account name from fqdn: LEO
févr. 11 10:55:00 leo.lan realmd[19020]: * Using domain realm: stephdl.dyndns.org
févr. 11 10:55:00 leo.lan realmd[19020]: * Sending netlogon pings to domain controller: cldap://192.168.12.56
févr. 11 10:55:00 leo.lan realmd[19020]: * Received NetLogon info from: nsdc-ns7dev.stephdl.dyndns.org
févr. 11 10:55:00 leo.lan realmd[19020]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-91A1Gm/krb5.d/adcli-krb5-conf-jgO5UN
févr. 11 10:55:01 leo.lan realmd[19020]: ! Couldn't get kerberos ticket for: Administrator@stephdl.dyndns.org: KDC reply did not match expectations
févr. 11 10:55:01 leo.lan realmd[19020]: adcli: couldn't connect to stephdl.dyndns.org domain: Couldn't get kerberos ticket for: Administrator@stephdl.dyndns.org: KDC reply did not match expectations
févr. 11 10:55:01 leo.lan realmd[19020]: ! Failed to join the domain
I probably missed something too easy. My laptop runs Fedora 25, I have just tried with another VM and Samba AD
stephdl
(Stéphane de Labrusse)
February 11, 2017, 10:07am
13
Got it, thanks for your help. I started to write some documentation some time ago, and the answer was http://wiki.nethserver.org/doku.php?id=howto:useful_commands#join_the_domain
[root@leo lsd]# realm join -U administrator stephdl.dyndns.org
Password for administrator:
[root@leo lsd]# realm list
stephdl.dyndns.org
type: kerberos
realm-name: STEPHDL.DYNDNS.ORG
domain-name: stephdl.dyndns.org
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@stephdl.dyndns.org
login-policy: allow-realm-logins
Please @everybody, write your knowledge to the wiki
3 Likes
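As an added example (not written by any poster in this thread and not part of realmd): the three distinct adcli errors that appear in the logs above, mapped by a small shell function to the thing to check next. The cause labels and hints are assumptions of this example, based on the usual meaning of each Kerberos error, and the sample lines are copied from the logs in this thread with timestamps dropped.

```shell
#!/bin/sh
# Added example: classify realmd/adcli journal lines by the check to run next.
# Cause labels and hint wording are this example's own, not realmd output.

classify_realmd_line() {
    case "$1" in
        *"Preauthentication failed"*)             echo "bad-credentials" ;;
        *"KDC reply did not match expectations"*) echo "realm-mismatch" ;;
        *"Server not found"*)                     echo "spn-or-dns" ;;
        *)                                        echo "info" ;;
    esac
}

hint_for() {
    case "$1" in
        bad-credentials) echo "KDC rejected the password: verify the account name and its password" ;;
        realm-mismatch)  echo "realm in the principal differs from the KDC's: use a bare user name or the upper-case realm" ;;
        spn-or-dns)      echo "KDC has no entry for the requested service name: check forward and reverse DNS of the domain controller" ;;
    esac
}

# Read journal text on stdin; print each distinct cause once with its hint.
triage() {
    while IFS= read -r line; do
        cause=$(classify_realmd_line "$line")
        [ "$cause" = "info" ] || echo "$cause"
    done | sort -u | while IFS= read -r cause; do
        printf '%s: %s\n' "$cause" "$(hint_for "$cause")"
    done
}

# Sample input: error lines copied from the logs in this thread (timestamps dropped).
sample_log() {
    cat <<'EOF'
realmd[12370]: * Successfully discovered: stephdl.dyndns.org
realmd[12370]: ! Couldn't authenticate as: Administrator@STEPHDL.DYNDNS.ORG: Preauthentication failed
realmd[12370]: ! Failed to join the domain
realmd[12530]: ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found
realmd[19020]: ! Couldn't get kerberos ticket for: Administrator@stephdl.dyndns.org: KDC reply did not match expectations
EOF
}

sample_log | triage
```

To use it on a real attempt, pipe the journal for that operation into the function, for example `journalctl REALMD_OPERATION=... | triage` with the operation id that realm printed.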
giacomo
(Giacomo Sanchietti)
February 11, 2017, 5:37pm
14
Thank you for sharing the knowledge, it will be easier for me when I try the procedure
1 Like
Many thanks, it was useful to me.
Regards.
3 Likes