Error when joining kubuntu 20.04 to AD

Hello - first time poster here!

I have a NS7 server (7.7.1908). I was able to successfully join a Windows 10 box, but when I try and join a Kubuntu 20.04 laptop running Ubuntu Studio it throws me an error. Here’s the verbose output, any thoughts?


realm join --verbose (domain)

  • Resolving: _ldap._tcp.(domain)
  • Performing LDAP DSE lookup on: (ip)
  • Successfully discovered: (domain)
    Password for Administrator:
  • Unconditionally checking packages
  • Resolving required packages
  • LANG=C /usr/sbin/adcli join --verbose --domain (domain) --domain-realm (domain) --domain-controller (ip) --login-type user --login-user Administrator --stdin-password
  • Using domain name: (domain)
  • Calculated computer account name from fqdn: (laptop)
  • Using domain realm: (domain)
  • Sending NetLogon ping to domain controller: (ip)
  • Received NetLogon info from: nsdc-vmneth.(domain)
  • Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-5sJGAL/krb5.d/adcli-krb5-conf-peKWpN
  • Authenticated as user: Administrator@(domain)
    ! Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    adcli: couldn’t connect to (domain) domain: Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    ! Insufficient permissions to join the domain
    realm: Couldn’t join realm: Insufficient permissions to join the domain

@sngreco

Hello Jerimiah and welcome to the NethServer forum!

A few points to check:

  • If possible, deactivate IPv6 on Kubuntu. NethServer 7x still uses IPv4 and not IPv6.
  • Is your Administrator user in the Domain Admins group? Mine isn’t! I use admin for that…
  • Putting in the IP of your AD under the WINS section of Kubuntu can help too. (Also add WINS to your DHCP server scope…)

-> I think it’s a permission issue with your administrator user. Try admin.

My 2 cents
Andy

Andy,

Thank you for taking the time to help me out!

I believe I deactivated IPv6, but I’m not sure how to verify. I set the following in /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I verified that administrator is a domain admin account, and prior to this had also tried using a different domain admin which I used for joining my Win10 box. Neither seem to work. I even changed the password to ‘password’ to make sure I wasn’t flubbing that somehow.

In regards to the WINS server suggestion, would I set that to the main IP, or the one associated with AD? From your suggestion, I believe you were saying option 2 (the IP they made me create while initializing AD). I set that in the NS7 DHCP scope, but I’m not sure how to validate that it applied to Kubuntu, nor could I find anywhere to set it locally. Any help here would be greatly appreciated!

After making the changes and double checks above, I’m still unable to join, and I’m receiving the same errors.

On a side topic, do you know if there’s any way to manage DNS via the RSAT DNS tool on Windows? Active Directory seems to work fine, but for some reason the DNS mmc can’t connect to the server.

Thanks again!

Jeremiah

@sngreco

Hi Jeremiah

A simple ifconfig ought to show if IPv4 and/or IPv6 are active. Do that on the machine in question.

WINS = use the IP of the AD.

You can set your Kubuntu to static IP (use the same IP as it’s been using from DHCP, that way you won’t get IP conflicts…) with the correct Subnet mask & gateway. As DNS enter in the IP of NethServer and as WINS enter the IP of the AD.

The AD Domain Name does not contain any special characters?

Make sure you enter in the user in small caps (admin, not Admin!).
Windows doesn’t care here, but Linux does!

I don’t think RSAT DNS will work, but to be honest I don’t really know.
Since using NethServer, I use NethServer as DHCP and DNS, and it’s never given me issues, but most of my clients use Windows, not Linux Desktops.

And my Linux Desktop works… 🙂

Andy

Hi Andy

I installed ifconfig, and saw that indeed IPv6 was still on for some reason. I set the adapter to manual IPv4 and ignore IPv6. After that, IPv6 no longer showed in ifconfig. I’m still not sure where to set WINS at, perhaps you could help me locate that setting?

Jeremiah

Hi

In Linux, as in Windows, it may be under the advanced options…
It could also be that linux does not have a field for WINS, in that case enter that AD-IP as second DNS…

Andy

I tried some different capitalization and domain combinations with the other account that I used to join the Windows 10 box, and I received different errors. I tried the following 3:

name@DOMAIN.COM
name@domain.com
name

Here are the different errors I received:

name@DOMAIN.COM

  • Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-ZqvLtZ/krb5.d/adcli-krb5-conf-a7sKNY
    ! Couldn’t authenticate as: name@DOMAIN.COM: Preauthentication failed
    adcli: couldn’t connect to domain.com domain: Couldn’t authenticate as: name@DOMAIN.COM: Preauthentication failed
    ! Failed to join the domain
    realm: Couldn’t join realm: Failed to join the domain

name@domain.com

  • Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-YnftAM/krb5.d/adcli-krb5-conf-KBUBpL
    ! Couldn’t get kerberos ticket for: name@domain.com: KDC reply did not match expectations
    adcli: couldn’t connect to domain.com domain: Couldn’t get kerberos ticket for: name@domain.com: KDC reply did not match expectations
    ! Failed to join the domain
    realm: Couldn’t join realm: Failed to join the domain

name

  • Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-PnPc1X/krb5.d/adcli-krb5-conf-hcWKfY
  • Authenticated as user: name@DOMAIN.COM
    ! Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    adcli: couldn’t connect to domain.com domain: Couldn’t authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
    ! Insufficient permissions to join the domain
    realm: Couldn’t join realm: Insufficient permissions to join the domain
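The three outcomes above correspond to different stages of the Kerberos exchange: a wrong credential (Preauthentication failed), a client principal whose realm is spelled in lower case (KDC reply did not match expectations), and an LDAP service principal the KDC does not have (Server not found in Kerberos database). The following is an added example, not code from this thread or from realmd/adcli, that models how the client builds those principals; the realm, DNS answers, host names and the set of SPNs registered on the DC are constructed sample data, and the rdns switch mirrors the krb5.conf [libdefaults] rdns option.

```python
"""Model of the Kerberos steps behind the errors quoted above. Added example,
not code from the thread, realmd or adcli: the DNS answers, host names and the
DC's registered service principals (SPNs) below are constructed sample data."""
import ipaddress

REALM = "DOMAIN.COM"   # Kerberos realm names are case sensitive and conventionally upper case
# Constructed DNS view: the DC runs in an nsdc-* container with its own address,
# while the PTR record for that address still names the NethServer host.
FORWARD = {"nsdc-vmneth.domain.com": "192.0.2.10", "vmneth.domain.com": "192.0.2.1"}
REVERSE = {"192.0.2.10": "vmneth.domain.com", "192.0.2.1": "vmneth.domain.com"}
DC_SPNS = {"ldap/nsdc-vmneth.domain.com@DOMAIN.COM", "host/nsdc-vmneth.domain.com@DOMAIN.COM"}

def normalize_user(principal: str, realm: str = REALM) -> tuple:
    """Return (principal, note): what the client sends and what the KDC will make of it."""
    if "@" not in principal:
        return f"{principal}@{realm}", "ok: default realm appended"
    user, given = principal.rsplit("@", 1)
    if given == realm:
        return principal, "ok"
    if given.upper() == realm:   # realm typed in lower case
        return f"{user}@{realm}", "realm case mismatch: expect 'KDC reply did not match expectations'"
    return principal, f"realm {given!r} unknown to this KDC"

def service_principal(target: str, realm: str = REALM, rdns: bool = True) -> str:
    """LDAP SPN the GSSAPI client asks a ticket for; rdns mirrors krb5.conf [libdefaults] rdns."""
    addr = target
    try:
        ipaddress.ip_address(target)      # numeric target, as with --domain-controller <ip>
    except ValueError:
        addr = FORWARD.get(target)        # a name is forward-resolved first
    host = REVERSE.get(addr, target) if (rdns and addr) else target
    return f"ldap/{host}@{realm}"

def diagnose_join(user: str, dc_target: str, rdns: bool = True) -> str:
    """Walk the user-then-service steps and report the first point that cannot succeed."""
    upn, note = normalize_user(user)
    if not note.startswith("ok"):
        return note
    spn = service_principal(dc_target, rdns=rdns)
    if spn not in DC_SPNS:
        return f"{spn} not registered on the DC: expect 'Server not found in Kerberos database'"
    return f"{upn} -> {spn}: Kerberos path looks consistent"

if __name__ == "__main__":
    for user, dc in (("name@domain.com", "192.0.2.10"), ("name", "192.0.2.10"),
                     ("name", "nsdc-vmneth.domain.com")):
        print(f"{user:>16} -> {dc}: {diagnose_join(user, dc)}")
    print("with rdns=false:", diagnose_join("name", "nsdc-vmneth.domain.com", rdns=False))
```

Connecting by IP or through a PTR record that names the host rather than the nsdc container produces an SPN the DC never registered, which is why checking forward and reverse DNS for the DC address is the first thing to verify when this message appears.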

Hi

The last try looks best, even for Windows, you should use just the short user name (admin is standard on NethServer, not administrator).

The last line implies that you do not have enough permissions, in other words, you’re not using the domain admin user “admin”…
You need to use this user to join the AD, not the user you may be using on kubuntu…

My 2 cents
Andy

Andy,

I did another test. I created a brand new user “test” with password “testtest”. I tried logging in without the domain at the end and got the “Authenticated as user: test@DOMAIN.COM”, but still the same Couldn’t connect to active directory: SASL etc. The account is added to domain admins, any other thoughts? BTW I also added the AD IP address to DNS, and the advanced config doesn’t contain WINS. I’m not sure that it’s an option at all in Kubuntu.

Jeremiah

Here is what I see when I hit advanced

Here’s an example (providing that an administrator/admin account is enabled and with password set):

Are there any other DNS records I should have in here?

dnutan,

I tried the same command listed in his post, and got the same error. That led me to checking the LDAP config on the NethServer. Does this look right to you? Should it have the ldapuri and host set to loopback?

{
   "BindDN" : "",
   "LdapURI" : "ldap://127.0.0.1",
   "DiscoverDcType" : "dns",
   "StartTls" : "",
   "port" : 389,
   "host" : "127.0.0.1",
   "isAD" : "",
   "isLdap" : "",
   "UserDN" : "dc=domain,dc=com",
   "GroupDN" : "dc=domain,dc=com",
   "BindPassword" : "",
   "BaseDN" : "dc=domain,dc=com",
   "LdapUriDn" : "ldap:///dc%3Ddomain%2Cdc%3Dcom"
}

The example output on the wiki shows an FQDN
https://wiki.nethserver.org/doku.php?id=howto:useful_commands#samba_member_server_troubleshooting

No, you shouldn’t set anything to loopback. NethServer AD runs in a container with a separate IP, so loopback can’t be correct.

This is my working config

{
   "BindDN" : "ldapservice@ad.domain.tld",
   "LdapURI" : "ldaps://nsdc-server.ad.domain.tld",
   "DiscoverDcType" : "ldapuri",
   "StartTls" : "",
   "port" : 636,
   "host" : "nsdc-server.ad.domain.tld",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "dc=ad,dc=domain,dc=tld",
   "GroupDN" : "dc=ad,dc=domain,dc=tld",
   "BindPassword" : "...",
   "BaseDN" : "dc=ad,dc=domain,dc=tld",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Ddomain%2Cdc%3Dlocal"
}

Here are other howtos about joining ubuntu, maybe they help:
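The two account-provider configs quoted above differ in exactly the fields that decide whether a join can work (provider type flag, host/URI, port, base DNs). As an added example that is not NethServer code, the checker below encodes the consistency rules a practitioner would apply to such a config: no loopback for an AD provider, LdapURI host and port matching host and scheme, bind credentials not sent over plain ldap:// without StartTLS, and LdapUriDn/UserDN/GroupDN agreeing with BaseDN. It assumes isLdap uses "1" the way isAD does on the page; the embedded sample config is constructed.

```python
"""Consistency checks for a NethServer account-provider config like the two
quoted above. Added example, not NethServer code: the checks encode the thread's
observation (loopback vs nsdc FQDN, isAD flag) plus URI/port/DN consistency.
Assumed: isLdap uses "1" like isAD; the sample config is constructed."""
import json
from urllib.parse import unquote, urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def check_provider(cfg: dict) -> list:
    """Return human-readable findings; an empty list means no inconsistency seen."""
    problems = []
    uri = urlsplit(cfg.get("LdapURI", ""))
    host, port, tls = cfg.get("host", ""), cfg.get("port"), cfg.get("StartTls") == "1"
    is_ad = cfg.get("isAD") == "1"
    if not is_ad and cfg.get("isLdap") != "1":
        problems.append("neither isAD nor isLdap is set: provider type unknown")
    if host in LOOPBACK or uri.hostname in LOOPBACK:
        problems.append("loopback address: only plausible for a local OpenLDAP, never for the nsdc AD container")
    if uri.hostname and uri.hostname != host:
        problems.append(f"LdapURI host {uri.hostname!r} differs from host {host!r}")
    expected = {"ldaps": 636, "ldap": 389}.get(uri.scheme)
    if expected is None:
        problems.append(f"unexpected LdapURI scheme {uri.scheme!r}")
    elif port != expected:
        problems.append(f"{uri.scheme} normally uses port {expected}, got {port}")
    if cfg.get("BindDN") and uri.scheme == "ldap" and not tls:
        problems.append("BindDN with plain ldap:// and no StartTLS: bind password crosses the wire in clear")
    if cfg.get("BindDN") and not cfg.get("BindPassword"):
        problems.append("BindDN set but BindPassword empty")
    base = cfg.get("BaseDN", "").lower()
    uri_dn = unquote(urlsplit(cfg.get("LdapUriDn", "")).path).lstrip("/").lower()
    if uri_dn and uri_dn != base:
        problems.append(f"LdapUriDn base {uri_dn!r} differs from BaseDN {base!r}")
    for key in ("UserDN", "GroupDN"):
        if cfg.get(key) and not cfg[key].lower().endswith(base):
            problems.append(f"{key} lies outside BaseDN")
    return problems

# Constructed sample resembling the first quoted config (AD flags unset, loopback host).
SAMPLE = json.loads("""{"BindDN": "", "LdapURI": "ldap://127.0.0.1", "DiscoverDcType": "dns",
 "StartTls": "", "port": 389, "host": "127.0.0.1", "isAD": "", "isLdap": "",
 "UserDN": "dc=domain,dc=com", "GroupDN": "dc=domain,dc=com", "BindPassword": "",
 "BaseDN": "dc=domain,dc=com", "LdapUriDn": "ldap:///dc%3Ddomain%2Cdc%3Dcom"}""")

if __name__ == "__main__":
    for finding in check_provider(SAMPLE) or ["no inconsistencies found"]:
        print("-", finding)
```

Run against a config in the shape of the second one, the only finding it can raise is a BaseDN suffix that does not match the decoded LdapUriDn.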

mrmarkuz,

Where is the ldap configuration / account-provider-test set? I don’t remember ever setting anything to loopback / 127.0.0.1. I went through the entire web configuration and don’t see that set anywhere.

You can change it in server manager but your settings seem completely mixed. 127.0.0.1 is usually used with OpenLDAP. For AD a FQDN like nsdc-... is used.

Me either. I will post an updated tutorial, with detail, based on this tutorial. I was able to join on 18.04; only the pam_mount.conf.xml is not working for instance, and I would like it to… But maybe with autofs I would be able to make a sort of roaming profiles…

You can install with zfs or skip that part (without zfs)