On Wed, Feb 08, 2017 at 10:17:41PM -0000, sonia.gilbert(a)hawaiianair.com wrote:
> Update: Made some progress. I reinstalled all the sssd and realm
> packages, created a realmd.conf file and configured krb5.conf. It now creates the
> computer account but then cannot set the password for the computer account. Error:
> Cannot contact any KDC for requested realm.
>
> kinit domainadmin
> [root@server01 etc]# realm join -v abc.com
> * Resolving: _ldap._tcp.abc.com
> * Performing LDAP DSE lookup on: x.x.161.252
> * Performing LDAP DSE lookup on: x.x.161.251
> * Successfully discovered: abc.com
> * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
> * LANG=C /usr/sbin/adcli join --verbose --domain abc.com --domain-realm abc.com --domain-controller x.x.161.252 --computer-ou OU=Linux Servers,OU=Servers,DC=abc,DC=com --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-1RWWUY
> * Using domain name: abc.com
> * Calculated computer account name from fqdn: server01
> * Using domain realm: abc.com
> * Sending netlogon pings to domain controller: cldap://x.x.161.252
> * Received NetLogon info from: dc02.abc.com
> * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-YXbCzH/krb5.d/adcli-krb5-conf-sHH9Wy
> * Looked up short domain name: abcAir
> * Using fully qualified name: server01
> * Using domain name: abc.com
> * Using computer account name: server01
> * Using domain realm: abc.com
> * Calculated computer account name from fqdn: server01
> * Generated 120 character computer password
> * Using keytab: FILE:/etc/krb5.keytab
> * Using fully qualified name: server01
> * Using domain name: abc.com
> * Using computer account name: server01
> * Using domain realm: abc.com
> * Looked up short domain name: Abc
> * Computer account for server01$ does not exist
> ! Couldn't find a computer container in the ou, creating computer account directly in: OU=Linux Servers,OU=Servers,DC=abc,DC=com
> * Calculated computer account: CN=server01,OU=Linux Servers,OU=Servers,DC=abc,DC=com
> * Created computer account: CN=server01,OU=Linux Servers,OU=Servers,DC=abc,DC=com
> ! Couldn't set password for computer account: server01$: Cannot contact any KDC for requested realm
Is SSSD still running or are there still /var/lib/sss/pubconf/kdcinfo.*
files? If yes, please stop SSSD and/or remove the
/var/lib/sss/pubconf/kdcinfo.* files since they might contain old data
which might confuse adcli.
If this does not help you might want to add a file like
/etc/systemd/system/realmd.service.d/krb5_trace.conf:
[Service]
Environment=KRB5_TRACE=/dev/stdout
which should add some extra libkrb5 debug output to the logs.
HTH
bye,
Sumit
> adcli: joining domain abc.com failed: Couldn't set password for computer account: server01$: Cannot contact any KDC for requested realm
> ! Failed to join the domain
> realm: Couldn't join realm: Failed to join the domain
>
> realmd.conf
> [root@server01 sssd]# more /etc/realmd.conf
> [service]
> automatic-install = no
>
> [users]
> default-home = /home/%D/%U
> default-shell = /bin/bash
>
> [a.hawaiian.aero]
> computer-ou = OU=Linux Servers,OU=Servers,DC=abc,DC=com
> automatic-id-mapping = yes
> fully-qualified-names = no
>
>
> [root@PHXRASPCI01 log]# more /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> # forwardable = true
> rdns = false
> default_realm = ABC.COM
> # default_ccache_name = KEYRING:persistent:%{uid}
> # kdc_timesync = 1
>
> [realms]
> ABC.COM = {
> kdc = dc01.abc.com
> kdc = dc02.abc.com
> admin_server = dc01.abc.com
> # default_domain = ABC.COM
> }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
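The two checks Sumit proposes above (look for, and clear, stale SSSD kdcinfo files; turn on KRB5_TRACE for realmd via a systemd drop-in), written out as a small POSIX shell helper. This is an added example, not code from the thread or from the SSSD project. It assumes the default paths named in the mail (/var/lib/sss/pubconf and /etc/systemd/system/realmd.service.d), and that kdcinfo files are named kdcinfo.<REALM> and carry one KDC address per line, which is the data the sssd_krb5_locator_plugin hands to libkrb5 and therefore the data that can send adcli to a dead KDC. The demo at the bottom runs against a scratch directory with a constructed kdcinfo file (the 10.0.0.x addresses are made up), so nothing on the live system is touched until the functions are called without arguments.

```shell
#!/bin/sh
# Added example, not from the thread: helper for the "Cannot contact any KDC
# for requested realm" failure during adcli join. Assumed paths and file layout
# are noted in each function; none of this is SSSD or realmd project code.

# Report cached KDC addresses. Prints "REALM ADDRESS" per entry.
# Exit status 0 = no kdcinfo files present, 1 = cached (possibly stale) entries.
find_stale_kdcinfo() {
    pubconf=${1:-/var/lib/sss/pubconf}      # assumed SSSD default
    found=0
    for f in "$pubconf"/kdcinfo.*; do
        [ -e "$f" ] || continue             # no match: glob stays literal, skip
        found=1
        realm=${f##*/kdcinfo.}              # kdcinfo.ABC.COM -> ABC.COM
        while IFS= read -r addr || [ -n "$addr" ]; do
            [ -n "$addr" ] && printf '%s %s\n' "$realm" "$addr"
        done < "$f"
    done
    return $found
}

# Remove the cached files. Refuses while sssd is active, because a running
# sssd would simply rewrite them on its next KDC lookup.
clear_kdcinfo() {
    pubconf=${1:-/var/lib/sss/pubconf}
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet sssd 2>/dev/null; then
        echo "sssd is running; stop it first: systemctl stop sssd" >&2
        return 2
    fi
    rm -f "$pubconf"/kdcinfo.*
}

# Write the drop-in from the mail so realmd, and the adcli it spawns, send
# libkrb5 trace output to stdout (the journal). Prints the file path.
write_krb5_trace_dropin() {
    dir=${1:-/etc/systemd/system/realmd.service.d}   # assumed drop-in dir
    mkdir -p "$dir"
    cat > "$dir/krb5_trace.conf" <<'EOF'
[Service]
Environment=KRB5_TRACE=/dev/stdout
EOF
    printf '%s\n' "$dir/krb5_trace.conf"
}

# Offline demo against a scratch directory with a constructed kdcinfo file.
# Call the functions without arguments to act on the live default paths.
demo() {
    d=$(mktemp -d)
    printf '10.0.0.5\n10.0.0.6\n' > "$d/kdcinfo.ABC.COM"   # made-up addresses
    if find_stale_kdcinfo "$d"; then
        echo "no cached KDC info"
    else
        echo "cached kdcinfo present, clearing"
        clear_kdcinfo "$d"
    fi
    write_krb5_trace_dropin "$d/realmd.service.d"
    rm -rf "$d"
}
demo
```

After writing the drop-in on a real host, run `systemctl daemon-reload`, repeat `realm join -v`, and read the libkrb5 trace with `journalctl -u realmd`; the trace shows which KDC addresses libkrb5 actually tried, which is what distinguishes a stale locator answer from a genuine network or DNS problem.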