I used the adcli tool to add the RHEL 6 host to AD, but it failed with the "! Couldn't set service
principals on computer account" error. Below are the logs.
[root@ADTESTRH6 ~]# adcli join -v -S server.test.com -U user
* Sending netlogon pings to domain controller: cldap://10.10.10.10
* Received NetLogon info from: server.test.com
* Discovered domain name: wipro.com
* Calculated computer account name from fqdn: ADTESTRH6
* Calculated domain realm from name: TEST.COM
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-EkYR7x/krb5.d/adcli-krb5-conf-ihgEaF
Password for user@TEST.COM:
* Authenticated as user: user@TEST.COM
* Looked up short domain name: TEST
* Using fully qualified name: ADTESTRH6
* Using domain name: test.com
* Using computer account name: ADTESTRH6
* Using domain realm: test.com
* Calculated computer account name from fqdn: ADTESTRH6
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Computer account for ADTESTRH6$ does not exist
* Found well known computer container at: OU=Test Computers,DC=test,DC=com
* Calculated computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
* Created computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
* Set computer password
* Retrieved kvno '2' for computer account in directory: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
* Modifying computer account: dNSHostName
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
* Modifying computer account: userPrincipalName
! Couldn't set service principals on computer account CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com: 00002083: AtrErr: DSID-03151785, #1:
0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Discovered which keytab salt to use
* Added the entries to the keytab: ADTESTRH6$@TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
So I specified the SPN in the command itself:
# adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com --user-principal=host/adtestrh6.test.com@TEST.COM -U user
and the server joined the domain, as per the log below.
[root@ADTESTRH6 ~]# adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com -U user
* Using fully qualified name: adtestrh6.test.com
* Sending netlogon pings to domain controller: cldap://10.10.10.10
* Received NetLogon info from: server.test.com
* Discovered domain name: TEST.com
* Calculated computer account name from fqdn: ADTESTRH6
* Calculated domain realm from name: TEST.COM
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-Zu1kcU/krb5.d/adcli-krb5-conf-fJ0qtq
Password for user@TEST.COM:
* Authenticated as user: user@TEST.COM
* Looked up short domain name: TEST
* Using fully qualified name: adtestrh6.TEST.com
* Using domain name: test.com
* Using computer account name: ADTESTRH6
* Using domain realm: test.com
* Calculated computer account name from fqdn: ADTESTRH6
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for ADTESTRH6$ at: CN=ADTESTRH6,OU=TEST Computers,DC=test,DC=com
* Set computer password
* Retrieved kvno '3' for computer account in directory: CN=ADTESTRH6,OU=TEST Computers,DC=test,DC=com
* Modifying computer account: dNSHostName
* Modifying computer account: userAccountControl
* Modifying computer account: operatingSystemVersion, operatingSystemServicePack
* Modifying computer account: userPrincipalName
* Discovered which keytab salt to use
* Added the entries to the keytab: ADTESTRH6$@TEST.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
* Cleared old entries from keytab: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/adtestrh6.TEST.com@TEST.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/adtestrh6.wipro.com@TEST.COM: FILE:/etc/krb5.keytab
But I am still not able to log in as the user. I restarted sssd etc.
PAM files
[root@ADTESTRH6 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@ADTESTRH6 pam.d]# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@ADTESTRH6 pam.d]#
Strangely, there are no sss logs that are useful.
Regards
Pavan
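As an added example, not part of Pavan's post or of adcli itself: a small parser for `adcli join -v` output that extracts the failing step, the AD error code and the attribute it was rejected on, plus the principals adcli wrote to the keytab, and from those builds the LDAP filter an admin would pass to ldapsearch to find which directory object already holds the conflicting SPNs. The sample log lines are constructed from the failing run above; the 0x2083 name is the Win32 error code AD embeds in its LDAP diagnostic.

```python
import re

# Constructed sample: the relevant lines from the failing `adcli join -v` run above.
ADCLI_LOG = """\
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com: 00002083: AtrErr: DSID-03151785, #1:
0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
 * Added the entries to the keytab: ADTESTRH6$@TEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ADTESTRH6@TEST.COM: FILE:/etc/krb5.keytab
"""

# AD prefixes its LDAP diagnostic with a Win32 error code; 0x2083 is ERROR_DS_ATTRIBUTE_OR_VALUE_EXISTS.
WIN32_DS_ERRORS = {"00002083": "ERROR_DS_ATTRIBUTE_OR_VALUE_EXISTS"}

ERROR_RE = re.compile(r"^\s*! (?P<msg>.*?) (?P<dn>CN=[^:]*?): (?P<code>[0-9A-Fa-f]{8}):")
PROBLEM_RE = re.compile(r"problem (?P<num>\d+) \((?P<name>[A-Z_]+)\).*\((?P<attr>\w+)\)")
KEYTAB_RE = re.compile(r"Added the entries to the keytab: (?P<princ>\S+): FILE:")


def parse_adcli_log(text):
    """Return the first '!' failure (if any) and every principal adcli wrote to the keytab."""
    result = {"error": None, "principals": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ERROR_RE.match(line)
        if m and result["error"] is None:
            code = m.group("code").lower()
            err = {"dn": m.group("dn"), "code": code, "name": WIN32_DS_ERRORS.get(code),
                   "problem": None, "attribute": None}
            # The LDAP-level detail ("problem 1006 (...), Att ... (attr)") is on the next line.
            p = PROBLEM_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
            if p:
                err["problem"], err["attribute"] = p.group("name"), p.group("attr")
            result["error"] = err
        k = KEYTAB_RE.search(line)
        if k:
            result["principals"].append(k.group("princ"))
    return result


def spn_conflict_filter(result):
    """LDAP filter matching any object that owns one of the SPNs adcli tried to set.

    The machine account principal (NAME$@REALM) is not an SPN and is skipped; the realm is
    dropped because servicePrincipalName values are stored without it. Returns None when the
    failure was not an SPN conflict or no SPNs were written.
    """
    err = result["error"]
    if not err or err["attribute"] != "servicePrincipalName" or err["problem"] != "ATT_OR_VALUE_EXISTS":
        return None
    spns = sorted({p.split("@", 1)[0] for p in result["principals"] if "/" in p})
    return "(|" + "".join(f"(servicePrincipalName={s})" for s in spns) + ")" if spns else None
```

Run the resulting filter with ldapsearch against a DC and exclude the host's own DN from the hits; any other object returned is the one holding the duplicate SPN that made the join fail.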