Trouble Joining an Active Directory Domain
Solution 1
The problem seems to have been that my admin had created an entry on the Domain Controller for this server. This apparently caused a conflict that led Kerberos to report the following error when trying to join:
kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.
I'm not sure that this error was entirely accurate since my admin said the server was joined to the domain on his end and realmd
indicated that I was joined as well:
kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain
The steps I followed to get a successful Kerberos join were as follows:
- Admin removed the entry in the Domain Controller
- Reran Kerberos configuration using:
  sudo dpkg-reconfigure krb5-config
- Chose the options in the configuration to add the Domain Controller explicitly to the [realms] section of krb5.conf
- Changed the hostname to ensure a new record was created
- Pulled a new ticket using kinit
- Joined the domain using:
  sudo net ads join -k
Final result:
kyle@SERV21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERV21' to dns domain 'CompanyName.Local'
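As an added example that is not part of the original answer, the POSIX shell script below automates the checks behind the steps above and the diagnostics in the question: it generates a krb5.conf that names the domain controller explicitly in [realms] (what the dpkg-reconfigure krb5-config prompts write), verifies that /etc/hosts lists the FQDN before the short name on the host's real address, parses the SRV answer for _ldap._tcp to find the DC, and checks for the keytab whose absence SSSD complained about. The function names are hypothetical, and the realm and DC names in the comments are placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-join checks for an Ubuntu host
# joining an AD realm with realmd/sssd and 'net ads join -k'. Function names are
# hypothetical; realm and DC names in comments are placeholders.

# Emit a krb5.conf that names the domain controller explicitly in [realms],
# which is what the 'dpkg-reconfigure krb5-config' prompts for the realm's
# Kerberos and administrative servers write out.
# Usage: gen_krb5_conf COMPANYNAME.LOCAL dc1.companyname.local > /etc/krb5.conf
gen_krb5_conf() {
    realm=$1
    dc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Return 0 if HOSTS_FILE has a non-loopback line of the form
# "<address> <fqdn> <short>" (FQDN first, as in the edited /etc/hosts in the
# question), so 'hostname -f' and lookups of the host's own address agree.
# Usage: check_hosts_fqdn /etc/hosts server21 server21.companyname.local
check_hosts_fqdn() {
    file=$1
    short=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    fqdn=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    sed 's/#.*//' "$file" | tr 'A-Z' 'a-z' | awk -v f="$fqdn" -v s="$short" '
        $1 !~ /^127\./ && $2 == f && $3 == s { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read the output of 'nslookup -type=SRV _ldap._tcp.DOMAIN' on stdin and print
# "target port" per record, lowest priority first, then highest weight first.
parse_srv_targets() {
    awk '/service = / { sub(/\.$/, "", $NF); print $(NF-3), $(NF-2), $(NF-1), $NF }' |
        sort -k1,1n -k2,2nr | awk '{ print $4, $3 }'
}

# SSSD's "Failed to read keytab [default]" means the default keytab is absent;
# 'net ads join' with 'kerberos method = secrets and keytab' creates it.
# Returns 0 if the keytab exists, is non-empty and is readable.
check_keytab() {
    kt=${1:-/etc/krb5.keytab}
    [ -s "$kt" ] && [ -r "$kt" ]
}

# Live preflight, intended to be run as root before 'net ads join -k'.
# Not executed automatically; call it explicitly: run_preflight COMPANYNAME.LOCAL
run_preflight() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    short=$(hostname -s)
    fqdn=$(hostname -f)
    echo "host: $short ($fqdn)"
    if check_hosts_fqdn /etc/hosts "$short" "$fqdn"; then
        echo "hosts: ok"
    else
        echo "hosts: no non-loopback line lists $fqdn before $short"
    fi
    echo "SRV targets for _ldap._tcp.$domain:"
    nslookup -type=SRV "_ldap._tcp.$domain" | parse_srv_targets
    if check_keytab; then
        echo "keytab: present"
    else
        echo "keytab: missing (expected only after a successful join)"
    fi
}
```

Source the file and call run_preflight COMPANYNAME.LOCAL as root before running net ads join -k; the live SRV lookup needs the domain controller's resolver in /etc/resolv.conf, as the question notes. Kerberos also rejects tickets when the client clock is more than five minutes off the KDC by default, so confirm time synchronisation with the DC separately; the script does not check it.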
Solution 2
Try this on Server21:
realm leave -v -U [your admin username] COMPANYNAME.LOCAL
then
realm join -v -U [your admin username] COMPANYNAME.LOCAL
embedded.kyle
Updated on September 18, 2022
Comments
- embedded.kyle over 1 year
I'm trying to join an Ubuntu 14.04 server to a Windows 2003 R2 domain. My admin says that from the controller side, it is part of the domain. But SSSD can't seem to start and DNS update fails.
I've been following a variety of guides to try and get this working but have been unsuccessful in completing any one of them without errors.
Ubuntu Server Guide
KiloRoot
NetNerds
Fedora SSSD Guide
Discovery seems to be working just fine:
kyle@Server21:~$ realm discover COMPANYNAME.LOCAL
CompanyName.Local
  type: kerberos
  realm-name: COMPANYNAME.LOCAL
  domain-name: companyname.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
companyname.local
  type: kerberos
  realm-name: COMPANYNAME.LOCAL
  domain-name: companyname.local
  configured: no
realmd says that I'm joined to the domain as well:
kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain
Kerberos took my admin's authentication:
kyle@Server21:~$ kinit -V administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator@COMPANYNAME.LOCAL
Password for administrator@COMPANYNAME.LOCAL:
Authenticated to Kerberos v5
But when it comes time to join, the DNS Update fails:
kyle@Server21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERVER21' to dns domain 'CompanyName.Local'
No DNS domain configured for server21. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
And SSSD is still having an issue starting:
kyle@Server21:~$ systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2016-06-22 09:57:57 EDT; 37min ago
  Process: 16027 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=1/FAILURE)

Jun 22 09:57:55 Server21 sssd[16038]: Starting up
Jun 22 09:57:55 Server21 sssd[16041]: Starting up
Jun 22 09:57:55 Server21 sssd[16042]: Starting up
Jun 22 09:57:56 Server21 sssd[be[16043]: Starting up
Jun 22 09:57:57 Server21 sssd[be[16043]: Failed to read keytab [default]: No such file or directory
Jun 22 09:57:57 Server21 sssd[16031]: Exiting the SSSD. Could not restart critical service [COMPANYNAME.LOCAL].
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Control process exited, code=exited status=1
Jun 22 09:57:57 Server21 systemd[1]: Failed to start System Security Services Daemon.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Unit entered failed state.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Failed with result 'exit-code'.
The only part of krb5.conf that is specific to me is the [libdefaults]:
kyle@Server21:~$ cat /etc/krb5.conf
[libdefaults]
        default_realm = COMAPNYNAME.LOCAL
Though on a previous install I thought there was something else in [realms] but I can't remember what. The Fedora guide talks about adding something there when DNS lookups aren't working but doesn't go into enough detail for me to figure out exactly what is supposed to be there.
My modifications to the smb.conf:
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = COMPANYNAME
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = COMPANYNAME.LOCAL
   security = ads
My sssd.conf:
kyle@Server21:~$ sudo cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = COMPANYNAME.LOCAL

[domain/COMPANYNAME.LOCAL]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
And since the Ubuntu guide says that ownership and permissions are important:
kyle@Server21:~$ sudo ls -la /etc/sssd
total 12
drwx--x--x   2 sssd sssd 4096 Jun 21 14:34 .
drwxr-xr-x 103 root root 4096 Jun 22 10:21 ..
-rw-------   1 root root  172 Jun 21 14:22 sssd.conf
The Ubuntu guide also mentions that the hosts file could cause issues with the DNS updating but I think I've followed their example correctly:
kyle@Server21:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       Server21
192.168.XXX.XXX Server21 Server21.COMPANYNAME.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
So where am I going wrong here? The domain controller says it is part of the domain. I have Apache and OpenSSH both up and accessible. But there is a lot more this server is going to do and so I want to make sure everything is configured properly before moving forward.
Edit:
I changed my hosts file based on advice from this page so that it looks like this now:
kyle@Server21:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       Server21.COMPANYNAME.LOCAL Server21
192.168.11.11   Server21.COMPANYNAME.LOCAL Server21

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now getent returns:
kyle@Server21:~$ sudo getent hosts Server21
127.0.1.1       Server21.COMPANYNAME.LOCAL Server21 Server21
192.168.11.11   Server21.COMPANYNAME.LOCAL Server21 Server21
And net ads join now has a different error message:
kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.
So far the only advice I've found on this error says to make sure that the AD server is in resolv.conf and its IP is the only entry.
kyle@Server21:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.XXX.XXX
To answer a comment:
kyle@Server21:~$ nslookup -type=SRV _ldap._tcp.companyname.local
Server:         192.168.XXX.XXX
Address:        192.168.XXX.XXX#53

_ldap._tcp.companyname.local    service = 0 100 389 companynamedc.companyname.local.
Somewhere along the way SSSD was able to start and is now active. Though I'm unsure of what I've done that fixed it.
- Alex Stragies almost 8 years
Have you checked for the correct response to nslookup -type=SRV _ldap._tcp.companyname.local ?
- embedded.kyle almost 8 years
@AlexStragies Yes, it returns the correct response.