[OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

Andrew Martin amartin at xes-inc.com
Wed Oct 8 18:55:42 UTC 2014


Hello,

I am attempting to join an OpenIndiana server to an Active Directory domain for
authenticating smb/server following this guide:
http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html

However, I do not want to specify just a single domain controller in the kdc,
admin_server, and kpasswd_server fields since that would be a single point of
failure. I have a pair of forwarding servers that host a VIP (ad.example.com)
and NAT traffic to any of the available DCs, so I'd prefer to put the hostname
of this VIP in these fields instead:

[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
       kdc = ad.example.com
       admin_server = ad.example.com
       kpasswd_server = ad.example.com
       kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

However, this doesn't work when I run "smbadm join":
Tree Connection SUCCEEDED (0)
Authentication SUCCEEDED (0) for Administrator at EXAMPLE.COM by dc0
Using ad.example.com (dc0) as DC for domain example.com (example)
Tree Connection SUCCEEDED (0)
Authentication SUCCEEDED (0) for Administrator at example.com by dc0
getting initial credentials (Incorrect net address)
getting initial credentials (Incorrect net address)
Joining domain to alter computer account FAILED (1) using Administrator at example.com credentials.
Failed to connect to an Active Directory server.
Joining domain failed (c0000001)

I think this "Incorrect net address" error is occurring because the address
list provided to Kerberos contains the IP addresses of the OpenIndiana server,
not the NAT server (ad.example.com). According to the manpage, I should be able
to add no_addresses to the [appdefaults] section to request an address-less
ticket:


[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
       kdc = ad.example.com
       admin_server = ad.example.com
       kpasswd_server = ad.example.com
       kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
                no_addresses = true
        }

However, doing this does not improve the situation when running "smbadm join".
This DOES work when running "kinit" manually. Changing the kdc, admin_server,
and kpasswd_server to use one of the DCs directly, e.g dc0.example.com, makes
"smbadm join" work successfully. What can I do to successfully join the domain
using this NAT server for HA?

Thanks,

Andrew Martin



More information about the openindiana-discuss mailing list