[OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

Andre Kruger Andre.Kruger at TRW.COM
Thu Oct 9 08:51:46 UTC 2014


I recently tried to (re)join an OI machine to my company's AD. I had it joined previously, but my AD integration broke when the AD admins turned on LDAPS. OI does not have the required libraries to join an AD environment that has LDAPS enabled.

You can troubleshoot this further by issuing the join command yourself and running it in debug mode at the same time:

net ads join -U username -d5

If the domain you are trying to join does have LDAPS enabled, you should see this line, "StartTLS not supported by LDAP client libraries!", a few lines from the bottom when the join completes, unless you have other errors that first need fixing. Eventually, however, once you have them all sorted out, you will get this error.



-----Original Message-----
From: Andrew Martin [mailto:amartin at xes-inc.com] 
Sent: 08 October 2014 20:56
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

Hello,

I am attempting to join an OpenIndiana server to an Active Directory domain for authenticating smb/server following this guide:
http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html

However, I do not want to specify just a single domain controller in the kdc, admin_server, and kpasswd_server fields since that would be a single point of failure. I have a pair of forwarding servers that host a VIP (ad.example.com) and NAT traffic to any of the available DCs, so I'd prefer to put the hostname of this VIP in these fields instead:

[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
       kdc = ad.example.com
       admin_server = ad.example.com
       kpasswd_server = ad.example.com
       kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

However, this doesn't work when I run "smbadm join":
Tree Connection SUCCEEDED (0)
Authentication SUCCEEDED (0) for Administrator at EXAMPLE.COM by dc0
Using ad.example.com (dc0) as DC for domain example.com (example)
Tree Connection SUCCEEDED (0)
Authentication SUCCEEDED (0) for Administrator at example.com by dc0
getting initial credentials (Incorrect net address)
getting initial credentials (Incorrect net address)
Joining domain to alter computer account FAILED (1) using Administrator at example.com credentials.
Failed to connect to an Active Directory server.
Joining domain failed (c0000001)

I think this "Incorrect net address" error is occurring because the address list provided to Kerberos contains the IP addresses of the OpenIndiana server, not the NAT server (ad.example.com). According to the manpage, I should be able to add no_addresses to the [appdefaults] section to request an address-less ticket:


[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
       kdc = ad.example.com
       admin_server = ad.example.com
       kpasswd_server = ad.example.com
       kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
                no_addresses = true
        }

However, doing this does not improve the situation when running "smbadm join".
This DOES work when running "kinit" manually. Changing the kdc, admin_server, and kpasswd_server to use one of the DCs directly, e.g. dc0.example.com, makes "smbadm join" work successfully. What can I do to successfully join the domain using this NAT server for HA?

Thanks,

Andrew Martin

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss at openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
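A krb5.conf variant for the HA concern raised in the question above, added here as an example and not taken from either poster or from the Oracle guide: rather than pointing kdc, admin_server and kpasswd_server at a NAT VIP, it lists each domain controller directly so that the Kerberos library itself fails over between them, and it turns on DNS SRV lookup so that DCs the AD admins add later are found without editing the file. The host names dc1.example.com and dc2.example.com are assumed (only dc0 appears in the thread), and the example assumes that OpenIndiana's libkrb5 honours repeated kdc/kpasswd_server entries and dns_lookup_kdc the way MIT Kerberos does.

```ini
# Added example, not from the thread. Assumes OpenIndiana's libkrb5
# iterates over repeated kdc/kpasswd_server entries and supports
# dns_lookup_kdc, as MIT Kerberos does.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Also consult _kerberos._tcp.EXAMPLE.COM (and _kpasswd._tcp) SRV
    # records that AD publishes, so DCs not listed below are still found.
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # Tried in order; the library moves to the next entry when one
        # does not answer, so no NAT hop is needed for failover and the
        # client's own addresses reach the KDC unchanged (the NAT hop is
        # what the "Incorrect net address" check trips over).
        # dc0 is from the thread; dc1 and dc2 are assumed names.
        kdc = dc0.example.com
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc0.example.com
        kpasswd_server = dc0.example.com
        kpasswd_server = dc1.example.com
        kpasswd_server = dc2.example.com
        kpasswd_protocol = SET_CHANGE
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this layout a DC outage costs only the per-KDC timeout before the next entry is tried, and because every ticket is requested directly from a DC the address list inside the ticket matches what the DC sees. DNS must resolve each listed host (the debug output in the thread shows smbadm resolving dc0 behind the VIP, so the same records already exist), and the LDAPS limitation described in the reply is unaffected by anything in krb5.conf.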


