[OpenIndiana-discuss] AD integration
Thomas Schweikle
tschweikle at gmail.com
Wed Jan 21 00:04:09 UTC 2015
Hi!
I am trying to integrate an OpenIndiana 5.11 oi_151a9 into an AD
(Windows 2008) domain using kclient:
# kclient -T ms_ad
Starting client setup
---------------------------------------------------
Setting up /etc/krb5/krb5.conf.
Attempting to join 'CLIENT' to the 'DOMAIN' domain.
Password for Administrator@DOMAIN:
kinit(v5): Incorrect net address while getting initial credentials
Could not authenticate Administrator@DOMAIN. Exiting.
---------------------------------------------------
Setup FAILED.
If trying kinit with Administrator:
# kinit Administrator
Password for Administrator@DOMAIN:
root@nc401-muc.domain:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN
Valid starting Expires Service principal
21.01.15 00:53:37 21.01.15 10:53:37 krbtgt/DOMAIN@DOMAIN
renew until 28.01.15 00:53:37
So what is the difference here? If using kinit alone it works, while
kclient doesn't. Any idea what to do to make kclient work?
Here is /etc/krb5/krb5.conf:
[libdefaults]
default_realm = DOMAIN
krb4_get_tickets=no
allow_weak_crypto=true
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false
[realms]
DOMAIN = {
acl_file = /var/lib/heimdal-kdc/kadmind.acl
kdc = dc-master.domain
admin_server = dc-master.domain
kpasswd_server = dc-master.domain
default_domain = domain
}
[domain_realm]
.domain = DOMAIN
domain = DOMAIN
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
proxyable = true
renewable = true
forwardable= true
}
Name resolution is working in both directions:
# host nc405-muc
nc405-muc.domain has address 10.160.2.125
# host 10.160.2.125
125.2.160.10.in-addr.arpa domain name pointer nc405-muc.domain.
The domain controller is resolvable too:
# host dc-master
dc-master.domain has address 10.10.1.33
Hostname is set:
# hostname
nc401-muc.domain
LDAP isn't configured yet, since it needs GSSAPI to allow access and
this needs Kerberos working.
Any idea what I have to change to make it work?
PS: it's a Univention UCS4.0 acting as AD -- if this helps anyone.
--
Thomas
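As an added check (editor's example, not code from this thread or from OpenIndiana's kclient), the following Python parses a trimmed copy of the krb5.conf quoted above and flags what a reviewer would ask about first: whether default_realm and every [domain_realm] mapping point at a defined realm with a kdc, whether the kinit appdefaults use option names kinit actually reads (the posted file has "proxyable" in [appdefaults] beside "proxiable" in [libdefaults]), and whether allow_weak_crypto is enabled. The KINIT_OPTS set and the sample text are assumptions constructed for the example; it does not diagnose the "Incorrect net address" error itself.

```python
from collections import defaultdict
# Constructed sample: a trimmed copy of the krb5.conf quoted in the post (DOMAIN/domain are the poster's placeholders).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN
allow_weak_crypto=true
[realms]
DOMAIN = {
kdc = dc-master.domain
}
[domain_realm]
.domain = DOMAIN
[appdefaults]
kinit = {
proxyable = true
}
"""
KINIT_OPTS = {"forwardable", "proxiable", "renewable"}  # assumption: the kinit appdefaults this check recognises

def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value | {subkey: value}}}."""
    conf, section, group = defaultdict(dict), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):            # section header, e.g. [realms]
            section, group = line.strip("[]"), None
        elif line == "}":                   # end of a nested block
            group = None
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                # start of a nested block, e.g. DOMAIN = {
                group, conf[section][key] = key, {}
            else:
                (conf[section][group] if group else conf[section])[key] = value
    return dict(conf)

def check_krb5_conf(conf):  # findings about realm mapping, misspelled options and weak crypto
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    realm = lib.get("default_realm")
    if realm not in realms or "kdc" not in realms[realm]:
        findings.append(f"default_realm {realm!r} has no [realms] entry with a kdc")
    for dom, r in conf.get("domain_realm", {}).items():
        if r not in realms:
            findings.append(f"[domain_realm] maps {dom} to undefined realm {r}")
    for key in conf.get("appdefaults", {}).get("kinit", {}):
        if key not in KINIT_OPTS:
            findings.append(f"[appdefaults] kinit: {key!r} is not a kinit option (misspelling?)")
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto=true permits DES/RC4-era enctypes; prefer AES on the AD side")
    return findings
```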