[OpenIndiana-discuss] AD integration
Jim Klimov
jimklimov at cos.ru
Thu Jan 22 00:03:05 UTC 2015
On 21 January 2015 01:04:09 CET, Thomas Schweikle <tschweikle at gmail.com> wrote:
>Hi!
>
>I am trying to integrate an OpenIndiana 5.11 oi_151a9 into an AD
>(Windows 2008) domain using kclient:
>
># kclient -T ms_ad
>
>Starting client setup
>
>---------------------------------------------------
>
>Setting up /etc/krb5/krb5.conf.
>
>Attempting to join 'CLIENT' to the 'DOMAIN' domain.
>
>Password for Administrator at DOMAIN:
>kinit(v5): Incorrect net address while getting initial credentials
>Could not authenticate Administrator at DOMAIN. Exiting.
>---------------------------------------------------
>Setup FAILED.
>
>If trying kinit with Administrator:
>
># kinit Administrator
>Password for Administrator at DOMAIN:
>root at nc401-muc.domain:~# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: Administrator at DOMAIN
>
>Valid starting Expires Service principal
>21.01.15 00:53:37 21.01.15 10:53:37 krbtgt/DOMAIN at DOMAIN
> renew until 28.01.15 00:53:37
>
>So what is the difference here? If using kinit alone it works, while
>kclient doesn't. Any idea what to do to make kclient work?
>
>Here is /etc/krb5/krb5.conf:
>[libdefaults]
> default_realm = DOMAIN
> krb4_get_tickets=no
> allow_weak_crypto=true
> dns_lookup_kdc = false
> dns_lookup_realm = false
> forwardable = true
> proxiable = true
> kdc_timesync = 1
> debug = false
>
>[realms]
> DOMAIN = {
> acl_file = /var/lib/heimdal-kdc/kadmind.acl
> kdc = dc-master.domain
> admin_server = dc-master.domain
> kpasswd_server = dc-master.domain
> default_domain = domain
> }
>
>[domain_realm]
> .domain = DOMAIN
> domain = DOMAIN
>
>[logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
>[appdefaults]
> kinit = {
> proxyable = true
> renewable = true
> forwardable= true
> }
>
>Name resolution is working in both directions:
># host nc405-muc
>nc405-muc.domain has address 10.160.2.125
># host 10.160.2.125
>125.2.160.10.in-addr.arpa domain name pointer nc405-muc.domain.
>
>The domain controller is resolvable too:
># host dc-master
>dc-master.domain has address 10.10.1.33
>
>Hostname is set:
># hostname
>nc401-muc.domain
>
>LDAP isn't configured yet, since it needs GSSAPI to allow access and
>this needs Kerberos working.
>Any idea what I have to change to make it work?
>
>PS: it's a Univention UCS4.0 acting as AD -- if this helps anyone.
OTOH, it looks inconsistent that you use textual hostnames and dns_resolution flags == false. Do you resolve via /etc/hosts or some other non-dns mechanism?
HTH,
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
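As an added example (not code from the thread or from OpenIndiana), the script below parses a krb5.conf in the shape posted above and reports two things a practitioner would check before re-running kclient: whether each kdc=/admin_server=/kpasswd_server= hostname would be answered by /etc/hosts or fall through to DNS under the nsswitch.conf 'hosts' order (the question Jim raises), and whether allow_weak_crypto=true is still set. The krb5.conf text is the posted one with the DOMAIN/domain placeholders kept; the nsswitch 'hosts' line and the /etc/hosts content are constructed for illustration and are not from the post.

```python
"""Lint a krb5.conf and say how its KDC hostnames would be resolved.

Added example for the thread above, not the poster's or OpenIndiana's code.
NSSWITCH_HOSTS and ETC_HOSTS below are constructed inputs: a common
Solaris/OpenIndiana 'hosts' line and a minimal /etc/hosts that does NOT
list the domain controller, so its name falls through to DNS.
"""
import re

KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN
 allow_weak_crypto=true
 dns_lookup_kdc = false
 dns_lookup_realm = false
 forwardable = true

[realms]
 DOMAIN = {
 kdc = dc-master.domain
 admin_server = dc-master.domain
 kpasswd_server = dc-master.domain
 default_domain = domain
 }

[domain_realm]
 .domain = DOMAIN
 domain = DOMAIN
"""

NSSWITCH_HOSTS = "hosts: files dns"          # constructed
ETC_HOSTS = """\
127.0.0.1 localhost
10.160.2.121 nc401-muc.domain nc401-muc
"""                                           # constructed


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.
    Handles the one level of '{ }' nesting used by [realms]/[logging];
    repeated keys (several kdc= lines) are collected into a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m or section is None:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val == '{':
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        if key in target:
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [val]
        else:
            target[key] = val
    return conf


def resolve_source(hostname, nsswitch_hosts=NSSWITCH_HOSTS, etc_hosts=ETC_HOSTS):
    """Return the nsswitch source that answers for hostname: 'files' if it
    is in /etc/hosts, 'dns' if the name would fall through to DNS (we cannot
    query DNS offline, so 'dns' means 'left to the resolver'), else None."""
    sources = nsswitch_hosts.split(':', 1)[1].split()
    names = set()
    for line in etc_hosts.splitlines():
        names.update(line.split('#', 1)[0].split()[1:])
    for src in sources:
        if src == 'files' and hostname in names:
            return 'files'
        if src == 'dns':
            return 'dns'
    return None


def lint(conf, nsswitch_hosts=NSSWITCH_HOSTS, etc_hosts=ETC_HOSTS):
    """Return human-readable findings for a parsed krb5.conf."""
    findings = []
    lib = conf.get('libdefaults', {})
    if str(lib.get('allow_weak_crypto', 'false')).lower() == 'true':
        findings.append('libdefaults: allow_weak_crypto=true re-enables single-DES '
                        'enctypes; drop it unless the DC really issues DES keys')
    realm = lib.get('default_realm')
    if realm and realm != realm.upper():
        findings.append('libdefaults: default_realm %r is not upper-case' % realm)
    no_srv = str(lib.get('dns_lookup_kdc', 'true')).lower() == 'false'
    for name, entries in conf.get('realms', {}).items():
        if not isinstance(entries, dict):
            continue
        if no_srv and 'kdc' not in entries:
            findings.append('realms/%s: dns_lookup_kdc=false but no kdc= line' % name)
        for key in ('kdc', 'admin_server', 'kpasswd_server'):
            vals = entries.get(key, [])
            for host in (vals if isinstance(vals, list) else [vals]):
                host = host.split(':')[0]            # strip an optional :port
                src = resolve_source(host, nsswitch_hosts, etc_hosts)
                if src is None:
                    findings.append('realms/%s: %s=%s resolves via neither files '
                                    'nor dns' % (name, key, host))
                else:
                    findings.append('realms/%s: %s=%s resolves via %s'
                                    % (name, key, host, src))
    return findings


if __name__ == '__main__':
    for finding in lint(parse_krb5_conf(KRB5_CONF)):
        print(finding)
```

With the constructed inputs the domain controller is reported as "resolves via dns": dns_lookup_kdc=false only disables SRV-record discovery of KDCs, so a textual kdc= hostname still goes through whatever the nsswitch 'hosts' line says, and if that line is 'files' only the checker reports that the name would not resolve at all.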