Bug 219300 - system-config-authentication fails to join AD domain, default Kerberos realm not set
Summary: system-config-authentication fails to join AD domain, default Kerberos realm ...
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig   
(Show other bugs)
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2006-12-12 15:06 UTC by Erik Forsberg
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: authconfig-5.3.13-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-12-13 20:02:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Erik Forsberg 2006-12-12 15:06:10 UTC
Description of problem:

Trying to use system-config-authentication to join an Active Directory domain,
the actual join fails since 'net ads join' tries to fetch a Kerberos ticket from
the wrong realm.

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. Run system-config-authentication and enable winbind. Press Configure winbind
and supply details about your AD and use ads as security model.
2. Press "join domain" and supply details about username and password.
3. Press OK.
Actual results:

ADS join fails. Stdout/stderr of system-config-authentication reports this:

[/usr/bin/net join -w GUEST -S adserver.example.com -U Administrator]
Administrator's password:<...>
[2006/12/12 15:57:43, 0] libsmb/cliconnect.c:cli_session_setup_spnego(776)
  Kinit failed: Cannot resolve network address for KDC in requested realm
Failed to join domain!
ADS join did not work, falling back to RPC...
Joined domain GUEST.

Expected results:

ADS join success.

Additional info:

The reason for the failed join is that /etc/krb5.conf is incorrectly written. A
section for the ADS realm is added, but the realm is not set as default_realm
under [libdefaults]. This causes 'net ads join' to try to get tickets from the
EXAMPLE.COM domain, which fails.

Comment 1 Tomas Mraz 2006-12-13 20:02:17 UTC
Fixed in devel. Workaround for FC6 is to set the realm in Kerberos settings
dialog. I'll release FC6 update later.

Note You need to log in before you can comment on or make changes to this bug.