Bug 219300 - system-config-authentication fails to join AD domain, default Kerberos realm not set
system-config-authentication fails to join AD domain, default Kerberos realm ...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-12 10:06 EST by Erik Forsberg
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: authconfig-5.3.13-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-12-13 15:02:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Erik Forsberg 2006-12-12 10:06:10 EST
Description of problem:

Trying to use system-config-authentication to join an Active Directory domain,
the actual join fails since 'net ads join' tries to fetch a Kerberos ticket from
the wrong realm.


Version-Release number of selected component (if applicable):

samba-3.0.23c-2
samba-common-3.0.23c-2
authconfig-gtk-5.3.12-1.fc6



Steps to Reproduce:
1. Run system-config-authentication and enable winbind. Press Configure winbind
and supply details about your AD and use ads as security model.
2. Press "join domain" and supply details about username and password.
3. Press OK.
 
Actual results:

ADS join fails. Stdout/stderr of system-config-authentication reports this:

[/usr/bin/net join -w GUEST -S adserver.example.com -U Administrator]
Administrator's password:<...>
 
[2006/12/12 15:57:43, 0] libsmb/cliconnect.c:cli_session_setup_spnego(776)
  Kinit failed: Cannot resolve network address for KDC in requested realm
Failed to join domain!
ADS join did not work, falling back to RPC...
Joined domain GUEST.

Expected results:

ADS join success.

Additional info:

The reason for the failed join is that /etc/krb5.conf is incorrectly written. A
section for the ADS realm is added, but the realm is not set as default_realm
under [libdefaults]. This causes 'net ads join' to try to get tickets from the
EXAMPLE.COM domain, which fails.
Comment 1 Tomas Mraz 2006-12-13 15:02:17 EST
Fixed in devel. Workaround for FC6 is to set the realm in Kerberos settings
dialog. I'll release FC6 update later.

Note You need to log in before you can comment on or make changes to this bug.