Red Hat Bugzilla – Bug 219300
system-config-authentication fails to join AD domain, default Kerberos realm not set
Last modified: 2007-11-30 17:11:51 EST
Description of problem:
When trying to use system-config-authentication to join an Active Directory domain,
the actual join fails since 'net ads join' tries to fetch a Kerberos ticket from
the wrong realm.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run system-config-authentication and enable winbind. Press "Configure winbind",
supply details about your AD, and use ads as the security model.
2. Press "join domain" and supply details about username and password.
3. Press OK.
ADS join fails. Stdout/stderr of system-config-authentication reports this:
[/usr/bin/net join -w GUEST -S adserver.example.com -U Administrator]
[2006/12/12 15:57:43, 0] libsmb/cliconnect.c:cli_session_setup_spnego(776)
Kinit failed: Cannot resolve network address for KDC in requested realm
Failed to join domain!
ADS join did not work, falling back to RPC...
Joined domain GUEST.
ADS join success.
The reason for the failed join is that /etc/krb5.conf is incorrectly written. A
section for the ADS realm is added, but the realm is not set as default_realm
under [libdefaults]. This causes 'net ads join' to try to get tickets from the
EXAMPLE.COM domain, which fails.
Fixed in devel. The workaround for FC6 is to set the realm in the Kerberos settings
dialog. I'll release an FC6 update later.
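
A check for the misconfiguration described in this report, added here as an example; it is not code from system-config-authentication or Samba. It parses krb5.conf text and reports when the AD realm has a [realms] entry but is not the default_realm under [libdefaults]. The realm name AD.EXAMPLE.NET, its KDC host, and the function names are assumptions made for the example.

```python
import re

# Constructed sample of the state the report describes: the AD realm has a
# [realms] entry, but default_realm still names EXAMPLE.COM (placeholder names).
BROKEN_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
 AD.EXAMPLE.NET = {
  kdc = adserver.ad.example.net:88
 }
"""

def parse_krb5_conf(text):
    """Return ([libdefaults] settings, realm names listed under [realms])."""
    section, depth = None, 0
    libdefaults, realms = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
        elif line.startswith("}"):
            depth -= 1  # end of a per-realm subsection
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if depth == 0 and section == "libdefaults":
                libdefaults[key] = value
            elif depth == 0 and section == "realms":
                realms.add(key)
            if value.startswith("{"):
                depth += 1  # entering a per-realm subsection
    return libdefaults, realms

def check_default_realm(text, ad_realm):
    """List the problems that would send ticket requests to the wrong realm."""
    libdefaults, realms = parse_krb5_conf(text)
    problems = []
    if ad_realm not in realms:
        problems.append(f"no [realms] entry for {ad_realm}")
    default = libdefaults.get("default_realm")
    if default != ad_realm:
        problems.append(f"default_realm is {default or 'unset'}, expected {ad_realm}")
    return problems
```

Run against the real file with `check_default_realm(open("/etc/krb5.conf").read(), "<your AD realm>")`; an empty list means the default realm matches the realm being joined.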