djjudas21 / puppet-winbind

Puppet module to add Linux machines to a Windows domain using Winbind
Apache License 2.0
2 stars, 6 forks

Improve domain join command and create keytab #5

Open djjudas21 opened 7 years ago

djjudas21 commented 7 years ago

For completeness, DanF joins the domain with the following:

net ads join -U {{ ad_user }}%{{ ad_password }} createcomputer='{{ ad_ou }}' --no-dns-updates
net ads keytab create -U {{ ad_user }}%{{ ad_password }} no-dns-updates

djjudas21 commented 7 years ago

Also need to set these in smb.conf:

dedicated keytab file = /etc/krb5.keytab
kerberos method = dedicated keytab

djjudas21 commented 7 years ago

Doing this broke my ability to authenticate. I also tried kerberos method = secrets and keytab and this didn't work either. Looks like the generated keytab doesn't have any principals in it and /var/log/secure contains the following (redacted):

Jun 28 14:33:32 build-el7 unix_chkpwd[23270]: password check failed for user (username)
Jun 28 14:33:32 build-el7 sudo: pam_unix(sudo:auth): authentication failure; logname=username uid=56933 euid=0 tty=/dev/pts/0 ruser=username rhost=  user=username
Jun 28 14:33:32 build-el7 sudo: pam_krb5[23268]: TGT failed verification using keytab and key for 'host/buildel7898908.ads.bris.ac.uk@ADS.BRIS.AC.UK': Server not found in Kerberos database
Jun 28 14:33:32 build-el7 sudo: pam_krb5[23268]: authentication fails for 'username' (username@ADS.BRIS.AC.UK): Authentication failure (Success)
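An added example, not code from the issue or from the puppet-winbind module: a POSIX sh pre-flight check that the keytab written by `net ads keytab create` actually contains the `host/<fqdn>@REALM` principal that pam_krb5 verifies the TGT against (an empty keytab, or one whose host principal does not match the machine name, gives the "TGT failed verification using keytab" failure above). It assumes MIT `klist -kt` output format; the hostnames and realm in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# KLIST_OUTPUT is the text of `klist -kt <keytab>`. Returns 0 if PRINCIPAL
# appears as an entry (with any KVNO), 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        # entry lines look like: "   3 06/28/2017 14:33:32 host/x@REALM";
        # the principal is always the last field
        $NF == p { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# keytab_principal_count KLIST_OUTPUT
# Prints the number of entries (lines starting with a numeric KVNO);
# 0 means the keytab is effectively empty, as in the issue.
keytab_principal_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# check_host_keytab FQDN REALM [KEYTAB]
# Reads a real keytab with klist and reports whether host/FQDN@REALM is
# present. Exit status: 0 ok, 1 keytab unusable, 2 keytab unreadable.
check_host_keytab() {
    fqdn=$1; realm=$2; keytab=${3:-/etc/krb5.keytab}
    out=$(klist -kt "$keytab" 2>/dev/null) || { echo "cannot read $keytab"; return 2; }
    if [ "$(keytab_principal_count "$out")" -eq 0 ]; then
        echo "keytab $keytab has no principals; re-run 'net ads keytab create'"
        return 1
    fi
    if ! keytab_has_principal "$out" "host/$fqdn@$realm"; then
        echo "keytab lacks host/$fqdn@$realm; pam_krb5 TGT verification will fail"
        return 1
    fi
    echo "keytab ok: host/$fqdn@$realm present"
}

# Constructed sample of `klist -kt` output for offline testing; the host
# name and realm are placeholders, not values taken from the issue.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/28/2017 14:33:32 host/build-el7.example.com@EXAMPLE.COM
   3 06/28/2017 14:33:32 BUILD-EL7$@EXAMPLE.COM'

# On a joined host, run: check_host_keytab "$(hostname -f)" EXAMPLE.COM
```

Run the check after the Puppet exec that creates the keytab, before relying on `kerberos method = dedicated keytab`; a non-zero exit tells you the join or keytab step left the host without a usable host principal.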