Andreas Habel
2019-Jun-11  12:41 UTC
[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
Hi,
when trying to add a Linux host (CentOS7) that is supposed to act as a file
server to AD I get:
# net ads join -U administrator
Enter administrator's password:
kerberos_kinit_password administrator at IERLAB.UX.UIS.NO failed: Improper
format of Kerberos configuration file
Failed to join domain: failed to connect to AD: Improper format of Kerberos
configuration file
Here's my krb5.conf (it looks the same on the DC and client):
[libdefaults]
        default_realm = IERLAB.UX.UIS.NO
        dns_lookup_realm = false
        dns_lookup_kdc = true
Here's the output of a couple of Kerberos-related commands (executed on the
DC):
# host -t SRV _kerberos._udp.ierlab.ux.uis.no
_kerberos._udp.ierlab.ux.uis.no has SRV record 0 100 88 geo22.ierlab.ux.uis.no.
# kinit administrator
Password for administrator at IERLAB.UX.UIS.NO:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at IERLAB.UX.UIS.NO
Valid starting       Expires              Service principal
06/11/2019 14:00:34  06/12/2019 00:00:34  krbtgt/IERLAB.UX.UIS.NO at
IERLAB.UX.UIS.NO
        renew until 06/12/2019 14:00:30
From other threads on this list I learned that there could be a kdc.conf
file; however, I can't find such a file on my DC.
So any help with the Kerberos configuration would be appreciated.
Andreas
--
Andreas Habel
Petroleum engineering lab
Geosciences | Unix network
Faculty of Science and Technology
University of Stavanger
Norway
Phone: +47-51 83 22 93
Rowland penny
2019-Jun-11  12:58 UTC
[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
On 11/06/2019 13:41, Andreas Habel via samba wrote:
> Hi,
>
> when trying to add a Linux host (CentOS7) that is supposed to act as a file server to AD I get:
>
> # net ads join -U administrator
> Enter administrator's password:
> kerberos_kinit_password administrator at IERLAB.UX.UIS.NO failed: Improper format of Kerberos configuration file
> Failed to join domain: failed to connect to AD: Improper format of Kerberos configuration file
>
> Here's my krb5.conf (it looks the same on the DC and client):
> [libdefaults]
>         default_realm = IERLAB.UX.UIS.NO
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>

That looks okay, I take it that is /etc/krb5.conf?

> Here's the output of a couple of Kerberos-related commands (executed on the DC):
>
> # host -t SRV _kerberos._udp.ierlab.ux.uis.no
> _kerberos._udp.ierlab.ux.uis.no has SRV record 0 100 88 geo22.ierlab.ux.uis.no.
>
> # kinit administrator
> Password for administrator at IERLAB.UX.UIS.NO:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at IERLAB.UX.UIS.NO
>
> Valid starting       Expires              Service principal
> 06/11/2019 14:00:34  06/12/2019 00:00:34  krbtgt/IERLAB.UX.UIS.NO at IERLAB.UX.UIS.NO
>         renew until 06/12/2019 14:00:30
>
>
> From other threads on this list I learned that there could be a kdc.conf file; however, I can't find such a file on my DC.

No, you shouldn't have that file.

>
> So any help with the Kerberos configuration would be appreciated.
>
> Andreas
>
>

Let's start with you posting the smb.conf file from the machine that will not join.

Rowland
Andreas Habel
2019-Jun-11  13:05 UTC
[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
> Sent: 11. juni 2019 14:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
>
> On 11/06/2019 13:41, Andreas Habel via samba wrote:
> > Hi,
> >
> > when trying to add a Linux host (CentOS7) that is supposed to act as a file server to AD I get:
> >
> > # net ads join -U administrator
> > Enter administrator's password:
> > kerberos_kinit_password administrator at IERLAB.UX.UIS.NO failed: Improper format of Kerberos configuration file
> > Failed to join domain: failed to connect to AD: Improper format of Kerberos configuration file
> >
> > Here's my krb5.conf (it looks the same on the DC and client):
> > [libdefaults]
> >         default_realm = IERLAB.UX.UIS.NO
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> That looks okay, I take it that is /etc/krb5.conf?

Yes!

> > Here's the output of a couple of Kerberos-related commands (executed on the DC):
> >
> > # host -t SRV _kerberos._udp.ierlab.ux.uis.no
> > _kerberos._udp.ierlab.ux.uis.no has SRV record 0 100 88 geo22.ierlab.ux.uis.no.
> >
> > # kinit administrator
> > Password for administrator at IERLAB.UX.UIS.NO:
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at IERLAB.UX.UIS.NO
> >
> > Valid starting       Expires              Service principal
> > 06/11/2019 14:00:34  06/12/2019 00:00:34  krbtgt/IERLAB.UX.UIS.NO at IERLAB.UX.UIS.NO
> >         renew until 06/12/2019 14:00:30
> >
> >
> > From other threads on this list I learned that there could be a kdc.conf file; however, I can't find such a file on my DC.
> No, you shouldn't have that file.
> >
> > So any help with the Kerberos configuration would be appreciated.
> >
> > Andreas
> >
> >
> Let's start with you posting the smb.conf file from the machine that will not join.

smb.conf:

[global]
        security = ADS
        workgroup = IERLAB
        realm = IERLAB.UX.UIS.NO

        log file = /var/log/samba/%m.log
        log level = 1

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # - You must set a DOMAIN backend configuration
        # idmap config for the IERLAB domain
        idmap config IERLAB:backend = ad
        idmap config IERLAB:schema_mode = rfc2307
        idmap config IERLAB:range = 10000-999999
        idmap config IERLAB:unix_nss_info = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U

Andreas