Andreas Habel
2019-Jun-11 13:05 UTC
[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
> Sent: 11. juni 2019 14:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
>
> On 11/06/2019 13:41, Andreas Habel via samba wrote:
> > Hi,
> >
> > when trying to add a Linux host (CentOS7) that is supposed to act as a file server to AD I get:
> >
> > # net ads join -U administrator
> > Enter administrator's password:
> > kerberos_kinit_password administrator at IERLAB.UX.UIS.NO failed: Improper format of Kerberos configuration file
> > Failed to join domain: failed to connect to AD: Improper format of Kerberos configuration file
> >
> > Here's my krb5.conf (it looks the same on the DC and client):
> > [libdefaults]
> > default_realm = IERLAB.UX.UIS.NO
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> That looks okay, I take it that is /etc/krb5.conf?

Yes!

> > Here's the output of a couple of Kerberos-related commands (executed on the DC):
> >
> > # host -t SRV _kerberos._udp.ierlab.ux.uis.no
> > _kerberos._udp.ierlab.ux.uis.no has SRV record 0 100 88 geo22.ierlab.ux.uis.no.
> >
> > # kinit administrator
> > Password for administrator at IERLAB.UX.UIS.NO:
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at IERLAB.UX.UIS.NO
> >
> > Valid starting       Expires              Service principal
> > 06/11/2019 14:00:34  06/12/2019 00:00:34  krbtgt/IERLAB.UX.UIS.NO at IERLAB.UX.UIS.NO
> >         renew until 06/12/2019 14:00:30
> >
> > From other threads on this list I learned that there could be a kdc.conf file; however, I can't find such a file on my DC.
> No, you shouldn't have that file.
> >
> > So any help with the Kerberos configuration would be appreciated.
> >
> > Andreas
> >
> Let's start with you posting the smb.conf file from the machine that will not join.

smb.conf:

[global]
security = ADS
workgroup = IERLAB
realm = IERLAB.UX.UIS.NO

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the IERLAB domain
idmap config IERLAB:backend = ad
idmap config IERLAB:schema_mode = rfc2307
idmap config IERLAB:range = 10000-999999
idmap config IERLAB:unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U

Andreas
Rowland penny
2019-Jun-11 17:48 UTC
[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
On 11/06/2019 14:05, Andreas Habel via samba wrote:
> smb.conf:
>
> [global]
> security = ADS
> workgroup = IERLAB
> realm = IERLAB.UX.UIS.NO
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the IERLAB domain
> idmap config IERLAB:backend = ad
> idmap config IERLAB:schema_mode = rfc2307
> idmap config IERLAB:range = 10000-999999
> idmap config IERLAB:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>

Nothing wrong there either.

All I can suggest is that you delete the contents of /etc/krb5.conf and retype them again, check that your dns domain is ierlab.ux.uis.no, check that the first nameserver in /etc/resolv.conf points to an AD DC, check that 'hostname -s', 'hostname -f' produces the expected results.

Rowland
Andreas Habel
2019-Jun-12 07:22 UTC
[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
> > All I can suggest is that you delete the contents of /etc/krb5.conf and
> retype them again

yes -- that was it! There was a typo in krb5.conf on the client -- "default realm" instead of "default_realm". It took me days to figure that out...

Andreas
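
Added example (not part of the thread, and not Samba or MIT Kerberos code): a small offline linter for the mistake found above, a space inside a relation name such as "default realm". The function name lint_krb5_conf and both sample texts are constructed for illustration, and the known-name list holds only the three options posted in the thread.

```python
import re
import sys

# Option names taken from the krb5.conf posted in the thread (not a full list).
KNOWN_NAMES = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Constructed samples: the file as posted, and the client's file with the typo.
GOOD_SAMPLE = """[libdefaults]
    default_realm = IERLAB.UX.UIS.NO
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""
BROKEN_SAMPLE = GOOD_SAMPLE.replace("default_realm", "default realm")


def lint_krb5_conf(text):
    """Return (line_number, message) findings for krb5.conf-style text."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.split()[0] in ("include", "includedir"):
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            continue
        if line.rstrip("*") == "}":               # end of a subsection
            continue
        name, sep, _value = line.partition("=")
        name = name.strip()
        if section is None or not sep or not name:
            findings.append((lineno, "expected 'name = value' inside a [section]"))
        elif not name.startswith('"') and re.search(r"\s", name):
            fixed = re.sub(r"\s+", "_", name)
            hint = f"; did you mean '{fixed}'?" if fixed in KNOWN_NAMES else ""
            findings.append((lineno, f"whitespace in relation name '{name}'{hint}"))
    return findings


if __name__ == "__main__":
    # Lint the file named on the command line, or the constructed broken sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_SAMPLE
    for lineno, message in lint_krb5_conf(text):
        print(f"line {lineno}: {message}")
```

Running it against the client's /etc/krb5.conf before `net ads join` points at the offending line number, which the join error itself does not report.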