Hi,
After spending several hours, I do not succeed in joining my AD domain (as
part of the 802.1X radius setup).
I have done a minimal install of CentOS 7.
Packetfence install, and I can configure it.
However, adding an AD domain via the web interface does not work.
I connect to samba Version 4.2.10-Debian.
Several machines are joined to this domain.
I can ping the AD pdc controller.
The web interface tells:
Error! An error occured while contacting the server. Please try again later.
The (I suppose generated) krb5.conf is:
***
[libdefaults]
default_realm = ad.mydomain.org
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
ad.mydomain.org = {
kdc = pdc.ad. mydomain.org:88
admin_server = pdc.ad.mydomain.org:749
default_domain = ad.mydomain.org
}
***
I always use capitals for the Kerberos realm but apparently, the generated
file does not.
It is also not really possible to change it, since the file seems to be
regenerated after a new try.
/etc/samba/mydomain.conf:
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = MYDOMAIN
realm = ad.mydomain.org
netbios name = pf
server string = pf
pid directory = /usr/local/pf/var/run/mydomain
lock directory = /var/cache/sambamydomain
private dir = /var/cache/sambamydomain
security = ADS
winbind use default domain = no
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash
winbind expand groups = 10
password server = pdc.ad.mydomain.org
domain master = no
local master = no
preferred master = no
inherit permissions = yes
admin users = @mydomain\"domain admins"
hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
veto files = /lost+found/
allow trusted domains = yes
# No printers on this host
show add printer wizard = no
disable spoolss = yes
load printers = no
printing = bsd
printcap name = /dev/null
# No usershares here
usershare max shares = 0
# By default no guests and invisible
browseable = no
guest ok = no
#interfaces = 169.254.0.1
#bind interfaces only = yes
# prevent winbind from periodically changing the password
machine password timeout = 0
# Prevent 'Failed to join domain: failed to lookup DC info for domain 'DOMAIN.DOMAIN' over rpc: Access denied' error when attempting a domain join
# Command 'net ads join -d 5' outputs the following relevant lines
# cli_negprot: SMB signing is mandatory and the server doesn't support it.
# failed negprot: NT_STATUS_ACCESS_DENIED
client ipc signing = auto
Packetfence.log does not show any errors.
I also checked /chroots/gordijn/var/log/sambamydomain/log.winbindd:
[2016/06/23 16:27:51, 0] ../source3/winbindd/winbindd.c:1549(main)
winbindd version 4.2.10 started.
Copyright Andrew Tridgell and the Samba Team 1992-2014
[2016/06/23 16:27:51.393621, 0]
../source3/winbindd/winbindd_cache.c:3235(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2016/06/23 16:27:51.422884, 0]
../source3/winbindd/winbindd_util.c:736(init_domain_list)
Could not fetch our SID - did we join?
[2016/06/23 16:27:51.427524, 0]
../source3/winbindd/winbindd.c:1294(winbindd_register_handlers)
unable to initialize domain list
I also tried to join manually (this works) and then follow the instructions
in the manual for a clustered setup of AD.
At first, this works.
However, it does not survive a reboot.
I can not pinpoint exactly what happens but it seems that part uses the
chroot setup and another part not.
The result is that I cannot use AD-based RADIUS authentication.
Please, some advice.
Best,
-- JG
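Added example (not part of the post, and not PacketFence or Samba code): a small checker that parses krb5.conf/smb.conf-style files, including krb5.conf's nested `realm = { ... }` blocks, and flags the three things visible in the post that a reader would verify first: a realm that is not written in capitals, a kdc entry that is not a clean host:port, and the winbindd message "Could not fetch our SID - did we join?", which winbindd logs when it finds no machine SID in the secrets.tdb it can see. The sample files and log lines below are constructed for the example; the realm `ad.example.org` and host `pdc.ad.example.org` are placeholders, not the poster's values.

```python
import re

# Constructed sample inputs shaped like the files in the post (not the poster's exact files).
KRB5_CONF = """\
[libdefaults]
default_realm = ad.example.org
forwardable = true
[realms]
ad.example.org = {
kdc = pdc.ad. example.org:88
admin_server = pdc.ad.example.org:749
default_domain = ad.example.org
}
"""

SMB_CONF = """\
[global]
workgroup = EXAMPLE
realm = ad.example.org
security = ADS
password server = pdc.ad.example.org
"""

WINBIND_LOG = """\
[2016/06/23 16:27:51, 0] ../source3/winbindd/winbindd.c:1549(main)
winbindd version 4.2.10 started.
[2016/06/23 16:27:51.422884, 0] ../source3/winbindd/winbindd_util.c:736(init_domain_list)
Could not fetch our SID - did we join?
"""


def parse_conf(text):
    """Parse an INI-style file that may contain krb5.conf's nested `name = { ... }` blocks.

    Returns {section: {key: value}}; keys inside a block are prefixed with the block
    name and '/', e.g. 'AD.EXAMPLE.ORG/kdc'. Comment lines (# or ;) are skipped.
    """
    sections, section, path = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            sections.setdefault(section, {})
            path = []
        elif line == "}":
            if path:
                path.pop()
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                path.append(key)
            else:
                sections[section]["/".join(path + [key])] = value
    return sections


def check_ad_join(krb5_text, smb_text, winbind_log):
    """Return a list of human-readable findings; an empty list means no obvious problem."""
    findings = []
    krb5 = parse_conf(krb5_text)
    smb = parse_conf(smb_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    smb_realm = smb.get("global", {}).get("realm", "")

    # Kerberos realm names are case-sensitive and AD realms are written in capitals,
    # so a lower-case realm in either file is the first thing to suspect.
    for where, value in (("krb5.conf default_realm", realm), ("smb.conf realm", smb_realm)):
        if value and value != value.upper():
            findings.append(f"{where} '{value}' is not upper-case")
    if realm and smb_realm and realm.lower() != smb_realm.lower():
        findings.append(f"krb5.conf realm '{realm}' and smb.conf realm '{smb_realm}' differ")

    # The [realms] stanza name must match default_realm exactly, and the kdc value
    # must be a clean host[:port]; whitespace inside it breaks the KDC lookup.
    realms = krb5.get("realms", {})
    kdc = realms.get(f"{realm}/kdc")
    if realm and kdc is None:
        findings.append(f"no [realms] stanza for '{realm}' (names are case-sensitive)")
    elif kdc and re.search(r"\s", kdc):
        findings.append(f"kdc entry '{kdc}' contains whitespace")

    # winbindd reads the machine account SID from secrets.tdb; this message means the
    # join was never recorded in the secrets.tdb that this winbindd instance can see.
    if "Could not fetch our SID" in winbind_log:
        findings.append("winbindd found no machine SID: join incomplete or secrets.tdb not visible")
    return findings


if __name__ == "__main__":
    for finding in check_ad_join(KRB5_CONF, SMB_CONF, WINBIND_LOG):
        print("-", finding)
```

Run against the constructed sample it reports four findings (both lower-case realms, the whitespace in the kdc line, and the missing SID); with the realm written in capitals, the kdc line cleaned up and a winbindd log without that message it reports nothing. The last check is the one to apply to the chroot question in the post: point the checker at the log from the instance that actually serves the RADIUS authentication and see whether that instance ever saw the join.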
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users