I have used the adcli tool to add the RHEL 6 host to AD, but it failed with the "! Couldn't set service principals on computer account" error. Below are the logs.

[root@ADTESTRH6 ~]# adcli join -v -S server.test.com -U user
 * Sending netlogon pings to domain controller: cldap://10.10.10.10
 * Received NetLogon info from: server.test.com
 * Discovered domain name: wipro.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Calculated domain realm from name: TEST.COM
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-EkYR7x/krb5.d/adcli-krb5-conf-ihgEaF
Password for [email protected]:
 * Authenticated as user: [email protected]
 * Looked up short domain name: TEST
 * Using fully qualified name: ADTESTRH6
 * Using domain name: test.com
 * Using computer account name: ADTESTRH6
 * Using domain realm: test.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for ADTESTRH6$ does not exist
 * Found well known computer container at: OU=Test Computers,DC=test,DC=com
 * Calculated computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
 * Created computer account: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com: 00002083: AtrErr: DSID-03151785, #1: 0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Discovered which keytab salt to use
 * Added the entries to the keytab: [email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab

So I mentioned the SPN in the command itself:

#adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com --user-principal=host/[email protected] -U user

and the server joined the domain, as per the log below.

[root@ADTESTRH6 ~]# adcli join -v -S server.test.com --host-fqdn=adtestrh6.test.com -U user
 * Using fully qualified name: adtestrh6.test.com
 * Sending netlogon pings to domain controller: cldap://10.10.10.10
 * Received NetLogon info from: server.test.com
 * Discovered domain name: TEST.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Calculated domain realm from name: TEST.COM
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-Zu1kcU/krb5.d/adcli-krb5-conf-fJ0qtq
Password for [email protected]:
 * Authenticated as user: [email protected]
 * Looked up short domain name: TEST
 * Using fully qualified name: adtestrh6.TEST.com
 * Using domain name: test.com
 * Using computer account name: ADTESTRH6
 * Using domain realm: test.com
 * Calculated computer account name from fqdn: ADTESTRH6
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for ADTESTRH6$ at: CN=ADTESTRH6,OU=TEST Computers,DC=test,DC=com
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=ADTESTRH6,OU=TEST Computers,DC=test,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: [email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/[email protected]: FILE:/etc/krb5.keytab

But I am still not able to log in as an AD user. I restarted sssd etc.

PAM files:

[root@ADTESTRH6 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[root@ADTESTRH6 pam.d]# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[root@ADTESTRH6 pam.d]#

Strangely, there are no sssd logs which are useful.

Regards
Pavan
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
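The error in the first join, Windows error 00002083 / LDAP attributeOrValueExists (ATT_OR_VALUE_EXISTS) on servicePrincipalName, is what the domain controller returns when the SPN value adcli tries to add is already held in the directory. A stale computer object that still owns host/ADTESTRH6 is a typical cause, and an SPN held by two objects also breaks Kerberos host authentication because the KDC cannot tell which account key to use. The script below is an added example, not code from the thread or from the adcli or sssd projects: it parses adcli -v output for "!" lines and decodes the AD error, then reads an LDIF export of computer objects and reports SPNs that collide, both between existing objects and between an existing object and the four SPNs a join of the given host would register. The log excerpt, the LDIF, and the object names OLDHOST01, FILESRV and FILESRV-OLD are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of an `adcli join -v` run, modelled on the post above (not a capture).
ADCLI_LOG = """\
 * Modifying computer account: userPrincipalName
 ! Couldn't set service principals on computer account CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com: 00002083: AtrErr: DSID-03151785, #1: 0: 00002083: DSID-03151785, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
 * Cleared old entries from keytab: FILE:/etc/krb5.keytab
"""

# Constructed LDIF, shaped like `ldapsearch -LLL -b DC=test,DC=com '(objectClass=computer)'
# dn servicePrincipalName`. OLDHOST01, FILESRV and FILESRV-OLD are invented objects.
LDIF = """\
dn: CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com

dn: CN=OLDHOST01,CN=Computers,DC=test,DC=com
servicePrincipalName: HOST/adtestrh6
servicePrincipalName: host/OLDHOST01
servicePrincipalName: RestrictedKrbHost/OLDHOST01

dn: CN=FILESRV,CN=Computers,DC=test,DC=com
servicePrincipalName: host/filesrv.test.com
servicePrincipalName: HOST/FILESRV

dn: CN=FILESRV-OLD,CN=Computers,DC=test,DC=com
servicePrincipalName: host/filesrv.test.com
"""

OWN_DN = "CN=ADTESTRH6,OU=Test Computers,DC=test,DC=com"

# Meaning of the AD "problem" names this script knows how to explain.
LDAP_PROBLEMS = {
    "ATT_OR_VALUE_EXISTS": "value already present in the directory "
                           "(LDAP attributeOrValueExists, Windows 0x2083)",
}

# "! <message> <DN>: <8 hex digits>: ... problem <n> (<NAME>) ... Att <n> (<attribute>)"
ERR_RE = re.compile(
    r"^\s*!\s+(?P<msg>.*?):\s+(?P<code>[0-9A-Fa-f]{8}):"
    r".*?problem\s+(?P<problem>\d+)\s+\((?P<name>[A-Z_]+)\)"
    r".*?Att\s+\d+\s+\((?P<attr>\w+)\)"
)


def parse_adcli_errors(log):
    """Extract and decode the '!' error lines from adcli verbose output."""
    errors = []
    for line in log.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue
        dn_m = re.search(r"computer account (.+)$", m["msg"])
        errors.append({
            "dn": dn_m.group(1) if dn_m else None,
            "code": int(m["code"], 16),
            "problem": int(m["problem"]),
            "name": m["name"],
            "attribute": m["attr"],
            "meaning": LDAP_PROBLEMS.get(m["name"], "unknown"),
        })
    return errors


def parse_ldif_spns(ldif):
    """Return {dn: [spn, ...]} from a minimal LDIF of dn and servicePrincipalName lines."""
    objects, dn = {}, None
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            dn = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
            objects.setdefault(dn, [])
        elif key.lower() == "serviceprincipalname" and dn is not None:
            objects[dn].append(value)
    return objects


def spn_holders(objects):
    """Map each SPN (lower-cased, since AD compares SPNs case-insensitively) to its holders."""
    holders = defaultdict(set)
    for dn, spns in objects.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return holders


def find_spn_conflicts(objects):
    """SPNs already held by more than one object: a pre-existing Kerberos ambiguity."""
    return {spn: sorted(dns) for spn, dns in spn_holders(objects).items() if len(dns) > 1}


def expected_join_spns(short_name, fqdn):
    """The four SPNs the keytab output above shows a join registering."""
    return [f"host/{short_name}", f"host/{fqdn}",
            f"RestrictedKrbHost/{short_name}", f"RestrictedKrbHost/{fqdn}"]


def preflight(own_dn, short_name, fqdn, objects):
    """SPNs the join would add that some *other* object already owns."""
    holders = spn_holders(objects)
    return {spn: sorted(holders.get(spn.lower(), set()) - {own_dn})
            for spn in expected_join_spns(short_name, fqdn)
            if holders.get(spn.lower(), set()) - {own_dn}}


if __name__ == "__main__":
    for err in parse_adcli_errors(ADCLI_LOG):
        print(f"adcli error on {err['dn']}: {err['attribute']} -> {err['name']}: {err['meaning']}")
    objects = parse_ldif_spns(LDIF)
    for spn, dns in find_spn_conflicts(objects).items():
        print(f"duplicate SPN {spn}: {', '.join(dns)}")
    for spn, dns in preflight(OWN_DN, "ADTESTRH6", "adtestrh6.test.com", objects).items():
        print(f"join would collide on {spn}, already held by {', '.join(dns)}")
```

Run against a real export, the preflight output names the object whose SPN has to be removed or reassigned before the join is retried; on a live directory the same search can be issued with ldapsearch, and the keytab written by adcli can be compared against the directory with `klist -k /etc/krb5.keytab`.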
