Error while configuring SSSD on SLES 12 to connect with AD

Hi,

I am working on configuring sssd on SLES 12 SP2 to connect with AD using the following doc

https://www.suse.com/support/kb/doc/?id=7022002

We have modified krb5.conf, smb.conf and /etc/hosts as mentioned in the doc; however, we are getting the following error when we try to join the domain:

net ads join -k

IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to lookup DC info for domain 'CPGGPC.CA' over rpc: Memory allocation error

I have tried various combinations of lower/upper case realm/server names, etc., but keep getting the same error. Please see the config below.

Would really appreciate any help in resolving this issue.

Configure /etc/krb5.conf

[libdefaults]

    default_realm = cpggpc.ca
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

[realms]
cpggpc.ca = {
    kdc = ip-w-00260-g5e.cpggpc.ca
    master_kdc = ip-w-00261-g5e.cpggpc.ca
    admin_server = ip-w-00261-g5e.cpggpc.ca
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
.ad.domain.com = cpggpc.ca
ad.domain.com = cpggpc.ca

Configure /etc/samba/smb.conf

[global]
workgroup = cpggpc.ca
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = cpggpc.ca
security = ADS
template homedir = /home/%u
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes

  • Configure /etc/hosts

10.237.90.16 ip-w-00260-g5e ip-w-00260-g5e.cpggpc.ca

  • Join the SLES 12 Server to the AD domain

kinit Administrator

net ads join -k

error when realm = cpggpc.ca (in smb.conf):
IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to lookup DC info for domain 'CPGGPC.CA' over rpc: Memory allocation error

error when realm = ip-w-00260-g5e.cpggpc.ca (in smb.conf):
IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to find DC for domain CPGGPC.CA


I would recommend you forget manual setup unless you really have to.
My colleagues tried to manually set up AD authentication and we ended up using YaST. I'm not a big fan of YaST, as I don't see what's going on (had to use AIDE), but for this task I would recommend that approach.
Check the SLES 12 Security Guide, especially section 4.2.

I have personally used YaST's 'User Logon Management' module and it works flawlessly.

zubairom,
I've submitted corrections to that KB doc but they haven't updated it. It looks like you're trying to do winbind, which is OK, but I prefer SSSD :) . Perhaps I can help with the join issue. YaST does a good enough job of it, but makes some configuration assumptions I prefer to avoid, so I usually just use the Samba utils to perform the join manually.

First I would correct the case issues in the following configuration files:

/etc/krb5.conf:

[libdefaults]
    default_realm = CPGGPC.CA
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

[realms]
# realm names are case-sensitive: this stanza must match default_realm exactly
CPGGPC.CA = {
    kdc = ip-w-00260-g5e.cpggpc.ca
    master_kdc = ip-w-00261-g5e.cpggpc.ca
    admin_server = ip-w-00261-g5e.cpggpc.ca
}

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .ad.domain.com = CPGGPC.CA
    ad.domain.com = CPGGPC.CA

/etc/samba/smb.conf:

[global]
workgroup = CPGGPC
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = CPGGPC.CA
security = ADS
template homedir = /home/%u
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes

Let us know if this helps,

– lawrence
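As an added example (my own script, not from the SUSE KB doc or from lawrence's post), here is a small pre-join check that tests the exact points the corrected configs above change: the Kerberos realm must be upper-case and identical in krb5.conf and smb.conf, the [realms] stanza must be named exactly like default_realm (it is what the client uses for the KDC when dns_lookup_kdc = false), and workgroup must be the NetBIOS domain name rather than the DNS name. The helper names (cfg_get, check_realm_config, run_demo) and the sample config files it writes to a temp directory are constructed for this example; the sample files mirror the original lower-case settings and lawrence's corrected ones.

```shell
#!/bin/bash
# Added example (not from the SUSE KB doc or this thread): pre-join sanity
# checks for the realm/workgroup settings that the corrected configs change.
# Sample krb5.conf/smb.conf files are constructed in a temp dir for the demo.

# cfg_get FILE KEY: value of the first "KEY = value" line in an INI-style
# file, trailing whitespace trimmed. Assumes the first match is the one
# wanted (true for the keys used here).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_realm_config KRB5_CONF SMB_CONF
# Prints each inconsistency found; returns 0 only when the two files agree
# with the corrected configs above (upper-case realm in both, a [realms]
# stanza named exactly like default_realm, NetBIOS-style workgroup).
check_realm_config() {
    local krb5="$1" smb="$2" rc=0
    local def_realm smb_realm workgroup
    def_realm=$(cfg_get "$krb5" default_realm)
    smb_realm=$(cfg_get "$smb" realm)
    workgroup=$(cfg_get "$smb" workgroup)

    # Kerberos realm names are case-sensitive; AD realms are upper-case.
    if [ "$def_realm" != "$(upper "$def_realm")" ]; then
        echo "krb5.conf: default_realm '$def_realm' is not upper-case"; rc=1
    fi
    if [ "$smb_realm" != "$(upper "$smb_realm")" ]; then
        echo "smb.conf: realm '$smb_realm' is not upper-case"; rc=1
    fi
    if [ "$def_realm" != "$smb_realm" ]; then
        echo "default_realm '$def_realm' and smb.conf realm '$smb_realm' differ"; rc=1
    fi
    # With dns_lookup_kdc = false the KDC comes from the [realms] stanza,
    # whose name must match default_realm exactly (also case-sensitive).
    if ! grep -q "^[[:space:]]*${def_realm}[[:space:]]*=[[:space:]]*{" "$krb5"; then
        echo "krb5.conf: no [realms] stanza named exactly '$def_realm'"; rc=1
    fi
    # workgroup is the NetBIOS domain name, not the DNS domain: no dots.
    case "$workgroup" in
        *.*) echo "smb.conf: workgroup '$workgroup' looks like a DNS name; use the NetBIOS name"; rc=1 ;;
    esac
    return $rc
}

# write_pair DIR REALM WORKGROUP: constructed sample config pair (not a
# real host's files); the KDC hostname is the one from the thread.
write_pair() {
    cat > "$1/krb5.conf" <<EOF
[libdefaults]
    default_realm = $2
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
$2 = {
    kdc = ip-w-00260-g5e.cpggpc.ca
}
EOF
    cat > "$1/smb.conf" <<EOF
[global]
workgroup = $3
realm = $2
security = ADS
EOF
}

# run_demo REALM WORKGROUP: check a constructed pair, clean up, return status.
run_demo() {
    local d rc=0
    d=$(mktemp -d)
    write_pair "$d" "$1" "$2"
    check_realm_config "$d/krb5.conf" "$d/smb.conf" || rc=1
    rm -rf "$d"
    return $rc
}

# Mirrors the thread: the original lower-case settings vs the corrected ones.
demo_broken() { run_demo cpggpc.ca cpggpc.ca; }
demo_fixed()  { run_demo CPGGPC.CA CPGGPC; }

echo "== original settings (realm cpggpc.ca, workgroup cpggpc.ca) =="
demo_broken || echo "result: problems found, fix before 'net ads join -k'"
echo "== corrected settings (realm CPGGPC.CA, workgroup CPGGPC) =="
demo_fixed && echo "result: consistent"
```

Run as-is to see the two results; on a real host, call check_realm_config /etc/krb5.conf /etc/samba/smb.conf instead of the demo functions. The script only catches the naming mismatches discussed in this thread, so a clean run is the point at which to retry kinit Administrator and net ads join -k; it does not diagnose the "Memory allocation error" text itself.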

zubairom,
Also, review the SUSE blog entry I published to get updated info out there for SUSE: the-sssd-active-directory-and-sles-12-and-15

– lawrence