Error while configuring SSSD on SLES 12 to connect with AD

zubairom · September 23, 2019, 3:48pm

Hi,

I am working on configuring sssd on SLES 12 SP2 to connect with AD using the following doc

https://www.suse.com/support/kb/doc/?id=7022002

We have modified krb5.conf , smb.conf and /etc/hosts as mentioned in the doc… however we are getting the following error when we try to join the domain

net ads join -k

IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to lookup DC info for domain ‘CPGGPC.CA’ over rpc: Memory allocation error

I have tried various combinations of lower /upper case realm / server names etc but keep getting the same error. Please see below the config

Would really appreciate any help in resolving this issue

Configure /etc/krb5.conf

[libdefaults]

    default_realm = cpggpc.ca
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

cpggpc.ca = {
kdc = ip-w-00260-g5e.cpggpc.ca
master_kdc = ip-w-00261-g5e.cpggpc.ca
admin_server = ip-w-00261-g5e.cpggpc.ca
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
.ad.domain.com = cpggpc.ca
ad.domain.com = cpggpc.ca

configure /etc/samba/smb.conf

Configure /etc/samba/smb.conf

[global]
workgroup = cpggpc.ca
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = cpggpc.ca
security = ADS
template homedir = /home/%u
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes

Configure /etc/hosts

10.237.90.16 ip-w-00260-g5e ip-w-00260-g5e.cpggpc.ca

Join the SLES 12 Server to the AD domain

kinit Administrator

net ads join -k

error when relam = cpggpc.ca (in smb.conf)
IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to lookup DC info for domain ‘CPGGPC.CA’ over rpc: Memory allocation error

error when realm = ip-w-00260-g5e.cpggpc.ca (in smb.conf)
IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to find DC for domain CPGGPC.CA

strahil-nikolov-dxc · September 23, 2019, 4:57pm

[QUOTE=zubairom;58489]Hi,

I am working on configuring sssd on SLES 12 SP2 to connect with AD using the following doc

https://www.suse.com/support/kb/doc/?id=7022002

We have modified krb5.conf , smb.conf and /etc/hosts as mentioned in the doc… however we are getting the following error when we try to join the domain

net ads join -k

IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to lookup DC info for domain ‘CPGGPC.CA’ over rpc: Memory allocation error

I have tried various combinations of lower /upper case realm / server names etc but keep getting the same error. Please see below the config

Would really appreciate any help in resolving this issue

Configure /etc/krb5.conf

[libdefaults]

    default_realm = cpggpc.ca
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

cpggpc.ca = {
kdc = ip-w-00260-g5e.cpggpc.ca
master_kdc = ip-w-00261-g5e.cpggpc.ca
admin_server = ip-w-00261-g5e.cpggpc.ca
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
.ad.domain.com = cpggpc.ca
ad.domain.com = cpggpc.ca

configure /etc/samba/smb.conf

Configure /etc/samba/smb.conf

[global]
workgroup = cpggpc.ca
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = cpggpc.ca
security = ADS
template homedir = /home/%u
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes

Configure /etc/hosts

10.237.90.16 ip-w-00260-g5e ip-w-00260-g5e.cpggpc.ca

Join the SLES 12 Server to the AD domain

kinit Administrator

net ads join -k

error when relam = cpggpc.ca (in smb.conf)
IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to lookup DC info for domain ‘CPGGPC.CA’ over rpc: Memory allocation error

error when realm = ip-w-00260-g5e.cpggpc.ca (in smb.conf)
IP-TD-03837-J5C:/etc/init.d # net ads join -k
Failed to join domain: failed to find DC for domain CPGGPC.CA[/QUOTE]

I would recommend you to forget manual setup unless you really have to.
My colleagues tried to manually setup AD authentication and we ended in using yast. I’m not a big fan of yast, as I don’t see what’s going on (had to use AIDE), but for this task I would recommend that approach.
Check the SLES 12 Security guide and especially the 4.2 section.

I have personally used yast’s ‘User Logon Management’ module and it works flawlessly.

Lawrence1 · November 27, 2019, 1:30pm

zubairom,
I’ve submitted corrections to that kb doc but they haven’t updated it. It looks like you’re trying to do winbind, which is OK, but I prefer the SSSD . Perhaps I can help with the join issue. YaST does a well enough job of it, but makes some configuration assumptions I prefer to avoid so I usually just use samba utils to perform the join manually.

First I would correct the case issues in the following configuration files:

/etc/krb5.conf:

[libdefaults]

default_realm = CPGGPC.CA
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false

cpggpc.ca = {
kdc = ip-w-00260-g5e.cpggpc.ca
master_kdc = ip-w-00261-g5e.cpggpc.ca
admin_server = ip-w-00261-g5e.cpggpc.ca
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICEAEMON

[domain_realm]
.ad.domain.com = CPGGPC.CA
ad.domain.com = CPGGPC.CA

/etc/samba/smb.conf

[global]
workgroup = CPGGPC
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = CPGGPC.CA
security = ADS
template homedir = /home/%u
template shell = /bin/bash
winbind refresh tickets = yes
winbind use default domain = yes
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes

Let us know if this helps,

– lawrence

Lawrence1 · November 27, 2019, 1:42pm

zubairom,
Also, review the SUSE blog entry I published to get updated info out there for SUSE: the-sssd-active-directory-and-sles-12-and-15

– lawrence

Topic		Replies	Views
SSSD Help! SLES Configure-Administer	3	252	November 9, 2015
SSSD AD enrollment fails SLES Configure-Administer	4	200	June 11, 2018
Failed to set machine kerberos encryption types: Insufficien SLES Configure-Administer	1	629	March 6, 2019
Samba with SSSD SLES Configure-Administer	4	330	April 26, 2018
SLES 12 AD Integration SLES Configure-Administer	1	227	October 17, 2018

Error while configuring SSSD on SLES 12 to connect with AD

Related topics