[Authentication] realmd on CentOS

Chris Gray fathed at gmail.com
Mon Feb 24 01:49:20 PST 2014


Well, that's handy to know, I'll have to read up on where I missed that
sssd does the machine password resets. I probably don't have that version
either, as I'm still on 1.9 in CentOS.

But, based on that, I decided to give adcli a try instead of msktutil.

adcli join --login-user=domain-admin --verbose --show-details \
  --os-name=CentOS --os-version=6.5 \
  --domain-ou='OU=Blah,OU=Blah2,OU=Blah3,OU=Blah4,OU=Blah5,DC=local,DC=parent,DC=organization,DC=corp'

Values changed of course.

I run into a SASL problem though. I'm assuming I'd need a new version.
(seems to be the trend)

 ! Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775

I can join it via msktutil after doing a kinit domain-admin, which implies
my krb5.conf and my ldap.conf are set up correctly (well, implies to me, if
you haven't used msktutil, then probably not so much).

Ignoring msktutil, ldapsearch works correctly.

ldapsearch -H ldaps://server.fqdn:636/ -Y GSSAPI -N \
  -b "dc=local,dc=parent,dc=organization,dc=corp" \
  "(&(objectClass=user)(sAMAccountName=domain-admin))"



Log:
 * Calculated domain name from host fqdn: local.parent.organization.corp
 * Calculated computer account name from fqdn: computername
 * Calculated domain realm from name: LOCAL.PARENT.ORGANIZATION.CORP
 * Discovering domain controllers: _ldap._tcp.local.parent.organization.corp
 * Sending cldap pings to domain controller: dc3.local.parent.organization.corp
 * Sending cldap pings to domain controller: dc2.local.parent.organization.corp
 * Sending cldap pings to domain controller: dc1.local.parent.organization.corp
 * Received NetLogon info from: DC3.local.parent.organization.corp
 * Received NetLogon info from: DC2.local.parent.organization.corp
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-7KxlKP/krb5.d/adcli-krb5-conf-x2C2NA
Password for domain-admin at LOCAL.PARENT.ORGANIZATION.CORP:
 * Authenticated as user: domain-admin at LOCAL.PARENT.ORGANIZATION.CORP
 ! Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775
adcli: couldn't connect to local.parent.organization.corp domain: Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775

Interestingly as well, I believe I should have received 3 messages for
NetLogon info... or maybe the issue is a problem with my DC1.

Thanks for any help,
Chris





On Sun, Feb 23, 2014 at 10:43 PM, Stef Walter <stefw at gnome.org> wrote:

> On 24.02.2014 07:18, Chris Gray wrote:
> > Has anyone been able to get realmd to work in CentOS 6.5? (or any
> > version for that matter)
> >
> > Seems to require a newer glib2 and automake than CentOS ships with.
> >
> > The basic reason I'm asking is due to people in the SSSD mailing list
> > telling me I should stop using msktutil and use realmd... which of
> > course is easier said than done.
> >
> > I did notice while searching the list for other people asking the same
> > question, that you guys have an adcli program. I was able to install
> > that via epel. I could use that to do the joining instead of msktutil,
> > but then without realmd, how would the machine password be reset before
> > it expires? It seems that until I can either figure out all the
> > dependencies for realmd on centos, I'm stuck with msktutil.
>
> realmd doesn't help reset the machine password. sssd does that in recent
> versions.
>
> realmd is just a wrapper for things like adcli, 'net join',
> ipa-client-install and so on. It also sets up sssd.conf. But you can do
> anything it can do with just adcli and sssd, and manual configuration.
>
> Stef
>



-- 
Intelligence is a matter of opinion.
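
Added example, not part of the original message and not adcli's own code: a small Python parser for the verbose join log above that lists domain controllers which were sent a cldap ping but never returned NetLogon info, and pulls out the SASL error separately from the earlier "Authenticated as user" step. The helper names `unwrap` and `summarize` are hypothetical, and the record-start prefixes used to undo the archive's line wrapping are an assumption based on the lines visible in this log.

```python
import re

# Constructed sample: lines from the verbose log in the message above, keeping
# the archive's mid-line wrapping (the "at" in the principal is as archived).
SAMPLE_LOG = """\
 * Sending cldap pings to domain controller:
dc3.local.parent.organization.corp
 * Sending cldap pings to domain controller:
dc2.local.parent.organization.corp
 * Sending cldap pings to domain controller:
dc1.local.parent.organization.corp
 * Received NetLogon info from: DC3.local.parent.organization.corp
 * Received NetLogon info from: DC2.local.parent.organization.corp
 * Authenticated as user: domain-admin at LOCAL.PARENT.ORGANIZATION.CORP
 ! Couldn't authenticate to active directory: SASL(-7): invalid parameter
supplied: Unable to find a callback: 32775
"""

RECORD_START = re.compile(r"^\s*[*!] |^adcli: |^Password for ")  # assumed prefixes
PING = re.compile(r"\* Sending cldap pings to domain controller:\s*(\S+)")
REPLY = re.compile(r"\* Received NetLogon info from:\s*(\S+)")
SASL = re.compile(r"^\s*! .*SASL\((-?\d+)\):\s*(.+)$")


def unwrap(log_text):
    """Rejoin wrapped lines: a line that starts no record continues the previous one."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def summarize(log_text):
    """Report DCs that were pinged but never answered, and any SASL errors."""
    pinged, replied, sasl_errors, user_ok = [], set(), [], False
    for rec in unwrap(log_text):
        if m := PING.search(rec):
            pinged.append(m.group(1).lower())  # DC names differ in case between lines
        elif m := REPLY.search(rec):
            replied.add(m.group(1).lower())
        elif "* Authenticated as user:" in rec:
            user_ok = True
        elif m := SASL.match(rec):
            sasl_errors.append((int(m.group(1)), m.group(2)))
    silent = [dc for dc in pinged if dc not in replied]
    return {"silent_dcs": silent, "user_authenticated": user_ok, "sasl_errors": sasl_errors}
```

On the sample, `summarize(SAMPLE_LOG)` reports dc1 as the only controller that was pinged without a NetLogon reply, and shows the SASL(-7) error occurring after the user authentication step had already succeeded.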