<div dir="ltr">AFAIK you don't need any of these options "<span style="font-size:12.8px;text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">--login-type user --login-user Administrator --stdin-password"</span> if you have a valid Kerberos ticket (check with klist)<div><br></div><div>The purpose with Kerberos is that you don't need to specify user or password.</div><div><br></div><div>Regards,</div><div>Niklas</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 20, 2018 at 4:40 PM, Simon May <span dir="ltr"><<a href="mailto:simon.may@uni-muenster.de" target="_blank">simon.may@uni-muenster.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello everyone,<br>
<br>
I hope this is the right place to ask questions like this. I’m trying to<br>
set up an Ubuntu 18.04 machine and join it to an Active Directory<br>
domain. On all other systems I’ve used, I could do<br>
<br>
# kinit -kt /path/to/keytab my_username<br>
# realm join <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a><br>
<br>
However, with Ubuntu 18.04, it seems that the realm command doesn’t see<br>
the Kerberos ticket:<br>
<br>
# kinit -kt /path/to/keytab my_username<br>
# realm join --verbose <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a><br>
* Resolving: _ldap._<a href="http://tcp.ad.example.com" rel="noreferrer" target="_blank">tcp.ad.example.com</a><br>
* Performing LDAP DSE lookup on: 10.A.B.150<br>
* Performing LDAP DSE lookup on: 10.C.D.131<br>
* Successfully discovered: <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a><br>
Password for Administrator:<br>
* Unconditionally checking packages<br>
* Resolving required packages<br>
* LANG=C /usr/sbin/adcli join --verbose --domain <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a><br>
--domain-realm <a href="http://AD.EXAMPLE.COM" rel="noreferrer" target="_blank">AD.EXAMPLE.COM</a> --domain-controller 10.A.B.150<br>
--login-type user --login-user Administrator --stdin-password<br>
* Using domain name: <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a><br>
* Calculated computer account name from fqdn: PCTEST<br>
* Using domain realm: <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a><br>
* Sending netlogon pings to domain controller: cldap://10.A.B.150<br>
* Received NetLogon info from: <a href="http://ADS2.ad.example.com" rel="noreferrer" target="_blank">ADS2.ad.example.com</a><br>
* Wrote out krb5.conf snippet to<br>
/var/cache/realmd/adcli-krb5-<wbr>liolnd/krb5.d/adcli-krb5-conf-<wbr>032njz<br>
! Couldn't authenticate as: <a href="mailto:Administrator@AD.EXAMPLE.COM">Administrator@AD.EXAMPLE.COM</a>:<br>
Preauthentication failed<br>
adcli: couldn't connect to <a href="http://ad.example.com" rel="noreferrer" target="_blank">ad.example.com</a> domain: Couldn't<br>
authenticate as: <a href="mailto:Administrator@AD.EXAMPLE.COM">Administrator@AD.EXAMPLE.COM</a>: Preauthentication failed<br>
! Failed to join the domain<br>
<br>
What could be happening here?<br>
<br>
(I previously asked this question on <a href="http://superuser.com" rel="noreferrer" target="_blank">superuser.com</a><br>
<<a href="https://superuser.com/q/1338100" rel="noreferrer" target="_blank">https://superuser.com/q/<wbr>1338100</a>>, but unfortunately didn’t get any<br>
reaction.)<br>
<br>
<br>
Best wishes,<br>
Simon<br>
<br>
<br>______________________________<wbr>_________________<br>
Authentication mailing list<br>
<a href="mailto:Authentication@lists.freedesktop.org">Authentication@lists.<wbr>freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/authentication" rel="noreferrer" target="_blank">https://lists.freedesktop.org/<wbr>mailman/listinfo/<wbr>authentication</a><br>
<br></blockquote></div><br></div>