SSSD Realm Join

virtualbitz

Member
Nov 6, 2020
39
5
13
33
I used this procedure on a host I had built back in 2020 running 6.2 without issue. On My new host running 8.0.3 I'm getting the following error. I haven't been able to find much in the way of searching the web.

The DC it's authenticating against is Windows 2016 with a 2016 functional level.


Code:
root@host:~# realm join -v --user admin@DOMAIN.LOCAL DOMAIN.LOCAL
 * Resolving: _ldap._tcp.DOMAIN.LOCAL
 * Performing LDAP DSE lookup on: 192.168.2.31
 * Performing LDAP DSE lookup on: 192.168.2.32
 * Successfully discovered: DOMAIN.LOCAL
Password for admin@DOMAIN.LOCAL:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain DOMAIN.LOCAL --domain-realm DOMAIN.LOCAL --domain-controller 192.168.2.31 --login-type user --login-user admin@DOMAIN.LOCAL --stdin-password
 * Using domain name: DOMAIN.LOCAL
 * Calculated computer account name from fqdn: host
 * Using domain realm: DOMAIN.LOCAL
 * Sending NetLogon ping to domain controller: 192.168.2.31
 * Received NetLogon info from: DC.DOMAIN.LOCAL
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-xjaM94/krb5.d/adcli-krb5-conf-0KQV4k
 * Authenticated as user: admin@DOMAIN.LOCAL
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to DOMAIN.LOCAL domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
root@host:~#
 
  • Like
Reactions: SandBox_Astronaut
Just moments later I managed to resolve this a post i found via page 3 of duckduckgo.

I had to add

Code:
rdns=false

to

Code:
[libdefaults]

in /etc/krb5.conf

I had an old rDNS mismatch with the hostname of the domain controller, so turning on this switch fixed it. Reverse DNS being configured correctly would likely have fixed it was well.
 
  • Like
Reactions: UdoB

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!