[Samba] Can't join Linux host to AD - "Improper format of Kerberos configuration file"
andreas.habel at uis.no
Tue Jun 11 13:05:03 UTC 2019
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via
> Sent: 11. juni 2019 14:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Can't join Linux host to AD - "Improper format of
> Kerberos configuration file"
> On 11/06/2019 13:41, Andreas Habel via samba wrote:
> > Hi,
> > when trying to add a Linux host (CentOS7) that is supposed to act as a
> > file server to AD I get:
> > # net ads join -U administrator
> > Enter administrator's password:
> > kerberos_kinit_password administrator at IERLAB.UX.UIS.NO failed: Improper format of Kerberos configuration file
> > Failed to join domain: failed to connect to AD: Improper format of Kerberos configuration file
> > Here's my krb5.conf (it looks the same on the DC and client):
> > [libdefaults]
> > default_realm = IERLAB.UX.UIS.NO
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> That looks okay, I take it that is /etc/krb5.conf?
> > Here's the output of a couple of Kerberos-related commands (executed on
> > the DC):
> > # host -t SRV _kerberos._udp.ierlab.ux.uis.no
> > _kerberos._udp.ierlab.ux.uis.no has SRV record 0 100 88
> > # kinit administrator
> > Password for administrator at IERLAB.UX.UIS.NO:
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administrator at IERLAB.UX.UIS.NO
> > Valid starting Expires Service principal
> > 06/11/2019 14:00:34 06/12/2019 00:00:34 krbtgt/IERLAB.UX.UIS.NO at IERLAB.UX.UIS.NO
> > renew until 06/12/2019 14:00:30
> > From other threads on this list I learned that there could be a
> > kdc.conf file; however, I can't find such a file on my DC.
> No, you shouldn't have that file.
> > So any help with the Kerberos configuration would be appreciated.
> > Andreas
> Let's start with you posting the smb.conf file from the machine that will
> not join.
security = ADS
workgroup = IERLAB
realm = IERLAB.UX.UIS.NO
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the IERLAB domain
idmap config IERLAB:backend = ad
idmap config IERLAB:schema_mode = rfc2307
idmap config IERLAB:range = 10000-999999
idmap config IERLAB:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U