Re: [PacketFence-users] Cant Connect to AD - Failed to join domain: failed to connect to AD: Client not found in Kerberos database

[Matthew Knott via PacketFence-users]

Hi Fabrice


              Yep,   I'm doing the wbinfo -u  in /chroots/JBSAD/bin  which 
works.

Read through that Forum post (thanks for that) and tried using the FQDN, the 
UPN and just the plain username.

Same result.

The account I'm trying to use to Join the Server to the main is the same one 
that I tried on the Command line of the box, I.E.


[root@auqldrv00nac1ai logs]# ntlm_auth --username=mkxxxx.adm
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)

Which, as you can see,  also is successful.  I checked AD Suers and Computers 
and the Machine account Exists aswell :)
Really Weird :)

Matthew







Matthew Knott
IT Network & Security Administrator
E. matthew.kn...@jbssa.com.au<mailto:matthew.kn...@jbssa.com.au>

[JBS Australia]<http://www.jbssa.com.au/>
T.      07 3810 2269
M.      0477733185
F.      07 3816 0535




JBS Australia
1 Lock Way, Riverview QLD 4303
P.O. Box 139 Booval Qld 4304


jbssa.com.au<http://www.jbssa.com.au/>  .  
LinkedIn<https://www.linkedin.com/company/jbs-australia>

From: Fabrice Durand via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Thursday, 7 June 2018 12:02 AM
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Cant Connect to AD - Failed to join domain: 
failed to connect to AD: Client not found in Kerberos database


Hello Matthew,

are you doing wbinfo in the chroot ? (chroot /chroots/...)

Also (Error binding '80090308: LdapErr: DSID-0C0903D9, comment: 
AcceptSecurityContext error, data 52e, v2580) looks to be an error related to 
"Invalid credentials". 
https://social.technet.microsoft.com/Forums/ie/en-US/474abb8f-cfc6-4cac-af79-c3e80e80291f/ldap-authentication-error-ldap-error-code-49-80090308-ldaperr-dsid0c090334-comment?forum=winserverDS<https://urldefense.proofpoint.com/v2/url?u=https-3A__social.technet.microsoft.com_Forums_ie_en-2DUS_474abb8f-2Dcfc6-2D4cac-2Daf79-2Dc3e80e80291f_ldap-2Dauthentication-2Derror-2Dldap-2Derror-2Dcode-2D49-2D80090308-2Dldaperr-2Ddsid0c090334-2Dcomment-3Fforum-3DwinserverDS&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=jND2NwNEticSqRud7id7txJ-UyGwd4sgToCyYqd78CI&e=>

Regards

Fabrice



Le 2018-06-05 à 01:50, Matthew Knott via PacketFence-users a écrit :
Hi,

Hoping someone can help be with this Error.

When trying to Connect to a Windows 2008R2 Level Domain, I receive this Error 
in the Web GUI.

Failed to join domain: failed to connect to AD: Client not found in Kerberos 
database

And can see the Following in the Packetfence.log

Jun  5 05:32:48 auqldrv00nac1ai packetfence_httpd.aaa: httpd.aaa(13719) INFO: 
[mac:00:04:f2:86:1e:a6] Password validation failed for cisco: passwords don't 
match (pf::password::validate_password)
Jun  5 05:32:48 auqldrv00nac1ai packetfence_httpd.aaa: httpd.aaa(13719) ERROR: 
[mac:00:04:f2:86:1e:a6] Error binding '80090308: LdapErr: DSID-0C0903D9, 
comment: AcceptSecurityContext error, data 52e, v2580
Jun  5 05:32:48 auqldrv00nac1ai packetfence_httpd.aaa: httpd.aaa(13719) WARN: 
[mac:00:04:f2:86:1e:a6] [JBSAD] Unable to connect to ldap.jbssa.com.au 
(pf::Authentication::Source::LDAPSource::_connect)
Jun  5 05:32:48 auqldrv00nac1ai packetfence_httpd.aaa: httpd.aaa(13719) ERROR: 
[mac:00:04:f2:86:1e:a6] [JBSAD] Unable to connect to any LDAP server 
(pf::Authentication::Source::LDAPSource::_connect)
Jun  5 05:32:48 auqldrv00nac1ai packetfence_httpd.aaa: httpd.aaa(13719) ERROR: 
[mac:00:04:f2:86:1e:a6] unable to read password file 
'/usr/local/pf/conf/admin.conf' 
(pf::Authentication::Source::HtpasswdSource::authenticate)

Looking in the log.winbind file in /chroots/JBXAD/var/log/sambaJBXAD I can see 
the Following

[2018/05/31 06:22:43.266435,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2018/05/31 06:22:43.409235,  0] 
../source3/librpc/crypto/gse.c:214(gse_context_init)
  Failed to initialize kerberos context! (Included profile directory could not 
be read)
[2018/05/31 22:23:12.606100,  0] 
../source3/winbindd/winbindd.c:281(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2018/05/31 22:23:12.607356,  0] 
../source3/winbindd/winbindd.c:281(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)

Wbinfo -u  returns a list of users

ntlm_auth --username=mkxxxx.adm
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)


Also Works.
NTP is in Sync

Yet I still can't perform 802.1x Auth nor can I Use AD as a Authentication 
Source.

Anyone have any Idea's????

Thanks
In advance

Matthew




Matthew Knott

IT Network & Security Administrator

E. matthew.kn...@jbssa.com.au<mailto:matthew.kn...@jbssa.com.au>



[JBS Australia]<http://www.jbssa.com.au/>



T.

07 3810 2269

M.

0477733185

F.

07 3816 0535








JBS Australia

1 Lock Way, Riverview QLD 4303

P.O. Box 139 Booval Qld 4304





jbssa.com.au<http://www.jbssa.com.au/>  .  
LinkedIn<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_jbs-2Daustralia&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=EojMqsDHQYR6-PMUU4XnpI5DZBhjbyYVMqjiAUMuqs8&e=>


________________________________

Important Notice:

The contents of this electronic message and any attachments are intended only 
for the addressee and may contain legally privileged or confidential 
information. They may be only used for the purposes for which they were 
supplied. If you are not the addressee, you are notified that any transmission, 
distribution, downloading, printing or photocopying of the contents of this 
message or attachments is strictly prohibited. Any privilege and/or 
confidentiality attached to this message and attachments is not waived, lost or 
destroyed by reason of mistaken delivery to you. If you have received this 
message in error you should notify the sender by return e-mail or telephone +61 
7 3810 2100, and destroy all copies of the message and any attachments.




------------------------------------------------------------------------------

Check out the vibrant tech community on one of the world's most

engaging tech sites, Slashdot.org! 
http://sdm.link/slashdot<https://urldefense.proofpoint.com/v2/url?u=http-3A__sdm.link_slashdot&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=MjXenTeV3WQuNhhH7tJLD3Jof720mjGKt3xvCyGF_7c&e=>




_______________________________________________

PacketFence-users mailing list

PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>

https://lists.sourceforge.net/lists/listinfo/packetfence-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_packetfence-2Dusers&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=IAStPWN4xVKZDm6jAn1Mj_6c192Zg3aP2m5tGM2AE0E&e=>



--

Fabrice Durand

fdur...@inverse.ca<mailto:fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  
www.inverse.ca<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.inverse.ca&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=AHKSIponcTq49NMHj3Jh0wN_BfJHkrWDkoWLnLaY3p8&e=>

Inverse inc. :: Leaders behind SOGo 
(http://www.sogo.nu<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.sogo.nu&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=p4CKJRlanNMYL3rwhMX6u8uSv7ah3U5YmHd7VbW45CQ&e=>)
 and PacketFence 
(http://packetfence.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__packetfence.org&d=DwMD-g&c=jqwZe_OwGxSy4yeji7eFFqcsG878Cbd3UT_ajroT5ho&r=iKyh1_LIxSAp0ekUXDh5LZq2hvWIOLBx4lDTG_VdVHY&m=zgo8pwWfpN456rUhXlld0xyyCJWBePm775XbP7kaEKM&s=lIuMvnGN3bDpzL4APp-4s3Cxa1n5xg2CQqDTDYZVCug&e=>)

________________________________

Important Notice:

The contents of this electronic message and any attachments are intended only 
for the addressee and may contain legally privileged or confidential 
information. They may be only used for the purposes for which they were 
supplied. If you are not the addressee, you are notified that any transmission, 
distribution, downloading, printing or photocopying of the contents of this 
message or attachments is strictly prohibited. Any privilege and/or 
confidentiality attached to this message and attachments is not waived, lost or 
destroyed by reason of mistaken delivery to you. If you have received this 
message in error you should notify the sender by return e-mail or telephone +61 
7 3810 2100, and destroy all copies of the message and any attachments.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users