Public bug reported:

I want to integrate Ubuntu with the Active Directory server. I am using `realm` to join, but the Active Directory server has port `368` blocked, so I use the option `--use-ldaps` to join Active Directory via LDAP over SSL, but I'm getting this issue:
```
thaitran@ubuntu20:~$ sudo realm join adserver.local -U Administrator@ADSERVER.LOCAL --use-ldaps -v --client-software=sssd
 * Resolving: _ldap._tcp.adserver.local
 * Resolving: adserver.local
 * Performing LDAP DSE lookup on: 192.168.79.250
 * Successfully discovered: adserver.local
Password for Administrator@ADSERVER.LOCAL:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain adserver.local --domain-realm ADSERVER.LOCAL --use-ldaps --domain-controller 192.168.79.250 --login-type user --login-user Administrator@ADSERVER.LOCAL --stdin-password
 * Using domain name: adserver.local
 * Calculated computer account name from fqdn: UBUNTU20
 * Using domain realm: adserver.local
 * Sending NetLogon ping to domain controller: 192.168.79.250
 ! Couldn't perform discovery search: Can't contact LDAP server
 * Using LDAPS to connect to 192.168.79.250
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-hjjVZz/krb5.d/adcli-krb5-conf-2hmmET
 * Authenticated as user: Administrator@ADSERVER.LOCAL
 * Using GSSAPI for SASL bind
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to adserver.local domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
```

`/etc/ldap/ldap.conf`

```
thaitran@ubuntu20:~$ cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=adserver,dc=local
#wURI   ldaps://adserver.local:636

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never

# TLS certificates (needed for GnuTLS)
TLS_CACERT  /home/thaitran/Desktop/win-ad2019-ldaps.pem
TLS_REQCERT nerver
```

** Affects: realmd (Ubuntu)
     Importance: Undecided
         Status: New


-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961865

Title:
  Cannot Join Active Directory from Ubuntu 2021.4 via Realm with option
  --use-ldaps



-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
