Public bug reported:

I want to integrate Ubuntu with the Active Directory server. I am using `realm` to join, but the Active Directory server has port `368` blocked, so I use the option `--use-ldaps` to join Active Directory via LDAP SSL, but I'm getting the issue:

```
thaitran@ubuntu20:~$ sudo realm join adserver.local -U Administrator@ADSERVER.LOCAL --use-ldaps -v --client-software=sssd
 * Resolving: _ldap._tcp.adserver.local
 * Resolving: adserver.local
 * Performing LDAP DSE lookup on: 192.168.79.250
 * Successfully discovered: adserver.local
Password for Administrator@ADSERVER.LOCAL:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain adserver.local --domain-realm ADSERVER.LOCAL --use-ldaps --domain-controller 192.168.79.250 --login-type user --login-user Administrator@ADSERVER.LOCAL --stdin-password
 * Using domain name: adserver.local
 * Calculated computer account name from fqdn: UBUNTU20
 * Using domain realm: adserver.local
 * Sending NetLogon ping to domain controller: 192.168.79.250
 ! Couldn't perform discovery search: Can't contact LDAP server
 * Using LDAPS to connect to 192.168.79.250
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-hjjVZz/krb5.d/adcli-krb5-conf-2hmmET
 * Authenticated as user: Administrator@ADSERVER.LOCAL
 * Using GSSAPI for SASL bind
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to adserver.local domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
```

`/etc/ldap/ldap.conf`

```
thaitran@ubuntu20:~$ cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=adserver,dc=local
#wURI	ldaps://adserver.local:636

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/home/thaitran/Desktop/win-ad2019-ldaps.pem
TLS_REQCERT nerver
```

** Affects: realmd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1961865

Title:
  Cannot Join Active Directory from Ubuntu 2021.4 via Realm with option --use-ldaps

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/realmd/+bug/1961865/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
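The report above shows two independent things a practitioner would check before blaming realmd: the `/etc/ldap/ldap.conf` line `TLS_REQCERT nerver` is not a value ldap.conf(5) accepts (the accepted values are never, allow, try, demand and hard, and only `try`, `demand` and `hard` reject a bad server certificate), and the GSSAPI failure "Server not found in Kerberos database" means the KDC has no `ldap/<name>` service principal for the name the client bound with. The following POSIX shell helper is an added example, not part of the bug report, realmd or adcli; it wraps standard tools (`awk`, `openssl`, `kvno`). The host name, IP and CA file path are taken from the report; the DC FQDN `dc01.adserver.local` in the usage comment is a placeholder, and the sample config it writes is constructed for the offline check, not the reporter's file.

```shell
#!/bin/sh
# Added diagnostic helper for an LDAPS/GSSAPI domain-join failure.
# Not part of realmd/adcli; host, IP and CA path come from the bug report,
# everything else is an assumption made for this example.

# TLS_REQCERT values that ldap.conf(5) accepts.
reqcert_valid() {
    case "$1" in
        never|allow|try|demand|hard) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective TLS_REQCERT value from an ldap.conf-style file
# (last uncommented occurrence wins; empty output if it is not set).
reqcert_from_conf() {
    awk 'toupper($1) == "TLS_REQCERT" { v = $2 } END { print v }' "$1"
}

# Audit one ldap.conf.  Return codes:
#   0  server certificate is verified (unset defaults to "demand", or try/demand/hard)
#   1  value is not one ldap.conf(5) accepts (the "nerver" case from the report)
#   2  verification is switched off or bad certificates are ignored (never/allow)
audit_ldap_conf() {
    v=$(reqcert_from_conf "$1")
    case "$v" in
        "")              echo "TLS_REQCERT unset: default is demand, certificate is verified"; return 0 ;;
        try|demand|hard) echo "TLS_REQCERT $v: a bad server certificate is rejected"; return 0 ;;
        never|allow)     echo "TLS_REQCERT $v: server certificate is NOT enforced"; return 2 ;;
        *)               echo "TLS_REQCERT '$v' is not a value ldap.conf(5) accepts"; return 1 ;;
    esac
}

# Online check 1: does the DC's LDAPS certificate chain to the CA file and
# carry the name we connect with?  Use the DC's DNS name, not its IP, so the
# hostname check is meaningful.
ldaps_cert_ok() { # dc_fqdn cafile
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error -verify_hostname "$1" </dev/null >/dev/null 2>&1
}

# Online check 2: "Server not found in Kerberos database" means the KDC has no
# ldap/<name> principal for the name used in the bind.  AD registers
# ldap/<DC FQDN>, so request exactly that ticket (needs a TGT from kinit first).
ldap_spn_ok() { # dc_fqdn
    kvno "ldap/$1" >/dev/null 2>&1
}

# Constructed sample with the same TLS lines as the report, so the audit can
# be exercised without touching the real /etc/ldap/ldap.conf.
write_sample_conf() { # path
    printf 'TLS_CACERT\t/home/thaitran/Desktop/win-ad2019-ldaps.pem\nTLS_REQCERT nerver\n' > "$1"
}

# Usage (the two online steps need network access to the DC):
#   write_sample_conf /tmp/ldap.conf.sample && audit_ldap_conf /tmp/ldap.conf.sample
#   ldaps_cert_ok adserver.local /home/thaitran/Desktop/win-ad2019-ldaps.pem
#   kinit Administrator@ADSERVER.LOCAL && ldap_spn_ok dc01.adserver.local   # placeholder FQDN
```

Run the offline audit first: an unaccepted `TLS_REQCERT` value is a one-line fix, and if the cert check then fails against the CA file, that is the LDAPS problem to solve before looking at Kerberos. If the cert check passes but `kvno ldap/<DC FQDN>` fails, the issue is on the Kerberos side (realm, name resolution of the DC, or the SPN), not TLS.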