18.04 - Joining AD problems
After a fresh install and update && upgrade, I have followed this guide to add the machine to our AD infrastructure, but after basic configuration realm join -v [domain] returns

! Can't contact LDAP server
realm: No such realm found

So I fired up a CentOS minimal VM and was able to register the machine through that. Cross-referencing the two outputs, I noticed that on Ubuntu the same realm command is querying the wrong IP when looking up the LDAP server, but I did not find any info on how to change that parameter in config files or through man realm.

So I tried ldapsearch -h [server IP], manually specifying the server, and this was returned:

ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))

which should not be an issue, since the same result is given by the CentOS VM, despite it joining successfully. So I copied over the config files krb5.conf, sssd.conf and realmd.conf from the CentOS machine (after a backup), but the same original error was given.

I believe that the wrong LDAP DSE lookup is the issue, but I cannot find the parameter to change anywhere.

Thank you for all your help.

The AD server runs Windows Server 2016.
Providing .conf files below:

krb5.conf

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
rdns = false

[realms]
MYDOMAIN.COM = {
kdc = server.mydomain.com
admin_server = server.mydomain.com
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

sssd.conf

[sssd]
services = nss, pam
domains = mydomain.com
config_file_version = 2

[domain/mydomain.com]
id_provider = ad
access_provider = ad
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

realmd.conf

[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[active-directory]
default-client = sssd
os-name = Ubuntu
os-version = 18.04

[service]
automatic-install = no

[mydomain.com]
fully-qualified-names = yes
automatic-id-mapping = no
user-principal = yes
manage-system = yes
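An added diagnostic, not part of the question or of the answer below. realmd locates the LDAP server through the _ldap._tcp.dc._msdcs.<domain> SRV records served by whatever /etc/resolv.conf points at, so when a join reports "Can't contact LDAP server" or discovery names an unexpected IP, the resolver and those records are the first things to verify. The GSSAPI error from ldapsearch is separate: -Y GSSAPI needs a ticket (kinit) first, whereas a base-scope rootDSE read works against AD without a bind, which is why the reachability test below uses -x. The SRV and resolv.conf samples are constructed so the parsing runs offline; with --live the script runs the real dig, nc and ldapsearch against the domain you pass. mydomain.com and the dc* host names are placeholders.

```shell
#!/bin/sh
# Added pre-join diagnostic (not from the original post). Placeholders:
# mydomain.com and the dc*.mydomain.com hosts. Sample data below is constructed.

# Parse `dig +short SRV` output ("priority weight port target.") into
# "target:port" lines, best candidate first (lowest priority, then highest weight).
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4 ":" $3 }' \
        | sort -k1,1n -k2,2nr \
        | awk '{ print $3 }'
}

# List the nameservers of a resolv.conf read from stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 if the resolver is the systemd-resolved stub (127.0.0.53). In that case
# the SRV answer depends on the upstream servers resolved forwards to, which
# `systemd-resolve --status` shows on 18.04, not resolv.conf itself.
uses_resolved_stub() {
    nameservers | grep -qxF '127.0.0.53'
}

# Constructed samples so the parsing can be exercised offline.
SAMPLE_SRV='0 100 389 dc1.mydomain.com.
0 50 389 dc2.mydomain.com.
10 100 389 dc-branch.mydomain.com.'

SAMPLE_RESOLV='# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
search mydomain.com'

# Live checks: need the network plus dig, nc and ldapsearch (dnsutils,
# netcat-openbsd, ldap-utils). Run with: sh check-ad-dns.sh --live mydomain.com
live_check() {
    domain="$1"
    echo "== resolvers in /etc/resolv.conf"
    nameservers < /etc/resolv.conf
    if uses_resolved_stub < /etc/resolv.conf; then
        echo "   (stub resolver; see upstream with: systemd-resolve --status)"
    fi
    echo "== domain controllers advertised for $domain"
    dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets
    dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets | head -n 1 | cut -d: -f1)
    [ -n "$dc" ] || { echo "no SRV record: this resolver does not serve the AD zone"; return 1; }
    echo "== $dc: TCP 389 (LDAP) and 88 (Kerberos), then an anonymous rootDSE read"
    nc -z -w 3 "$dc" 389 && nc -z -w 3 "$dc" 88
    # AD answers a base-scope rootDSE query without a bind, so this works before
    # any Kerberos ticket exists; -Y GSSAPI is the variant that needs kinit first.
    ldapsearch -x -H "ldap://$dc" -s base -b '' defaultNamingContext
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-mydomain.com}"
else
    # No arguments: show the parse of the constructed sample.
    printf '%s\n' "$SAMPLE_SRV" | srv_targets
fi
```

If the live run returns no SRV records, or returns a DC that is not the one realm discovery printed, fix the resolver before touching krb5.conf or sssd.conf; if the records are right but port 88 or 389 is closed, the problem is a firewall between the client and that DC rather than configuration.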
networking 18.04 ldap

asked Jan 15 at 12:14 by Habardeen
edited Feb 13 at 11:25 by Habardeen

1 Answer
Providing my own solution as a full guide.

DISCLAIMER: I collated different answers on this site and added my own bits. I am also assuming su privileges throughout the guide.

Join AD network with Ubuntu 18.04

0) Make sure that the /etc/hosts and /etc/hostname files contain addresses and names in accordance with the credentials provided by your domain admin. Also install the following packages:

apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin

Note: when you install Kerberos, a prompt to enter your realm and domain names is given. Follow through, but leave fields empty if you do not know some bits.

1) Disable systemd-resolved

$ systemctl disable systemd-resolved.service
$ systemctl stop systemd-resolved

Note: this is the way I have found, but it might not be ideal for you to disable systemd-resolved.

2) Add the following to /etc/NetworkManager/NetworkManager.conf in the [main] section:

dns=default

3) Remove the symlink /etc/resolv.conf. It will be recreated with the correct values.

4) Restart the network service and add the dnsmasq package:

$ service network-manager restart
$ apt install dnsmasq

5) In /etc/nsswitch.conf replace the hosts line with this:

hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4

Note: if you have problems, try this line instead: hosts: files dns myhostname

6) Add the following to /etc/krb5.conf. It is case-sensitive, so watch out. Also remove everything else (back up the default first: $ cp /etc/krb5.conf /etc/krb5.conf.bak). If a section is not there, add it yourself:

[libdefaults]
default_realm = YOUR.REALM.NAME
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = KEYRING:persistent:%{uid}
rdns = false

[realms]
YOUR.REALM.NAME = {
kdc = your.realm.name
admin_server = your.realm.name
}

[domain_realm]
your.realm.name = YOUR.REALM.NAME
.your.realm.name = YOUR.REALM.NAME

Note: forcing lookups off greatly helps for debugging, and generally I have found it really useful to see what is going on, contrary to basically all other guides on the topic. Also, the reverse DNS line rdns might be relevant only to my network setup, so try a value of true if some problem happens.

7) Check that /etc/sssd/sssd.conf includes the following. The same guidelines and restrictions as in point 6) apply. Some values might already be set:

[sssd]
domains = your.domain.name

[domain/your.domain.name]
ad_domain = your.domain.name
krb5_realm = YOUR.DOMAIN.NAME
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

8) Reboot

9) Join your domain (needs admin credentials; you will be asked for the admin password):

$ realm join -v --user=[admin_username] your.realm.name

Note: the -v flag for verbose is basically essential to see what could go wrong. At this point, if you actually pass the discovery step (always the first step of the join command), you will have some pretty detailed errors to follow if something happens, and the worst should be gone.

Good luck!
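An added example, not code from the answer above. Steps 6 and 7 hand-write the realm and domain in several spellings, and sssd only starts when every name in the [sssd] domains list has a [domain/<name>] section spelled exactly the same way, so the script below renders both files from one domain name and checks an existing sssd.conf for that mismatch and for a krb5_realm that is not the domain upper-cased. The placeholder domain, the optional KDC host name passed as the second argument, and the assumption that the Kerberos realm is the AD DNS domain in upper case (the AD default) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Renders the krb5.conf and
# sssd.conf of steps 6 and 7 from one domain name so realm and domain spellings
# stay consistent, and checks an sssd.conf for the [sssd] domains / [domain/...]
# mismatch. Domain names and the optional KDC host are placeholders.

# AD realm name is the DNS domain in upper case (assumed, as AD sets it by default).
realm_of() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# krb5.conf as in step 6; the KDC defaults to the domain name itself, which in
# AD resolves to the domain controllers.
render_krb5_conf() {
    domain="$1"; realm=$(realm_of "$domain"); kdc="${2:-$domain}"
    cat <<EOF
[libdefaults]
default_realm = $realm
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = KEYRING:persistent:%{uid}
rdns = false

[realms]
$realm = {
kdc = $kdc
admin_server = $kdc
}

[domain_realm]
$domain = $realm
.$domain = $realm
EOF
}

# sssd.conf as in step 7, with the domain section named exactly as listed in
# [sssd] domains, which is what sssd requires.
render_sssd_conf() {
    domain="$1"; realm=$(realm_of "$domain")
    cat <<EOF
[sssd]
domains = $domain
config_file_version = 2
services = nss, pam

[domain/$domain]
ad_domain = $domain
krb5_realm = $realm
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
}

# Read an sssd.conf on stdin and report two common slips: a name in "domains ="
# with no matching [domain/<name>] section, and a krb5_realm that is not the
# section's domain upper-cased. Exit status 0 means nothing was found.
check_sssd_conf() {
    conf=$(cat); rc=0
    listed=$(printf '%s\n' "$conf" \
        | awk -F= '/^[[:space:]]*domains[[:space:]]*=/ { gsub(/[[:space:],]+/, " ", $2); print $2 }')
    for d in $listed; do
        if ! printf '%s\n' "$conf" | grep -qxF "[domain/$d]"; then
            echo "domains lists '$d' but there is no [domain/$d] section"; rc=1
        fi
    done
    realm_problems=$(printf '%s\n' "$conf" | awk -F= '
        /^\[domain\// { sec = $0; sub(/^\[domain\//, "", sec); sub(/].*$/, "", sec) }
        /^[[:space:]]*krb5_realm[[:space:]]*=/ {
            r = $2; gsub(/[[:space:]]/, "", r)
            if (r != toupper(sec)) print "krb5_realm " r " in [domain/" sec "] is not " toupper(sec)
        }')
    if [ -n "$realm_problems" ]; then echo "$realm_problems"; rc=1; fi
    return $rc
}

if [ $# -gt 0 ]; then
    render_krb5_conf "$1" "${2:-}"
    echo
    render_sssd_conf "$1"
else
    # No arguments: self-check the rendered sample against the validator.
    render_sssd_conf mydomain.com | check_sssd_conf && echo "rendered sssd.conf is consistent"
fi
```

Run it as sh render-ad-conf.sh mydomain.com server.mydomain.com, review the output, then copy the two parts into /etc/krb5.conf and /etc/sssd/sssd.conf; sssd.conf must be owned by root with mode 0600 or sssd refuses to start. For step 9, realm join accepts any account allowed to create the computer object, so a delegated join account restricted to the target OU (passed with --computer-ou) is preferable to a Domain Admin, since that password is typed on the client being joined.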

























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109923%2f18-04-joining-ad-problems%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Providing my own solution as a full guide.



            DISCLAIMER: I collated different answers on this site and added my own bits. I am also assuming su privileges throughout the guide.



            Join AD network with Ubuntu 18.04



            0) Make sure that /etc/hosts and /etc/hostname files contain addresses and names according with your credentials provided by your domain admin. Also install the following packages:



            apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin


            Note: When you install kerberos a prompt to insert your realm and domain names is given. Follow through, but leave empty if you do not know some bits.



            1) Disable systemd-resolved



            $ systemctl disable systemd-resolved.service
            $ systemctl stop systemd-resolved


            Note: this is the way I have found but it might be not ideal for you to disable systemd-resolved.



            2) Add the following to /etc/NetworkManager/NetworkManager.conf in the [main] section:



            dns=default


            3) Remove the symlink /etc/resolv.conf. It will be recreated with the correct values.



            4) Restart network service and add dnsmasq package:



            $ service network-manager restart
            $ apt install dnsmasq


            5) In /etc/nsswitch.conf replace hosts line with this:



            hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4


            Note: If you have problems, try this line instead hosts: files dns myhostname.



            6) Add the following to /etc/krb5.conf. It is case-sensitive, so watch out. Also remove everything else (backup the default first $ cp /etc/krb5.conf /etc/krb5.conf.bak). If a section is not there, add it yourself:



            [libdefaults]
            default_realm = YOUR.REALM.NAME
            dns_lookup_realm = false
            dns_lookup_kdc = false
            default_ccache_name = KEYRING:persistent:%{uid}
            rdns = false{code}

            [realms]
            YOUR.REALM.NAME = {
            kdc = your.realm.name
            admin_server = your.realm.name
            }

            [domain_realm]
            your.realm.name = YOUR.REALM.NAME
            .your.realm.name = YOUR.REALM.NAME


            Note: forcing lookups off, greatly helps for debugging and generally I have found it really useful to see what is going on, contrary to basically all other guides on the topic. Also the reverse dns line rnds might be relevant only to my network setup, so try a value of true if some problem happens.



            7) Check /etc/sssd/sssd.conf to include the following. Same guidelines and restrictions apply from point 6). Some values might be already set:



            [sssd]
            domains = your.realm.nbame

            [domain/your.domain.name]
            ad_domain = your.domain.name
            krb5_realm = YOUR.DOMAIN.NAME
            realmd_tags = manages-system joined-with-adcli
            cache_credentials = True
            id_provider = ad
            krb5_store_password_if_offline = True
            default_shell = /bin/bash
            ldap_id_mapping = True
            use_fully_qualified_names = True
            fallback_homedir = /home/%u@%d
            access_provider = ad


            8) Reboot



            9) Join your domain (needs admin credentials. You will be asked the admin password):



            $ realm join -v --user=[admin_username] your.realm.name


            Note: The -v tag for verbose is basically essential to see what could go wrong. At this point, if you actually pass the discovery step (always the first step of the join command), you will have some pretty detailed errors to follow if something happens and the worst should be gone.



            Good luck!






            share|improve this answer






























              0














              Providing my own solution as a full guide.



              DISCLAIMER: I collated different answers on this site and added my own bits. I am also assuming su privileges throughout the guide.



              Join AD network with Ubuntu 18.04



              0) Make sure that /etc/hosts and /etc/hostname files contain addresses and names according with your credentials provided by your domain admin. Also install the following packages:



              apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin


              Note: When you install kerberos a prompt to insert your realm and domain names is given. Follow through, but leave empty if you do not know some bits.



              1) Disable systemd-resolved



              $ systemctl disable systemd-resolved.service
              $ systemctl stop systemd-resolved


              Note: this is the way I have found but it might be not ideal for you to disable systemd-resolved.



              2) Add the following to /etc/NetworkManager/NetworkManager.conf in the [main] section:



              dns=default


              3) Remove the symlink /etc/resolv.conf. It will be recreated with the correct values.



              4) Restart network service and add dnsmasq package:



              $ service network-manager restart
              $ apt install dnsmasq


              5) In /etc/nsswitch.conf replace hosts line with this:



              hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4


              Note: If you have problems, try this line instead hosts: files dns myhostname.



              6) Add the following to /etc/krb5.conf. It is case-sensitive, so watch out. Also remove everything else (backup the default first $ cp /etc/krb5.conf /etc/krb5.conf.bak). If a section is not there, add it yourself:



              [libdefaults]
              default_realm = YOUR.REALM.NAME
              dns_lookup_realm = false
              dns_lookup_kdc = false
              default_ccache_name = KEYRING:persistent:%{uid}
              rdns = false{code}

              [realms]
              YOUR.REALM.NAME = {
              kdc = your.realm.name
              admin_server = your.realm.name
              }

              [domain_realm]
              your.realm.name = YOUR.REALM.NAME
              .your.realm.name = YOUR.REALM.NAME


              Note: forcing lookups off, greatly helps for debugging and generally I have found it really useful to see what is going on, contrary to basically all other guides on the topic. Also the reverse dns line rnds might be relevant only to my network setup, so try a value of true if some problem happens.



              7) Check /etc/sssd/sssd.conf to include the following. Same guidelines and restrictions apply from point 6). Some values might be already set:



              [sssd]
              domains = your.realm.nbame

              [domain/your.domain.name]
              ad_domain = your.domain.name
              krb5_realm = YOUR.DOMAIN.NAME
              realmd_tags = manages-system joined-with-adcli
              cache_credentials = True
              id_provider = ad
              krb5_store_password_if_offline = True
              default_shell = /bin/bash
              ldap_id_mapping = True
              use_fully_qualified_names = True
              fallback_homedir = /home/%u@%d
              access_provider = ad


              8) Reboot



              9) Join your domain (needs admin credentials. You will be asked the admin password):



              $ realm join -v --user=[admin_username] your.realm.name


              Note: The -v tag for verbose is basically essential to see what could go wrong. At this point, if you actually pass the discovery step (always the first step of the join command), you will have some pretty detailed errors to follow if something happens and the worst should be gone.



              Good luck!






              share|improve this answer




























                0












                0








                0







                Providing my own solution as a full guide.



                DISCLAIMER: I collated different answers on this site and added my own bits. I am also assuming su privileges throughout the guide.



                Join AD network with Ubuntu 18.04



                0) Make sure that /etc/hosts and /etc/hostname files contain addresses and names according with your credentials provided by your domain admin. Also install the following packages:



                apt install -y realmd sssd sssd-tools libnss-sss libpam-sss krb5-user adcli samba-common-bin


                Note: When you install kerberos a prompt to insert your realm and domain names is given. Follow through, but leave empty if you do not know some bits.



                1) Disable systemd-resolved



                $ systemctl disable systemd-resolved.service
                $ systemctl stop systemd-resolved


                Note: this is the way I have found but it might be not ideal for you to disable systemd-resolved.



                2) Add the following to /etc/NetworkManager/NetworkManager.conf in the [main] section:



                dns=default


                3) Remove the symlink /etc/resolv.conf. It will be recreated with the correct values.



                4) Restart network service and add dnsmasq package:



                $ service network-manager restart
                $ apt install dnsmasq


                5) In /etc/nsswitch.conf replace hosts line with this:



                hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4


                Note: If you have problems, try this line instead hosts: files dns myhostname.



                6) Add the following to /etc/krb5.conf. It is case-sensitive, so watch out. Also remove everything else (backup the default first $ cp /etc/krb5.conf /etc/krb5.conf.bak). If a section is not there, add it yourself:



                [libdefaults]
                default_realm = YOUR.REALM.NAME
                dns_lookup_realm = false
                dns_lookup_kdc = false
                default_ccache_name = KEYRING:persistent:%{uid}
                rdns = false{code}

                [realms]
                YOUR.REALM.NAME = {
                kdc = your.realm.name
                admin_server = your.realm.name
                }

                [domain_realm]
                your.realm.name = YOUR.REALM.NAME
                .your.realm.name = YOUR.REALM.NAME


                Note: forcing lookups off, greatly helps for debugging and generally I have found it really useful to see what is going on, contrary to basically all other guides on the topic. Also the reverse dns line rnds might be relevant only to my network setup, so try a value of true if some problem happens.



                7) Check /etc/sssd/sssd.conf to include the following. Same guidelines and restrictions apply from point 6). Some values might be already set:



                [sssd]
                domains = your.realm.nbame

                [domain/your.domain.name]
                ad_domain = your.domain.name
                krb5_realm = YOUR.DOMAIN.NAME
                realmd_tags = manages-system joined-with-adcli
                cache_credentials = True
                id_provider = ad
                krb5_store_password_if_offline = True
                default_shell = /bin/bash
                ldap_id_mapping = True
                use_fully_qualified_names = True
                fallback_homedir = /home/%u@%d
                access_provider = ad


                8) Reboot



                9) Join your domain (needs admin credentials. You will be asked the admin password):



                $ realm join -v --user=[admin_username] your.realm.name


                Note: The -v tag for verbose is basically essential to see what could go wrong. At this point, if you actually pass the discovery step (always the first step of the join command), you will have some pretty detailed errors to follow if something happens and the worst should be gone.



                Good luck!






                share|improve this answer






























edited Feb 12 at 12:05

answered Feb 12 at 11:59

Habardeen
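The guide's krb5.conf and sssd.conf steps are where most failed joins originate, so here is a small pre-flight check, added as an example and not part of the answer: it parses the two files' text and reports the mismatches that stop `realm join` at the discovery step (realm not upper-case, the `domains =` entry in `[sssd]` not matching its `[domain/...]` section, `krb5_realm` differing from `default_realm`, missing `[domain_realm]` mappings, or no `access_provider`). The parser is deliberately minimal and the sample file contents use placeholder names.

```python
# Added example, not part of the answer: a minimal consistency check over
# krb5.conf and sssd.conf text, run before attempting `realm join`.

def parse_conf(text):
    """Tiny INI-style parser: {section: {key: value}}. The '{' / '}' lines of a krb5 realm block are skipped, so its kdc/admin_server keys land under [realms]."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
        elif "=" in line and cur:
            key, val = (p.strip() for p in line.split("=", 1))
            sections[cur][key] = val.rstrip("{").strip()
    return sections

def preflight(krb5_text, sssd_text):
    """Return a list of findings; an empty list means the two files agree."""
    krb5, sssd = parse_conf(krb5_text), parse_conf(sssd_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    found = []
    if realm != realm.upper() or realm not in krb5.get("realms", {}):
        found.append("krb5: default_realm must be upper-case and have a [realms] block")
    enabled = {d.strip() for d in sssd.get("sssd", {}).get("domains", "").split(",") if d.strip()}
    domain_secs = {s[7:]: v for s, v in sssd.items() if s.startswith("domain/")}
    for dom in sorted(enabled - set(domain_secs)):  # catches typos such as 'nbame'
        found.append("sssd: domains lists %r but there is no [domain/%s] section" % (dom, dom))
    for dom, sec in domain_secs.items():
        if sec.get("krb5_realm") != realm:
            found.append("sssd: krb5_realm of %s differs from krb5 default_realm" % dom)
        if sec.get("id_provider") != "ad" or "access_provider" not in sec:
            found.append("sssd: %s needs id_provider = ad and an access_provider" % dom)
        for host in (dom, "." + dom):  # both forms map the host's domain to the realm
            if krb5.get("domain_realm", {}).get(host) != realm:
                found.append("krb5: [domain_realm] does not map %s to %s" % (host, realm))
    return found

# Constructed sample (placeholder names), with the answer's 'nbame' typo left in on purpose.
KRB5_SAMPLE = ("[libdefaults]\ndefault_realm = YOUR.REALM.NAME\n"
               "[realms]\nYOUR.REALM.NAME = {\nkdc = your.realm.name\n}\n"
               "[domain_realm]\nyour.realm.name = YOUR.REALM.NAME\n.your.realm.name = YOUR.REALM.NAME\n")
SSSD_SAMPLE = ("[sssd]\ndomains = your.realm.nbame\n[domain/your.realm.name]\n"
               "krb5_realm = YOUR.REALM.NAME\nid_provider = ad\naccess_provider = ad\n")

if __name__ == "__main__":
    print("\n".join(preflight(KRB5_SAMPLE, SSSD_SAMPLE)) or "OK")
```

Run it against the real files with `preflight(open("/etc/krb5.conf").read(), open("/etc/sssd/sssd.conf").read())` before the reboot in step 8; an empty result does not prove DNS is right, only that the two files are consistent with each other.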





























