Step 1: Determine if it is truly connected to the domain.
net ads leave domain.local -U jsmith.adm
No realm set, are we joined ?
Step 2: Retry joining domain
net ads join domain.local -U jsmith.adm
I've seen the following error:
libnet_join_ok: failed to get schannel session key from server dc.domain.local for domain DOMAIN. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Failed to join domain: failed to verify domain membership after joining: No trusted SAM account
Possible Fixes:
Double check the krb5.conf file for typos.
service smb restart; service winbind restart; service sssd restart;
Another problem I found was that end users with sudo access had changed the ownership of the /tmp directory, so while joining the domain the process was not able to create the temp files it needed. Here's how I figured it out.
Edit /etc/sssd/sssd.conf and, in the [domain] and [pam] sections, set debug_level = 8. Restart sssd and log in again. Now check /var/log/sssd/krb5_child.log.
Here were my findings:
[root@box log]# tail sssd/krb5_child.log
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [unpack_buffer] (0x2000): No old ccache
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_569601190_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [check_use_fast] (0x0100): Not using FAST.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [check_parent_stat] (0x0020): Private directory can only be created below a directory belonging to root or to [569601190].
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [create_ccache_dir] (0x0010): Check the ownership and permissions of krb5_ccachedir: [/tmp].
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [k5c_precreate_ccache] (0x0040): ccache creation failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [k5c_ccache_setup] (0x0040): Cannot precreate ccache
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [privileged_krb5_setup] (0x0020): k5c_ccache_setup failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [main] (0x0020): privileged_krb5_setup failed.
(Thu Sep 22 13:34:17 2016) [[sssd[krb5_child[4528]]]] [main] (0x0020): krb5_child failed!
Another command that helped troubleshoot this was:
KRB5_TRACE=/dev/stdout kinit admin
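The /tmp ownership problem reported in krb5_child.log above can be checked directly instead of waiting for a failed login. The script below is an added example, not part of the original post; the function names are hypothetical, it assumes GNU stat, and the 1777 mode test is the conventional /tmp setting rather than a rule quoted from SSSD.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the condition named in
# the krb5_child.log message: the ccache directory must belong to root or to
# the user logging in. The 1777 mode test is the conventional /tmp setting,
# an assumption of this example rather than a rule quoted from SSSD.

# eval_ccache_dir OWNER_UID MODE USER_UID
# Prints one finding per problem; returns 0 when nothing is wrong.
eval_ccache_dir() {
    owner_uid=$1 mode=$2 user_uid=$3 rc=0
    if [ "$owner_uid" != 0 ] && [ "$owner_uid" != "$user_uid" ]; then
        echo "owner uid $owner_uid is neither root nor uid $user_uid"
        rc=1
    fi
    if [ "$mode" != 1777 ]; then
        echo "mode $mode is not 1777 (sticky, world-writable)"
        rc=1
    fi
    return $rc
}

# check_ccache_dir [DIR] [USER_UID]
# Reads owner and mode with GNU stat and evaluates them. USER_UID defaults
# to the caller's uid; pass the uid of the account that fails to log in.
# Usage: check_ccache_dir /tmp 569601190   (uid taken from the log above)
check_ccache_dir() {
    dir=${1:-/tmp}
    uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 2
    fi
    owner=$(stat -c '%u' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    if findings=$(eval_ccache_dir "$owner" "$mode" "$uid"); then
        echo "$dir: OK (owner uid $owner, mode $mode)"
    else
        echo "$dir: problems found"
        printf '%s\n' "$findings"
        echo "fix (as root): chown root:root $dir && chmod 1777 $dir"
        return 1
    fi
}
```

Running the check on every domain-joined host where users hold sudo catches this kind of change before it breaks Kerberos logins.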