I am trying to join the Windows domain in the %post chroot section of my kickstart script using the kinit and net commands after setting up the Samba, Kerberos and SSSD configurations in %pre.

My authconfig looks like this in the command section and generates the proper krb5.conf and smb.conf:

authconfig --disableldap \
    --disablewinbindusedefaultdomain \
    --disablewinbind \
    --disablewinbindauth \
    --smbsecurity=ads \
    --smbworkgroup="$WORKGROUP" \
    --smbrealm="$DOMAIN" \
    --smbservers="$PDC" \
    --enablemkhomedir \
    --enablekrb5 \
    --enablekrb5realmdns \
    --enablekrb5kdcdns \
    --krb5adminserver="$PDC" \
    --krb5kdc="$PDC" \
    --krb5realm="$DOMAIN" \
    --enablelocauthorize \
    --enablepamaccess \
    --nostart \
    --enablesssd \
    --enablesssdauth \
    --kickstart \
    --update

I can obtain the Kerberos ticket and print it using klist.

$ echo -n "$PASS"|kinit ${USER}
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxadmin@DEV.XXX.LOCAL

Valid starting      Expires            Service pricipal
05/05/15 08:59:08   05/05/15 18:59:07  krbtgt/DEV.XXX.LOCAL@DEV.XXX.LOCAL
        renew until 05/12/15 08:59:08

But I always get this error when I run the net command:

$ net ads join -k 
Failed to join domain: failed to join domain 'DEV.XXX.LOCAL' over rpc: Access denied

I expect to see the keytab file /etc/krb5.keytab but it doesn't get created.

However, when I try to join again after the system reboots, it works fine:

Using short domain name -- DEV
Joined 'TEST' to dns domain 'dev.xxx.local'

PS. I have also noticed that when I put the build system (%post install stage running in VMware) to sleep and ssh to it, joining the AD domain works without problems.

Dejan

1 Answer

This seems to work: net ads join -k -U ${USER}%${PASS}

Dejan
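
A post-join check for the symptom described in the question, as an added example that is not part of the original post or answer: it runs the join in the form the answer gives, then fails the %post step if the keytab is missing or `net ads testjoin` does not pass. The function name `join_and_verify` and the `AD_USER`, `AD_PASS`, `RUN_JOIN` and `KEYTAB` variables are hypothetical, and it assumes smb.conf is configured so that the join writes the keytab, as the question expects.

```shell
#!/bin/sh
# Added example (not from the original thread): join from kickstart %post and
# stop the build with a distinct exit code when the join did not really succeed.
# Assumption: the join is expected to write the keytab named in the question.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# join_and_verify USER PASS
# Returns 0 on a verified join, 1 if the join command fails,
# 2 if no keytab was written, 3 if the machine account does not validate.
join_and_verify() {
    # Join command in the form the answer reports as working.
    if ! net ads join -k -U "$1%$2"; then
        echo "join: net ads join failed" >&2
        return 1
    fi

    # The question's symptom: no keytab file after the join attempt.
    if [ ! -s "$KEYTAB" ]; then
        echo "join: $KEYTAB is missing or empty" >&2
        return 2
    fi

    # Ask Samba to validate the stored machine account against the domain.
    if ! net ads testjoin; then
        echo "join: net ads testjoin failed" >&2
        return 3
    fi

    return 0
}

# Run only when explicitly requested, e.g. RUN_JOIN=1 in the %post section,
# so that sourcing this file never touches the domain by accident.
if [ "${RUN_JOIN:-0}" = "1" ]; then
    join_and_verify "$AD_USER" "$AD_PASS" || exit $?
fi
```

With the `-U user%pass` form the password is an argument of the `net` process, so it can show up in process listings and in any shell trace captured in the kickstart log while the join runs.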