
I've followed the tutorial at this link https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Everything seems to be configured somewhat correctly: `net rpc join` worked and the realm is listed when entering the command `realm list`, but I am still getting an error when trying to `net ads join`.

kinit works and gives me a ticket shown in klist. wbinfo -g gives no output. wbinfo -a user%pass gives:

```
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user jball with challenge response
```

sudo net ads testjoin -S domain.dc.com -U username -d 3 returns a bunch of errors such as failed to resolve _ldap._tcp..... (Success) and Failed to send DNS query (NT_STATUS_UNSUCCESSFUL). It successfully contacts the LDAP server, but ends in an error message saying

```
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: LDAP_INVALID_CREDENTIALS
```

If any more information is needed or if you would like me to post any config files please let me know, I will respond asap. Any help would be greatly appreciated, thanks.

sebix
Riptyde4
  • First thing I'd check is DNS, `Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)` suggests a problem here. Please show us the content of `/etc/resolv.conf` and `/etc/hosts`. Does `/etc/resolv.conf` point to Active Directory DNS? Does `_ldap._tcp...` resolve correctly using nslookup? If not, you need to fix it... – Michal Sokolowski Jun 16 '15 at 19:31
  • @MichalSokolowski My hosts file reflects the dc ip and aliases it to the correct name, and I also have the dc defined as a nameserver in my resolv.conf. I'll try the nslookup now. – Riptyde4 Jun 16 '15 at 20:40
  • @MichalSokolowski So I ran nslookup -q=srv ldap._tcp.dc._.msdcs.my.domain and it returns Server: 127.0.1.1 Address 127.0.1.1#53 and says "** server can't find _ldap.tcp_tcp.dc._msdcs.my.domain: NXDOMAIN" What should I do?? – Riptyde4 Jun 16 '15 at 20:57
  • @Riptyde4 you should add the IP address of Active Directory's DNS server to your `/etc/resolv.conf`, most probably the IP of the PDC itself. This should be sufficient. Does this query resolve at the PDC itself? – Michal Sokolowski Jun 17 '15 at 03:45
  • @Riptyde4: What about `nslookup -q=srv ldap._tcp.dc._.msdcs.my.domain IP_address_of_domain_DNS_server`? – Michal Sokolowski Jun 17 '15 at 03:58
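
The DNS checks discussed in the comments above, as an added example that is not part of the original thread: it flags loopback stub resolvers in a resolv.conf-style file and builds the domain controller locator SRV name `_ldap._tcp.dc._msdcs.<domain>` so it can be queried directly against the AD DNS server. The function names, `my.domain` and `192.0.2.10` are assumptions used for illustration.

```shell
#!/bin/sh
# Added example: DNS sanity checks before `net ads join` / `net ads testjoin`.

# Print the nameserver addresses found in a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Build the SRV name clients use to locate a domain controller.
# Note the underscores: _ldap._tcp.dc._msdcs.<domain>
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "${1%.}"
}

# Report each nameserver. Returns 1 if any is a loopback stub (such as the
# 127.0.1.1 seen in the nslookup output above), 2 if none are configured.
check_resolv() {
    cr_rc=0; cr_seen=0
    for cr_ns in $(nameservers "$1"); do
        cr_seen=1
        case "$cr_ns" in
            127.*|::1) echo "WARN $cr_ns is a local stub; it may not forward to AD DNS"; cr_rc=1 ;;
            *)         echo "OK   $cr_ns" ;;
        esac
    done
    [ "$cr_seen" -eq 1 ] || { echo "FAIL no nameserver lines in $1"; return 2; }
    return "$cr_rc"
}

# With two arguments (AD domain, AD DNS server IP) check the live system and
# query the DNS server directly, bypassing any local stub resolver.
if [ "$#" -eq 2 ]; then
    check_resolv /etc/resolv.conf
    nslookup -q=srv "$(dc_srv_name "$1")" "$2"
else
    # Constructed sample, not taken from the poster's machine.
    sample=$(mktemp)
    printf 'search my.domain\nnameserver 127.0.1.1\nnameserver 192.0.2.10\n' > "$sample"
    check_resolv "$sample" || true
    dc_srv_name my.domain
    rm -f "$sample"
fi
```

If the SRV record resolves when queried against the AD DNS server but not through the default resolver, the local stub or its upstream is the part to fix.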

1 Answer


You can try using sssd instead of winbind: https://help.ubuntu.com/lts/serverguide/sssd-ad.html. Winbind, as the samba-technical newsgroup suggests, is now under heavy development, so there will be radical changes in the future; the main reason for that is to allow interdomain trusts. Please read this carefully: http://rhelblog.redhat.com/2015/04/02/sssd-vs-winbind/

Michal Sokolowski
  • I've switched over to sssd and still have the same exact issue and identical output from the net ads join command – Riptyde4 Jun 16 '15 at 20:59