Trying to join an AD domain (Samba 4 AD DC) from a specific (Ubuntu 20.04) server would fail with a « Server not found in Kerberos database » error:
```
# realm join -U john.doe -v AD_EXAMPLE_NET
* Resolving: _ldap._tcp.ad.example.net
* Performing LDAP DSE lookup on: 10.100.100.2
* Successfully discovered: ad.example.net
Password for john.doe:
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain ad.example.net --domain-realm AD.EXAMPLE.NET --domain-controller 10.100.100.2 --login-type user --login-user john.doe --stdin-password
* Using domain name: ad.example.net
* Calculated computer account name from fqdn: SRV
* Using domain realm: ad.example.net
* Sending NetLogon ping to domain controller: 10.100.100.2
* Received NetLogon info from: smb.ad.example.net
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-dN4Dz2/krb5.d/adcli-krb5-conf-JLqdZ0
* Authenticated as user: john.doe@AD.EXAMPLE.NET
! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to ad.example.net domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
! Insufficient permissions to join the domain
```
It turns out that the problem was that the IP address of the AD controller did not reverse-resolve (PTR record) to its original DNS name!
The explanation of this problem (and solution) was found in the following post: https://aws.nz/best-practice/ad-join/
The solution is either to:

- set a correct reverse DNS PTR record that points back to the DNS name of the AD controller,
- or add the option `rdns = false` in the `[libdefaults]` section of `/etc/krb5.conf`:

```
[libdefaults]
    rdns = false
```