If you weren’t able to succeed in integrating Active Directory into Linux, don’t worry. This article will show you how to test the Kerberos authentication and join the Active Directory domain manually so you can identify the problem.
Launch a terminal window and type in the commands shown below.
Test the Kerberos authentication
Kerberos is the authentication mechanism Active Directory uses to verify user and host identities. We will use kinit, the program that obtains a Kerberos ticket-granting ticket (TGT), to test the Kerberos authentication mechanism.
[root@mail ~]# kinit bugsbunny
Change bugsbunny to any Active Directory user account.
If it replies
- Cannot resolve network address for KDC in requested realm while getting initial credentials
This is a DNS problem: check the DNS configuration, or use IP addresses in the Domain Controllers field of the Winbind Settings.
- Cannot find KDC for requested realm while getting initial credentials
Check the spelling of your Active Directory realm, and check the spelling in Winbind Settings as well. Capitalization matters.
- Client not found in Kerberos database while getting initial credentials
Check that the user name you used actually exists in Active Directory.
- Cannot contact any KDC for requested realm while getting initial credentials
Check that the domain controller you specified in Winbind Settings is actually running and is not firewalled.
See Winbind Setting for RHEL/CentOS 5
See Winbind Setting for RHEL/CentOS 4
Password for bugsbunny@ACME.LOCAL: (type in the password here)
If it replies
- Preauthentication failed while getting initial credentials
It means the password is wrong.
- Password has expired while getting initial credentials
The password is no longer valid and needs to be changed.
- Clock skew too great while getting initial credentials
Synchronize your clocks using NTP. For a quick and temporary fix, run net time set to synchronize the time with the domain controller.
To permanently fix the problem, both the Active Directory server and the Linux server should synchronize their time with an NTP server. See how to synchronize system clock in Linux. For Windows, use the command
net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org"
Replace “0.pool.ntp.org …” with your preferred NTP server.
- KDC reply did not match expectations while getting initial credentials
Make sure the realm is correct and capitalized in /etc/krb5.conf. If the realm is ACME.LOCAL, this error will appear if ACME, acme, or acme.local is used as the realm instead.
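The errors above reduce to four preconditions that can be checked before kinit is even run. The following preflight helper is an added example, not code from the original article: it reads the realm and KDC list from a krb5.conf, flags a lower-case or misspelled default_realm, distinguishes an unresolvable KDC from one that is down or firewalled on port 88, and measures the clock offset against the domain controller with a plain SNTP query (AD domain controllers serve NTP). The 300-second limit is MIT Kerberos's default clockskew; the host names in the comments are assumptions.

```python
import socket, struct, time
KRB5_PORT, NTP_PORT = 88, 123
NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: returns (default_realm, {REALM: [kdc_host, ...]})."""
    default, realms, section, realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()               # drop comments and whitespace
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1], None
        elif section == 'libdefaults' and line.startswith('default_realm'):
            default = line.split('=', 1)[1].strip()
        elif section == 'realms' and line.endswith('{'):
            realm = line.split('=', 1)[0].strip()
            realms[realm] = []
        elif section == 'realms' and realm and line.startswith('kdc'):
            realms[realm].append(line.split('=', 1)[1].strip().split(':')[0])
    return default, realms

def realm_problems(default, realms):
    """Config mistakes behind 'Cannot find KDC' and 'KDC reply did not match expectations'."""
    if not default or default != default.upper():
        return ['default_realm %r missing or not upper-case' % default]
    if default not in realms:
        return ['default_realm %r has no [realms] entry (check spelling and case)' % default]
    return []

def ntp_transmit_time(reply):
    secs, frac = struct.unpack('!II', reply[40:48])       # Transmit Timestamp field
    return secs - NTP_EPOCH_DELTA + frac / 2 ** 32

def clock_skew(kdc, timeout=3.0):
    """SNTP query to the DC (e.g. an assumed dc1.acme.local): returns DC-minus-local seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b'\x1b' + b'\0' * 47, (kdc, NTP_PORT))  # LI=0 VN=3 mode=3 (client)
        reply, _ = s.recvfrom(48)
    return ntp_transmit_time(reply) - time.time()       # beyond +/-300 s kinit fails

def kdc_reachable(kdc, timeout=3.0):
    """Separates 'Cannot resolve network address for KDC' from 'Cannot contact any KDC'."""
    try:
        socket.getaddrinfo(kdc, KRB5_PORT)
        socket.create_connection((kdc, KRB5_PORT), timeout).close()
    except socket.gaierror:                               # DNS failure
        return 'unresolvable (DNS)'
    except OSError:                                       # refused, timed out, filtered
        return 'unreachable (down or firewalled)'
    return 'ok'
```

Run realm_problems on the parsed /etc/krb5.conf first, then kdc_reachable and clock_skew for each KDC it lists; a skew with absolute value above 300 seconds is the "Clock skew too great" case.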
Join the Active Directory Domain
[root@mail ~]# net ads join -U administrator
Replace administrator with any user name having Domain Admin rights. Specify your password when asked. You should be able to join the Active Directory domain now.
Restart winbind
After successfully joining, you need to restart winbind using the command below.
[root@mail ~]# service winbind restart
***
Posted on 4/25/2007 and last updated on 4/23/2011
Filed under Active Directory , Kerberos , Samba
May 6th, 2008 at 4:34 pm
Hi. I’m running openSUSE 10.3 and samba-3.0.26a-3.5. I’m trying to make Winbind and Active Directory work together. When I run smb -b |grep LDAP I don’t get HAVE_LDAP_DOMAIN2HOSTLIST
host:/etc/samba # smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
Should I necessarily have it listed?
However trying:
host:/etc/samba # kinit -V admin@PRUEBA
Password for admin@PRUEBA:
Authenticated to Kerberos v5
host:/etc/samba # net ads join -U admin
admin’s password:
Using short domain name — MAIN
Joined ‘HOST’ to realm ‘PRUEBA’
host:/etc/samba # net ads testjoin
Join is OK
When I run wbinfo -u
host:/etc/samba # wbinfo -u
Error looking up domain users
And I see the message in the log file and when I run
[2008/05/02 13:32:30, 1] libads/cldap.c:recv_cldap_netlogon(247) Failed to parse cldap reply
It seems it’s working, but I just keep getting those errors in the log files and of course it won’t work. Can anybody help me?
Thank you in advance.
May 28th, 2009 at 5:35 pm
I get these two errors when joining the domain, and doing a getent passwd doesn’t list the AD password/accounts on a CentOS 5 machine.
Using short domain name — XXDOMAIN
DNS update failed!
July 10th, 2009 at 12:44 am
It seems to me that everything is going smoothly. Kerberos auth works fine, I see the entries using getent, I can su to a domain user account and it creates the home directories, I get everything fine back from wbinfo.
The problem is, on the login screen, it won’t recognize the domain user accounts. /var/log/secure says that pam can’t locate the user info. /etc/pam.d/login points to system-auth, which has all the right krb entries. Any advice?