If you weren’t able to integrate Active Directory into Linux, don’t worry. This article shows you how to test Kerberos authentication and join the Active Directory domain manually so you can pinpoint the problem.
Launch the terminal window and type in the highlighted items below.
Test the Kerberos authentication
Kerberos is the authentication mechanism Active Directory uses to verify user or host identity. We will use kinit, the program that obtains a Kerberos ticket-granting ticket (TGT), to test the Kerberos authentication mechanism.
[root@mail ~]# kinit bugsbunny
Change bugsbunny to any Active Directory user account.
If it replies
- Cannot resolve network address for KDC in requested realm while getting initial credentials
This is a DNS problem: check DNS, or use IP addresses in the Domain Controllers field of the Winbind Settings.
- Cannot find KDC for requested realm while getting initial credentials
Check the spelling of your Active Directory realm, and check the spelling in Winbind Settings. Capitalization matters.
- Client not found in Kerberos database while getting initial credentials
Check that the user name you used exists in Active Directory.
- Cannot contact any KDC for requested realm while getting initial credentials
Check that the domain controller you specified in Winbind Settings is actually running and is not firewalled.
Password for bugsbunny@ACME.LOCAL: type in the password here
If it replies
- Preauthentication failed while getting initial credentials
The password is wrong.
- Password has expired while getting initial credentials
The password is no longer valid and needs to be changed.
- Clock skew too great while getting initial credentials
Synchronize your clocks using NTP. For a quick, temporary fix, use net time set to synchronize time with the domain controller.
To fix the problem permanently, both the Active Directory server and the Linux server should synchronize their time with an NTP server. See how to synchronize the system clock in Linux. On Windows, use the command
net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org"
Replace “0.pool.ntp.org …” with your preferred NTP server.
- KDC reply did not match expectations while getting initial credentials
Make sure the realm is spelled correctly and capitalized in /etc/krb5.conf. If the realm is ACME.LOCAL, this error appears when ACME, acme, or acme.local is used as the realm.
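The error-to-check mapping above, as an added shell example that is not from the original article. The function names and the short diagnosis tags are my own; the matched strings are the kinit messages listed above, and the wrapper skips itself when kinit is not installed.

```shell
#!/bin/sh
# Added example, not from the original article: map the kinit error messages
# listed above to the check the article recommends for each one.

# diagnose_kinit_output reads kinit's stderr text on stdin and prints one
# diagnosis line. Exit status: 0 = ticket obtained, 1 = known failure,
# 2 = message not covered by the article.
diagnose_kinit_output() {
    msg=$(cat)
    case "$msg" in
        "")
            echo "ok: ticket obtained (verify with klist)"; return 0 ;;
        *"Cannot resolve network address for KDC"*)
            echo "dns: KDC name does not resolve; fix DNS or use DC IP addresses in Winbind Settings" ;;
        *"Cannot find KDC for requested realm"*)
            echo "realm: check realm spelling and capitalization in Winbind Settings" ;;
        *"Client not found in Kerberos database"*)
            echo "user: principal does not exist in Active Directory" ;;
        *"Cannot contact any KDC"*)
            echo "network: domain controller down or firewalled" ;;
        *"Preauthentication failed"*)
            echo "password: wrong password" ;;
        *"Password has expired"*)
            echo "expired: password must be changed" ;;
        *"Clock skew too great"*)
            echo "clock: synchronize time with NTP (net time set for a quick fix)" ;;
        *"KDC reply did not match expectations"*)
            echo "realm-case: realm in /etc/krb5.conf must match exactly, e.g. ACME.LOCAL not acme.local" ;;
        *)
            echo "unknown: $msg"; return 2 ;;
    esac
    return 1
}

# check_kinit USER REALM runs kinit for USER@REALM (kinit prompts for the
# password on the terminal itself) and diagnoses only what it wrote to
# stderr. Returns 3 when kinit is not installed.
check_kinit() {
    user=$1; realm=$2
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed"; return 3; }
    err=$(kinit "$user@$realm" 2>&1 >/dev/null)   # keep stderr, drop stdout
    printf '%s\n' "$err" | diagnose_kinit_output
}
```

Run it as `check_kinit bugsbunny ACME.LOCAL` on the Linux host; the tag before the colon tells you which section above to follow.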
Join the Active Directory Domain
[root@mail ~]# net ads join -U administrator
Replace administrator with any user name that has Domain Admin rights. Enter the password when prompted. You should now be able to join the Active Directory domain.
After joining successfully, restart winbind using the command below.
[root@mail ~]# service winbind restart