Bug 15727 - net ad join fails with "Failed to join domain: failed to create kerberos keytab"
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.21.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Noel Power
QA Contact: Samba QA Contact
Reported: 2024-09-27 11:12 UTC by Noel Power
Modified: 2024-10-19 08:33 UTC
Description Noel Power 2024-09-27 11:12:16 UTC

    
Comment 1 Noel Power 2024-10-18 09:11:16 UTC
On a to-be-joined system (with no pre-existing /etc/krb5.keytab), joining to Windows AD now fails (where previously it would succeed).


KRB5_CONFIG=/tmp/YaST2-22963-aVzKaP/krb5.conf net ads join  -s /tmp/YaST2-22963-aVzKaP/smb.conf 

e.g.

pw2kt_process_add_info: Failed to parse principal: RestrictedKrbHost/TW2024
Failed to join domain: failed to create kerberos keytab

where krb5.conf & smb.conf are minimal configs (provided as part of yast2 to provision a Windows client)


krb5.conf

[realms]
	SOMETESTDOMAIN1.MY.COM = {
	kdc = SomeWinDC.sometestdomain1.my.com
	}
Comment 2 Noel Power 2024-10-18 09:13:15 UTC
but... it appears adding section



[libdefaults]
	default_realm = SOMETESTDOMAIN1.MY.COM


to krb5.conf fixes the problem.
Comment 3 Rowland Penny 2024-10-19 08:33:16 UTC
(In reply to Noel Power from comment #2)

I can remember testing (quite a few years ago) just what was required in /etc/krb5.conf and it turned out it was just that; you do not need the '[realms]' part.

Also, since when did yast run on a Windows machine?
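
As an added illustration (not part of the bug thread, and not Samba or YaST code), the following shell pre-flight check reads the file that will be passed as KRB5_CONFIG and reports whether [libdefaults] sets default_realm, the setting comment 2 reports as resolving the failed join. The function names are hypothetical, the sample files are constructed from the snippets in the comments, and the parser is a simplification that does not follow include or includedir directives.

```shell
#!/bin/sh
# Added example, not Samba or YaST code. Function names are hypothetical.
# Simplified parse: include/includedir directives are not followed.

# Print the default_realm value found in the [libdefaults] section, if any.
krb5_default_realm() {
    awk '
        /^[ \t]*[#;]/ { next }              # comment line
        /^[ \t]*\[/ {                       # section header such as [realms]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            print val
            exit
        }
    ' "$1"
}

# Return 0 when default_realm is set, otherwise report on stderr and return 1.
check_krb5_conf() {
    realm=$(krb5_default_realm "$1")
    if [ -z "$realm" ]; then
        echo "$1: no default_realm in [libdefaults]" >&2
        return 1
    fi
    echo "$1: default_realm = $realm"
}

# Constructed sample input: the krb5.conf from comment 1, then the same file
# with the [libdefaults] section from comment 2 added in front.
demo() {
    d=$(mktemp -d) || return 1
    printf '[realms]\n\tSOMETESTDOMAIN1.MY.COM = {\n\tkdc = SomeWinDC.sometestdomain1.my.com\n\t}\n' > "$d/before.conf"
    { printf '[libdefaults]\n\tdefault_realm = SOMETESTDOMAIN1.MY.COM\n\n'
      cat "$d/before.conf"; } > "$d/after.conf"
    check_krb5_conf "$d/before.conf" && before=0 || before=1
    check_krb5_conf "$d/after.conf" && after=0 || after=1
    rm -rf "$d"
    echo "before=$before after=$after"
}

# With a path argument check that file, otherwise run the constructed demo.
if [ $# -gt 0 ]; then check_krb5_conf "$1"; else demo; fi
```

Run with the path of the krb5.conf as the only argument to gate a join on the result; the exit status is non-zero when default_realm is missing.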