
I have successfully built an Active Directory on AWS. I can ping the directory from a CentOS 7 EC2 instance located in the same VPC. Now, I try to join the realm, but I receive the following errors:

[ec2-user@ip-172-22-2-182 ~]$ sudo realm join -U admin@corp.xxx.com corp.xxx.com --verbose
 * Resolving: _ldap._tcp.corp.xxx.com
 * Resolving: corp.xxx.com
 * Performing LDAP DSE lookup on: 172.22.2.34
 * Successfully discovered: corp.xxx.com
Password for admin@corp.xxx.com: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain xxx.com --domain-realm CORP.xxx.COM --domain-controller 172.22.2.34 --login-type user --login-user admin@xxx.com --stdin-password
 * Using domain name: corp.xxx.com
 * Calculated computer account name from fqdn: IP-172-22-2-182
 * Using domain realm: xxx.com
 * Sending netlogon pings to domain controller: cldap://172.22.2.34
 * Received NetLogon info from: WIN-QUUMO7C7PU3.xxx.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-g1oscN/krb5.d/adcli-krb5-conf-RlQBkY
 ! Couldn't get kerberos ticket for: admin@xxx.com: Cannot find KDC for realm "xxx.com"
adcli: couldn't connect to xxx.com domain: Couldn't get kerberos ticket for: admin@xxx.com: Cannot find KDC for realm "xxx.com"
 ! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
[ec2-user@ip-172-22-2-182 ~]$ 

Does anyone know how to resolve it? The Amazon documentation does not say anything about installing Samba and its integration with AWS Windows Active Directory. It only has this link to enroll the host: enter link description here

Thanks

Sam
  • You don't need Samba to join the domain - Kerberos handles that. The relevant error here is `Cannot find KDC for realm "xxx.com"`. Your CentOS 7 instance can't find the Kerberos realm (AD domain). The article you cited talks about configuring sssd.conf - which you haven't posted. Need to see that to offer better advice. – T-Heron Nov 17 '16 at 13:27
  • Don't know about AWS custom rules, but from a vanilla Kerberos point of view, it looks like you have a problem mapping network **domains** to Kerberos **realms** -- your Kerberos ticket is granted for "admin" in realm `corp.xxx.com` but your machine is part of domain `xxx.com` and your Kerberos client config (typically in `/etc/krb5.conf`) does not mention how to map this domain to that realm (or any other realm). – Samson Scharfrichter Nov 18 '16 at 13:31

1 Answer


Not sure if this is still unresolved, but I encountered the same error as well when joining an Ubuntu machine to my domain... If you are using Ubuntu 16.04, you must enter the domain name portion of the username with all capital letters.

For example, `admin@CORP.XXX.COM corp.xxx.com --verbose` worked for me.

csw
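The domain-to-realm mismatch that Samson's comment and the answer above describe, as an added diagnostic (not code from the question, the answer, or realmd/adcli): it parses the `realm join --verbose` output, flags a lower-case or mismatched realm, and produces the corrected principal plus the `[domain_realm]` stanza for `/etc/krb5.conf` that maps the DNS domain to the realm. The log lines are constructed from the question's output, and `xxx.com` is the question's placeholder domain.

```python
import re

# Constructed sample, copied from the verbose output in the question
# (xxx.com is the question's placeholder domain, not a real one).
SAMPLE_LOG = """\
 * Using domain name: corp.xxx.com
 * Using domain realm: xxx.com
 ! Couldn't get kerberos ticket for: admin@xxx.com: Cannot find KDC for realm "xxx.com"
"""

def parse_join_log(text):
    """Extract domain, realm and failing principal from 'realm join --verbose' output."""
    patterns = {
        "domain": r"Using domain name: (\S+)",
        "realm": r"Using domain realm: (\S+)",
        "principal": r"Couldn't get kerberos ticket for: (\S+?):",
        "missing_kdc_realm": r'Cannot find KDC for realm "([^"]+)"',
    }
    return {k: m.group(1) for k, p in patterns.items() if (m := re.search(p, text))}

def expected_principal(user, domain):
    """AD realm names are the DNS domain name in upper case, e.g. admin@CORP.XXX.COM."""
    return f"{user}@{domain.upper()}"

def diagnose(info):
    """Return findings explaining why the Kerberos step failed, most likely cause first."""
    findings = []
    domain, realm = info.get("domain"), info.get("realm")
    if realm and realm != realm.upper():          # realms are case-sensitive
        findings.append(f"realm_not_uppercase:{realm}")
    if realm and domain and realm.lower() != domain.lower():
        findings.append(f"realm_domain_mismatch:{realm}!={domain}")
    principal = info.get("principal")
    if principal and domain and principal.split("@")[-1].lower() != domain.lower():
        findings.append(f"principal_realm_mismatch:{principal}")
    if info.get("missing_kdc_realm"):              # no _kerberos._tcp SRV record / no KDC
        findings.append(f"no_kdc_for_realm:{info['missing_kdc_realm']}")
    return findings

def suggested_fix(info, user="admin"):
    """The join command from the answer, with the realm portion upper-cased."""
    domain = info["domain"]
    return f"sudo realm join -U {expected_principal(user, domain)} {domain} --verbose"

def domain_realm_snippet(domain):
    """krb5.conf stanza mapping the DNS domain (and its subdomains) to the realm."""
    realm = domain.upper()
    return f"[domain_realm]\n .{domain} = {realm}\n {domain} = {realm}\n"

if __name__ == "__main__":
    info = parse_join_log(SAMPLE_LOG)
    print("\n".join(diagnose(info)))
    print(suggested_fix(info))
    print(domain_realm_snippet(info["domain"]))
```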