I'm setting up a new network with a Windows 2012 machine running AD DS. I have several Ubuntu 14.04 servers that I want to join to the domain for authentication. I've managed to do so on one of these servers using realmd, sssd and adcli; this was pretty straightforward.
However, on at least 2 other servers I cannot get the same setup to work. The big difference between the two is that they reside in a different subnet. I've checked:
- Routing
- DNS
- disabled all firewall rules on both the firewall and the DC.
I can successfully issue a kinit, but while joining, adcli claims it cannot contact a KDC.
Hopefully you guys can point out my failure.
Kind regards
root@lb02:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ea:a5:b6 brd ff:ff:ff:ff:ff:ff
inet ***.***.***.**/** brd ***.***.***.*** scope global net
valid_lft forever preferred_lft forever
inet6 ....
3: www: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:70:11:86 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global www
valid_lft forever preferred_lft forever
inet6 ....
root@lb02:~# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = ACME.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = trye
[realms]
ACME.COM = {
kdc = ad01.acme.com
admin_server = ad01.acme.com
default_domain = ACME.COM
}
[domain_realm]
.acme.com = ACME.COM
acme.com = ACME.COM
root@lb02:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kvanhagen@ACME.COM
Valid starting Expires Service principal
07/08/2015 16:19:55 07/09/2015 02:19:55 krbtgt/PRO4ALL.COM@ACME.COM
renew until 07/09/2015 16:19:52
root@lb02:~# dig -t SRV _kerberos._tcp.acme.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._tcp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.acme.com. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
;; ADDITIONAL SECTION:
ad01.acme.com. 3600 IN A 10.2.4.1
;; Query time: 2 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:24:43 CEST 2015
;; MSG SIZE rcvd: 107
root@lb02:~# dig -t SRV _kerberos._udp.acme.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._udp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.acme.com. IN SRV
;; ANSWER SECTION:
_kerberos._udp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
;; ADDITIONAL SECTION:
ad01.acme.com. 3600 IN A 10.2.4.1
;; Query time: 1 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:46:25 CEST 2015
;; MSG SIZE rcvd: 107
root@lb02:~# ping -c4 ad01.acme.com
PING ad01.acme.com (10.2.4.1) 56(84) bytes of data.
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=1 ttl=127 time=0.651 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=2 ttl=127 time=0.620 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=3 ttl=127 time=0.721 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=4 ttl=127 time=0.750 ms
--- ad01.acme.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.620/0.685/0.750/0.058 ms
C:\Users\Administrator>ping lb02
Pinging lb02.acme.com [10.2.1.2] with 32 bytes of data:
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Ping statistics for 10.2.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
kvanhagen@lb02:~$ telnet ad01.acme.com 88
Trying 10.2.4.1...
Connected to ad01.acme.com.
root@lb02:~# realm --membership-software=adcli discover acme.com
acme.com
type: kerberos
realm-name: ACME.COM
domain-name: acme.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@lb02:~# realm --verbose join acme.com
* Resolving: _ldap._tcp.acme.com
* Performing LDAP DSE lookup on: 10.2.4.1
* Successfully discovered: acme.com
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain acme.com --domain-realm ACME.COM --domain-controller 10.2.4.1 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-MCBF1X
* Using domain name: acme.com
* Calculated computer account name from fqdn: LB02
* Using domain realm: acme.com
* Sending netlogon pings to domain controller: cldap://10.2.4.1
* Received NetLogon info from: ad01.acme.com
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-v7Y0Pg/krb5.d/adcli-krb5-conf-eJg20h
* Looked up short domain name: ACME
* Using fully qualified name: lb02
* Using domain name: acme.com
* Using computer account name: LB02
* Using domain realm: acme.com
* Calculated computer account name from fqdn: LB02
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Using fully qualified name: lb02
* Using domain name: acme.com
* Using computer account name: LB02
* Using domain realm: acme.com
* Looked up short domain name: ACME
* Found computer account for LB02$ at: CN=LB02,CN=Computers,DC=acme,DC=com
! Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
adcli: joining domain acme.com failed: Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
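An added diagnostic example, not part of the question and not code from realmd or adcli. The kinit and the telnet to port 88 shown above only prove that the KDC's ticket service is reachable; the step adcli fails at ("Couldn't set password for computer account") uses the kpasswd protocol, which MIT libkrb5 directs at the _kpasswd._tcp/_kpasswd._udp SRV targets (or at admin_server) on port 464, and "Cannot contact any KDC for requested realm" is the error it raises when that endpoint cannot be reached. The script below parses dig-style SRV answers for every service a join touches (Kerberos 88, kpasswd 464, LDAP 389), probes each TCP endpoint, and reports the ones that are blocked. The dig text is constructed to match the format in the question; ad01.acme.com and 10.2.4.1 are taken from it, and the _kpasswd and _ldap records are assumed, since the question only shows the _kerberos lookups. UDP endpoints are listed but not probed, because a TCP handshake says nothing about UDP filtering.

```python
"""Probe every SRV endpoint an AD join needs, not just port 88.

Constructed example: dig output modelled on the question's format, with
assumed _kpasswd and _ldap records (the question only shows _kerberos).
"""
import re
import socket

# "name TTL IN SRV prio weight port target." as printed by dig.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)
# "name TTL IN A address" from the ADDITIONAL section.
A_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<ip>\d+(?:\.\d+){3})\s*$")

# Constructed dig answers, one per SRV name libkrb5/adcli consult during a join.
CONSTRUCTED_DIG = {
    "_kerberos._tcp": ";; ANSWER SECTION:\n"
                      "_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.\n"
                      ";; ADDITIONAL SECTION:\n"
                      "ad01.acme.com. 3600 IN A 10.2.4.1\n",
    "_kerberos._udp": ";; ANSWER SECTION:\n"
                      "_kerberos._udp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.\n"
                      ";; ADDITIONAL SECTION:\n"
                      "ad01.acme.com. 3600 IN A 10.2.4.1\n",
    "_kpasswd._tcp": ";; ANSWER SECTION:\n"                # assumed record
                     "_kpasswd._tcp.acme.com. 600 IN SRV 0 100 464 ad01.acme.com.\n"
                     ";; ADDITIONAL SECTION:\n"
                     "ad01.acme.com. 3600 IN A 10.2.4.1\n",
    "_ldap._tcp": ";; ANSWER SECTION:\n"                   # assumed record
                  "_ldap._tcp.acme.com. 600 IN SRV 0 100 389 ad01.acme.com.\n"
                  ";; ADDITIONAL SECTION:\n"
                  "ad01.acme.com. 3600 IN A 10.2.4.1\n",
}


def parse_dig(output):
    """Return (srv_records, a_records) from dig text.

    srv_records: [(prio, weight, port, target)] sorted as a client would pick
    them (lowest priority first, highest weight first). a_records: {host: ip}.
    Comment lines (starting with ';') and the QUESTION section are ignored.
    """
    srv, addrs = [], {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            srv.append((int(m["prio"]), int(m["weight"]), int(m["port"]),
                        m["target"].rstrip(".")))
            continue
        m = A_RE.match(line)
        if m:
            addrs[m["name"].rstrip(".")] = m["ip"]
    srv.sort(key=lambda r: (r[0], -r[1]))
    return srv, addrs


def tcp_reachable(host, port, timeout=2.0):
    """True only if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timeout, unresolvable, no network
        return False


def check_join_path(dig_outputs, probe=tcp_reachable):
    """Map each SRV name to [(target, port, ok)].

    ok is True/False for _tcp services and None for _udp ones, which a TCP
    probe cannot judge. The A record is preferred over the name so a broken
    resolver on the probing host does not mask a firewall problem.
    """
    report = {}
    for srv_name, text in dig_outputs.items():
        records, addrs = parse_dig(text)
        rows = []
        for _, _, port, target in records:
            ok = probe(addrs.get(target, target), port) if srv_name.endswith("._tcp") else None
            rows.append((target, port, ok))
        report[srv_name] = rows
    return report


def blocked(report):
    """Endpoints whose TCP probe failed: (srv_name, target, port)."""
    return [(name, target, port)
            for name, rows in report.items()
            for target, port, ok in rows if ok is False]


def main():
    # Real probes against the constructed records; run from the host that fails to join.
    report = check_join_path(CONSTRUCTED_DIG)
    for name, rows in report.items():
        for target, port, ok in rows:
            state = {True: "open", False: "BLOCKED", None: "udp, not probed"}[ok]
            print(f"{name:<15} {target}:{port:<4} {state}")
    for name, target, port in blocked(report):
        print(f"join will fail: {name} -> {target}:{port} unreachable")


if __name__ == "__main__":
    main()
```

With a probe that answers only for ports 88 and 389, the report singles out _kpasswd._tcp on 464 as the blocked endpoint, which is the shape of failure to look for when kinit succeeds but the computer-password step does not; replace the constructed dig text with the real `dig -t SRV` output for each name to check a live domain.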