#1 On 26/01/2022 at 16:02
- Nym
Cannot rejoin a machine to the AD
Hello.
I have an Ubuntu 18.04.1 VM (kernel 5.4.0-1067-azure) that was joined to an Active Directory 2012 domain. Following user authentication problems against the AD when logging in to the Ubuntu VM, I wanted to take it out of the domain (realm leave) and put it back (realm join). But I can no longer join it to the domain. Here are the errors I get:
sudo realm --verbose join mon_domaine.local --user=admin_domaine
* Resolving: _ldap._tcp.mon_domaine.local
* Performing LDAP DSE lookup on: 10.50.1.4
* Successfully discovered: mon_domaine.local
Password for admin_domaine:
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain mon_domaine.local --domain-realm MON_DOMAINE.LOCAL --domain-controller 10.50.1.4 --os-name Ubuntu --os-version 18.04 --login-type user --login-user admin_domaine --stdin-password
* Using domain name: mon_domaine.local
* Calculated computer account name from fqdn: MA_VM
* Using domain realm: mon_domaine.local
* Sending netlogon pings to domain controller: cldap://10.50.1.4
* Received NetLogon info from: mon_pdc.mon_domaine.local
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-ORn4fi/krb5.d/adcli-krb5-conf-V9NAvn
* Authenticated as user: admin_domaine@MON_DOMAINE.LOCAL
* Using GSS-SPNEGO for SASL bind
* Looked up short domain name: mon_domaine
* Using fully qualified name: ma_vm
* Using domain name: mon_domaine.local
* Using computer account name: MA_VM
* Using domain realm: mon_domaine.local
* Calculated computer account name from fqdn: MA_VM
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for MA_VM$ at: CN=MA_VM,CN=Computers,DC=mon_domaine,DC=local
! Cannot set computer password: Authentication error
adcli: joining domain mon_domaine.local failed: Cannot set computer password: Authentication error
! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
And:
KRB5_TRACE=/dev/stdout /usr/sbin/adcli join --verbose --domain mon_domaine.local --domain-realm MON_DOMAINE.LOCAL --domain-controller 10.50.1.4 --os-name Ubuntu --os-version 18.04 --login-type user --login-user admin_domaine
* Using domain name: mon_domaine.local
* Calculated computer account name from fqdn: MA_VM
* Using domain realm: mon_domaine.local
* Sending netlogon pings to domain controller: cldap://10.50.1.4
* Received NetLogon info from: mon_pdc.mon_domaine.local
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-XkG9Ol/krb5.d/adcli-krb5-conf-QM9PBD
[28559] 1643208879.18729: Resolving unique ccache of type MEMORY
Password for admin_domaine@MON_DOMAINE.LOCAL:
[28559] 1643208883.485096: Getting initial credentials for admin_domaine@MON_DOMAINE.LOCAL
[28559] 1643208883.485098: Sending unauthenticated request
[28559] 1643208883.485099: Sending request (178 bytes) to MON_DOMAINE.LOCAL
[28559] 1643208883.485100: Resolving hostname 10.50.1.4
[28559] 1643208883.485101: Sending initial UDP request to dgram 10.50.1.4:88
[28559] 1643208883.485102: Received answer (189 bytes) from dgram 10.50.1.4:88
[28559] 1643208883.485103: Response was from master KDC
[28559] 1643208883.485104: Received error from KDC: -1765328359/Additional pre-authentication required
[28559] 1643208883.485107: Preauthenticating using KDC method data
[28559] 1643208883.485108: Processing preauth types: 16, 15, 19, 2
[28559] 1643208883.485109: Selected etype info: etype aes256-cts, salt "MON_DOMAINE.LOCALadmin_domaine", params ""
[28559] 1643208883.485110: AS key obtained for encrypted timestamp: aes256-cts/3F84
[28559] 1643208883.485112: Encrypted timestamp (for 1643208883.408423): plain 301AA011180F32303232303132363134353434335AA1050203063B67, encrypted 629E15682EE12B709A30AE7A8E78D636DD7D7697E73A6E35CD3CD79E9ED4F3ACDFCA6E2FC704B9DC719C6DB2B4F190D8362741CE9340BA86
[28559] 1643208883.485113: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[28559] 1643208883.485114: Produced preauth for next request: 2
[28559] 1643208883.485115: Sending request (256 bytes) to MON_DOMAINE.LOCAL
[28559] 1643208883.485116: Resolving hostname 10.50.1.4
[28559] 1643208883.485117: Sending initial UDP request to dgram 10.50.1.4:88
[28559] 1643208883.485118: Received answer (94 bytes) from dgram 10.50.1.4:88
[28559] 1643208883.485119: Response was from master KDC
[28559] 1643208883.485120: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[28559] 1643208883.485121: Request or response is too big for UDP; retrying with TCP
[28559] 1643208883.485122: Sending request (256 bytes) to MON_DOMAINE.LOCAL (tcp only)
[28559] 1643208883.485123: Resolving hostname 10.50.1.4
[28559] 1643208883.485124: Initiating TCP connection to stream 10.50.1.4:88
[28559] 1643208883.485125: Sending TCP request to stream 10.50.1.4:88
[28559] 1643208883.485126: Received answer (1712 bytes) from stream 10.50.1.4:88
[28559] 1643208883.485127: Terminating TCP connection to stream 10.50.1.4:88
[28559] 1643208883.485128: Response was from master KDC
[28559] 1643208883.485129: Processing preauth types: 19
[28559] 1643208883.485130: Selected etype info: etype aes256-cts, salt "MON_DOMAINE.LOCALadmin_domaine", params ""
[28559] 1643208883.485131: Produced preauth for next request: (empty)
[28559] 1643208883.485132: AS key determined by preauth: aes256-cts/3F84
[28559] 1643208883.485133: Decrypted AS reply; session key is: aes256-cts/5E50
[28559] 1643208883.485134: FAST negotiation: unavailable
[28559] 1643208883.485135: Initializing MEMORY:qcf1vSp with default princ admin_domaine@MON_DOMAINE.LOCAL
[28559] 1643208883.485136: Storing admin_domaine@MON_DOMAINE.LOCAL -> krbtgt/MON_DOMAINE.LOCAL@MON_DOMAINE.LOCAL in MEMORY:qcf1vSp
[28559] 1643208883.485137: Storing config in MEMORY:qcf1vSp for krbtgt/MON_DOMAINE.LOCAL@MON_DOMAINE.LOCAL: pa_type: 2
[28559] 1643208883.485138: Storing admin_domaine@MON_DOMAINE.LOCAL -> krb5_ccache_conf_data/pa_type/krbtgt\/MON_DOMAINE.LOCAL\@MON_DOMAINE.LOCAL@X-CACHECONF: in MEMORY:qcf1vSp
* Authenticated as user: admin_domaine@MON_DOMAINE.LOCAL
* Using GSS-SPNEGO for SASL bind
[28559] 1643208883.485144: Getting credentials admin_domaine@MON_DOMAINE.LOCAL -> ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL using ccache MEMORY:qcf1vSp
[28559] 1643208883.485145: Retrieving admin_domaine@MON_DOMAINE.LOCAL -> ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL from MEMORY:qcf1vSp with result: -1765328243/Matching credential not found
[28559] 1643208883.485146: Retrieving admin_domaine@MON_DOMAINE.LOCAL -> krbtgt/MON_DOMAINE.LOCAL@MON_DOMAINE.LOCAL from MEMORY:qcf1vSp with result: 0/Success
[28559] 1643208883.485147: Starting with TGT for client realm: admin_domaine@MON_DOMAINE.LOCAL -> krbtgt/MON_DOMAINE.LOCAL@MON_DOMAINE.LOCAL
[28559] 1643208883.485148: Requesting tickets for ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL, referrals on
[28559] 1643208883.485149: Generated subkey for TGS request: aes256-cts/6E7F
[28559] 1643208883.485150: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[28559] 1643208883.485152: Encoding request body and padata into FAST request
[28559] 1643208883.485153: Sending request (1899 bytes) to MON_DOMAINE.LOCAL
[28559] 1643208883.485154: Resolving hostname 10.50.1.4
[28559] 1643208883.485155: Initiating TCP connection to stream 10.50.1.4:88
[28559] 1643208883.485156: Sending TCP request to stream 10.50.1.4:88
[28559] 1643208883.485157: Received answer (1881 bytes) from stream 10.50.1.4:88
[28559] 1643208883.485158: Terminating TCP connection to stream 10.50.1.4:88
[28559] 1643208883.485159: Response was from master KDC
[28559] 1643208883.485160: Decoding FAST response
[28559] 1643208883.485161: FAST reply key: aes256-cts/07A2
[28559] 1643208883.485162: TGS reply is for admin_domaine@MON_DOMAINE.LOCAL -> ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL with session key aes256-cts/7D58
[28559] 1643208883.485163: TGS request result: 0/Success
[28559] 1643208883.485164: Received creds for desired service ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL
[28559] 1643208883.485165: Storing admin_domaine@MON_DOMAINE.LOCAL -> ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL in MEMORY:qcf1vSp
[28559] 1643208883.485167: Creating authenticator for admin_domaine@MON_DOMAINE.LOCAL -> ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL, seqnum 849334760, subkey aes256-cts/79EB, session key aes256-cts/7D58
[28559] 1643208883.485172: Read AP-REP, time 1643208883.485168, subkey aes256-cts/047B, seqnum 631226123
* Looked up short domain name: mon_domaine
* Using fully qualified name: ma_vm
* Using domain name: mon_domaine.local
* Using computer account name: MA_VM
* Using domain realm: mon_domaine.local
* Calculated computer account name from fqdn: MA_VM
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for MA_VM$ at: CN=MA_VM,CN=Computers,DC=mon_domaine,DC=local
[28559] 1643208883.485177: Getting credentials admin_domaine@MON_DOMAINE.LOCAL -> kadmin/changepw@MON_DOMAINE.LOCAL using ccache MEMORY:qcf1vSp
[28559] 1643208883.485178: Retrieving admin_domaine@MON_DOMAINE.LOCAL -> kadmin/changepw@MON_DOMAINE.LOCAL from MEMORY:qcf1vSp with result: -1765328243/Matching credential not found
[28559] 1643208883.485179: Retrieving admin_domaine@MON_DOMAINE.LOCAL -> krbtgt/MON_DOMAINE.LOCAL@MON_DOMAINE.LOCAL from MEMORY:qcf1vSp with result: 0/Success
[28559] 1643208883.485180: Starting with TGT for client realm: admin_domaine@MON_DOMAINE.LOCAL -> krbtgt/MON_DOMAINE.LOCAL@MON_DOMAINE.LOCAL
[28559] 1643208883.485181: Requesting tickets for kadmin/changepw@MON_DOMAINE.LOCAL, referrals on
[28559] 1643208883.485182: Generated subkey for TGS request: aes256-cts/9471
[28559] 1643208883.485183: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[28559] 1643208883.485185: Encoding request body and padata into FAST request
[28559] 1643208883.485186: Sending request (1862 bytes) to MON_DOMAINE.LOCAL
[28559] 1643208883.485187: Resolving hostname 10.50.1.4
[28559] 1643208883.485188: Initiating TCP connection to stream 10.50.1.4:88
[28559] 1643208883.485189: Sending TCP request to stream 10.50.1.4:88
[28559] 1643208883.485190: Received answer (1807 bytes) from stream 10.50.1.4:88
[28559] 1643208883.485191: Terminating TCP connection to stream 10.50.1.4:88
[28559] 1643208883.485192: Response was from master KDC
[28559] 1643208883.485193: Decoding FAST response
[28559] 1643208883.485194: FAST reply key: aes256-cts/F5BC
[28559] 1643208883.485195: TGS reply is for admin_domaine@MON_DOMAINE.LOCAL -> kadmin/changepw@MON_DOMAINE.LOCAL with session key aes256-cts/4B36
[28559] 1643208883.485196: TGS request result: 0/Success
[28559] 1643208883.485197: Received creds for desired service kadmin/changepw@MON_DOMAINE.LOCAL
[28559] 1643208883.485198: Storing admin_domaine@MON_DOMAINE.LOCAL -> kadmin/changepw@MON_DOMAINE.LOCAL in MEMORY:qcf1vSp
[28559] 1643208883.485200: Creating authenticator for admin_domaine@MON_DOMAINE.LOCAL -> kadmin/changepw@MON_DOMAINE.LOCAL, seqnum 0, subkey aes256-cts/F338, session key aes256-cts/4B36
[28559] 1643208883.485202: Resolving hostname 10.50.1.4
[28559] 1643208883.485203: Sending initial UDP request to dgram 10.50.1.4:464
[28559] 1643208883.485204: Received answer (97 bytes) from dgram 10.50.1.4:464
! Cannot set computer password: Authentication error
adcli: joining domain mon_domaine.local failed: Cannot set computer password: Authentication error
Of course, admin_domaine is a domain administrator. The domain controllers are still on Windows Server 2012, but with the latest patches from January 2022.
I tried deleting the MA_VM$ computer object in the AD: it gets recreated, but still the same problem with the password.
Any ideas?
Nym
Ubuntu 18.04.1 LTS 64bits
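To make a trace like the one above easier to read, here is an added example (not from the post or from adcli): a small Python parser that summarises which Kerberos stages of a KRB5_TRACE run completed (AS exchange, each TGS request, the kpasswd step on port 464) and names the first one that did not. The sample lines are constructed in the shape of adcli's output; the pid and timestamps are illustrative.

```python
import re

SAMPLE_TRACE = """\
[28559] 1643208883.485133: Decrypted AS reply; session key is: aes256-cts/5E50
[28559] 1643208883.485144: Getting credentials admin_domaine@MON_DOMAINE.LOCAL -> ldap/mon_pdc.mon_domaine.local@MON_DOMAINE.LOCAL using ccache MEMORY:qcf1vSp
[28559] 1643208883.485163: TGS request result: 0/Success
[28559] 1643208883.485177: Getting credentials admin_domaine@MON_DOMAINE.LOCAL -> kadmin/changepw@MON_DOMAINE.LOCAL using ccache MEMORY:qcf1vSp
[28559] 1643208883.485196: TGS request result: 0/Success
[28559] 1643208883.485203: Sending initial UDP request to dgram 10.50.1.4:464
[28559] 1643208883.485204: Received answer (97 bytes) from dgram 10.50.1.4:464
! Cannot set computer password: Authentication error
"""  # constructed sample, shaped like adcli output under KRB5_TRACE

TRACE_LINE = re.compile(r"^\[\d+\] [\d.]+: (?P<msg>.*)$")
GETTING_CREDS = re.compile(r"Getting credentials \S+ -> (?P<service>\S+) using ccache")
TGS_RESULT = re.compile(r"TGS request result: (?P<code>-?\d+)/")
KPASSWD_SEND = re.compile(r"Sending initial UDP request to dgram \S+:464$")

def parse_trace(text):
    """Summarise which Kerberos stages completed and what adcli itself reported."""
    summary = {"as_ok": False, "tgs": [], "kpasswd_sent": False, "error": None}
    pending = None  # service whose TGS result has not been seen yet
    for line in text.splitlines():
        if line.startswith("! "):  # adcli's own error marker, not a libkrb5 trace line
            summary["error"] = line[2:]
            continue
        m = TRACE_LINE.match(line)
        msg = m.group("msg") if m else ""
        if msg.startswith("Decrypted AS reply"):
            summary["as_ok"] = True  # the user's password and pre-auth were accepted by the KDC
        elif (g := GETTING_CREDS.search(msg)):
            pending = g.group("service")
        elif (r := TGS_RESULT.search(msg)) and pending:
            summary["tgs"].append((pending, r.group("code") == "0"))
            pending = None
        elif KPASSWD_SEND.search(msg):
            summary["kpasswd_sent"] = True  # reached the password-set step for the computer account
    return summary

def failing_stage(summary):
    """Name the first stage that did not complete, so the right thing gets checked first."""
    if not summary["as_ok"]:
        return "AS-REQ (user credentials, pre-auth or clock skew)"
    for service, ok in summary["tgs"]:
        if not ok:
            return "TGS-REQ for " + service
    if summary["kpasswd_sent"] and summary["error"]:
        return "kpasswd on port 464: " + summary["error"]
    return "none" if summary["error"] is None else "unclassified: " + summary["error"]
```

On the sample, the AS exchange and both TGS requests succeed, so the user's credentials are not in question; the error comes back from the kpasswd service on port 464 while setting the computer account's password.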