> I have the following principals:
> servicePrincipalName
> nfs/client.domain.org/client
> servicePrincipalName
> nfs/client.domain.org/client.domain.org
That's a lot of slashes...?
> I used the 'realm' command for adding new principals for the machine (as
> long as my 'history' can reach)
>
> realm join -v -U USER --user-principal=host/client.domain.org
> --computer-ou OU="Linux computers",OU=ADResources DOMAIN.ORG
>
> realm join -v -U USER --user-principal=nfs/client.domain.org
> --computer-ou OU="Linux computers",OU=ADResources DOMAIN.ORG
>
> At last, I 'left' the domain and 'rejoined' again - but it seems that
> it wasn't done cleanly.
> Now I have no UPN entry in my /etc/krb5.keytab.
Are you sure? The easiest way to test whether it's a UPN is to do:
If that works, it's definitely a UPN.
> What is a clean way of "leaving" the domain for the machine, removing
> all entries, including DNS entries?
I know nothing about realm. With samba, net ads leave should be
sufficient, I thought.
You are right, my UPN doesn't work - the attribute is there in AD, but the credentials
don't work.
Anyway, somehow my 'client' has become crappy with all the slashed attributes; I need
to remove it and join again.
'Realmd' is relatively new; together with sssd it is supposed to make Linux AD
integration work out of the box.
Almost.
Realmd is based on self-discovery of AD or IPA services: it auto-configures sssd, writes
sssd.conf and starts sssd for the first time.
It actually works fine in Ubuntu Saucy for authentication/login, up until the point where I wanted
automount with nfs4+Kerberos working.
It would be very powerful. For now I would prefer 'msktutil', I think, for doing
the 'join' job - its operations are described more precisely, nothing hidden.
Best
Longina
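As an added example, not part of this thread or of realmd, here is a small POSIX shell check for the "too many slashes" symptom discussed above. It assumes the usual Kerberos shape of a service principal, service/host[@REALM] (for kerberized NFS, nfs/<fqdn>@REALM), and flags any keytab entry whose name carries a further '/' component, which an NFS client looking for nfs/client.domain.org would not match. The keytab listing it scans is a constructed sample in the style of `klist -k` output, not output from Longina's machine.

```shell
#!/bin/sh
# Constructed sample in the style of `klist -k /etc/krb5.keytab` output (not real data).
# Two of the nfs entries carry an extra '/' component, as in the thread.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.domain.org@DOMAIN.ORG
   2 nfs/client.domain.org@DOMAIN.ORG
   2 nfs/client.domain.org/client@DOMAIN.ORG
   2 nfs/client.domain.org/client.domain.org@DOMAIN.ORG
   2 CLIENT$@DOMAIN.ORG'

# check_principal NAME
# Returns 0 when NAME is a plain account (CLIENT$) or has exactly two
# components before the realm (service/host); returns 1 when a second '/'
# follows the host part, i.e. the principal has more components than a
# service/host principal should.
check_principal() {
    p="${1%@*}"          # drop the @REALM suffix, if any
    case "$p" in
        */*) ;;          # contains a slash: treat as a service principal
        *) return 0 ;;   # no slash: plain account name, nothing to check
    esac
    rest="${p#*/}"       # everything after the first slash (the host part)
    case "$rest" in
        */*) return 1 ;; # another slash: extra component, malformed for service/host
        *) return 0 ;;
    esac
}

# list_malformed LISTING
# Prints, one per line, every principal in a klist-style LISTING that fails
# check_principal. The first three lines of the listing are headers.
list_malformed() {
    printf '%s\n' "$1" | awk 'NR > 3 { print $2 }' | while IFS= read -r princ; do
        if ! check_principal "$princ"; then
            printf '%s\n' "$princ"
        fi
    done
}

# count_malformed LISTING
# Prints the number of malformed principals found in LISTING.
count_malformed() {
    list_malformed "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample; on a real host you would feed it
#   count_malformed "$(klist -k /etc/krb5.keytab)"
list_malformed "$SAMPLE_KEYTAB_LISTING"
```

The check only looks at the shape of the name; it says nothing about whether the key in the keytab matches what AD holds, which is a separate test (the kinit-with-keytab check hinted at earlier in the thread).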