adcli fails with "Couldn't authenticate to active directory: (...) Message stream modified"
Submitted by Philipp Wagner
Assigned to Stef Walter
Description
Created attachment 117737 adcli log
I'm trying to pre-create a computer account in AD with adcli using the command line:
adcli preset-computer --verbose --login-ccache --domain=ads.mwn.de --domain-ou='OU=Linux,OU=Computers,OU=LIS,OU=EI,OU=TU,OU=MWN' --domain-controller=mwndc.ads.mwn.de TUEILIS-ldtest2
This fails with the error message:
adcli: couldn't connect to ads.mwn.de domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)
I've attached the full log of the adcli call as attachment, with KRB5_TRACE=/dev/stderr enabled for full Kerberos logging.
Currently we are using msktutil to pre-create the computer accounts. This tool creates the accounts without problem in the same setup. I've attached the full log of that process as well for reference.
Notable things about our domain setup:
- realm is ads.mwn.de, hostnames of the PCs are *.lis.ei.tum.de
- the computer name is not equal to the hostname. In the example here, the FQDN is ldtest2.lis.ei.tum.de, the computername (netbios name) is TUEILIS-ldtest2. [This is just a side remark, I don't think it's currently possible to realize this in adcli. I will look into this as soon as this problem here is resolved.]
Googling around has led me to the impression that the error message "Message stream modified" is usually associated with capitalization problems -- unfortunately I haven't been able to figure out where.
Things I've tried:
- Made sure the temporary krb.conf is identical to the one written by msktutil: no change
- Used the current git version of adcli, as opposed to the Ubuntu 14.04 version (0.7.5): no change
- Played around with the --domain and --realm ADS.MWN.DE options: no change
- Tried the other tools (such as adcli join): same error
I'm a bit lost on this one. I'm trying to use adcli since msktutil doesn't allow to delete and reset computer accounts, and I need that feature.
Any ideas?
Attachment 117737, "adcli log":
adcli.txt