Home / server / Questions / 1064347
In Process
djneely
Asked: 2021-05-22 10:15:52 +0800 CST

Joining AD through haproxy Ubuntu 18.04

  • 772

For starters I have several Ubuntu servers successfully joined to the domain for the servers that sit in the same subnet as the DCs. However, I'm working to join a few Ubuntu machines through haproxy but running into an odd error that has me stuck at the moment. Worrying about auth flapping I disabled one of the DCs through haproxy for now.

haproxy config:

frontend DC
    bind *:389
    bind *:636
    bind *:88
    bind *:464
    mode tcp
    option tcplog
    default_backend DC_Backend

backend DC_Backend
    mode tcp
    server dc1 X.X.X.21

All in all connectivity all seems good.

On the server I'm connecting from I'm authing with the same creds as I have successfully done so inside the network. Also, I've added the int.domain.com IP in /etc/hosts to point to the proxy's IP address (Y.Y.Y.20 int.domain.com)

realm join -U linux_ad_admin --computer-ou="OU=LinuxServers,OU=Servers,OU=IT_Systems" int.domain.com --verbose

Log:

 * Resolving: _ldap._tcp.int.domain.com
 * Resolving: int.domain.com
 * Performing LDAP DSE lookup on: Y.Y.Y.20
 * Successfully discovered: int.domain.com
Password for linux_ad_admin: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain int.domain.com --domain-realm INT.DOMAIN.COM --domain-controller Y.Y.Y.20 --computer-ou OU=LinuxServers,OU=Servers,OU=IT_Systems,dc=int,dc=domain,dc=com --login-type user --login-user linux_ad_admin --stdin-password
 * Using domain name: int.domain.com
 * Calculated computer account name from fqdn: DMZHOSTTEST1
 * Using domain realm: int.domain.com
 * Sending NetLogon ping to domain controller: Y.Y.Y.20
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-llM0zh/krb5.d/adcli-krb5-conf-qOXHOs
 * Authenticated as user: [email protected]
 * Using GSS-SPNEGO for SASL bind
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to int.domain.com domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain

Any idea what I'm missing here? This same command/account joins the servers to the AD no problem while in the same subnet. But going through the proxy is suddenly giving me the insufficient permissions error. Are additional open ports needed to go through haproxy?

ubuntu active-directory realm

1 Answers

  1. Not sure if this was the best approach but was finally able to get the server joined to the domain.

    haproxy.cfg

    frontend DC
    bind *:88
    bind *:135
    bind *:138
    bind *:139
    bind *:389
    bind *:464
    bind *:636
    bind *:1389
    bind *:3268
    bind *:3269
    mode tcp
    option tcplog
    default_backend DC_Backend

backend DC_Backend
    mode tcp
    server dc1 X.X.X.21

    In addition we opened up some UDP proxying as well using pen

    pen -r -U 53 X.X.X.21:53
pen -r -U 88 X.X.X.21:88
pen -r -U 135 X.X.X.21:135
pen -r -U 138 X.X.X.21:138
pen -r -U 389 X.X.X.21:389
pen -r -U 464 X.X.X.21:464

    The issue now is determining how to allow the users to authenticate through the proxy. Running into another issue [nss] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]. Trying to work through that now.

    • 0