VMware Cloud Community
RobMokkink
Expert

esxcfg-auth --enablead

I have a problem with Active Directory authentication.

I use esxcfg-auth --enabled --addomain=example.com --addc=example.com

This way I don't have a SPOF for the domain controller. I have a PowerShell script that updates local users on each ESX host based upon a security group in Active Directory.

In our development, test and acceptance environments it all works OK. But when authenticating in production I have a problem that users can't authenticate; I get the error:

pam_krb5: authenticate error: Cannot resolve network address for KDC in requested realm (-1765328164)

When I add the domain controller the hard way, like:

esxcfg-auth --enabled --addomain=example.com --addc=dc1.example.com

authentication works OK.

I checked DNS etc., and I can find all the SRV records etc. I don't have a clue what the problem can be.

16 Replies
avlieshout
VMware Employee

To pinpoint the problem more, you could bypass DNS by adding entries in the hosts file and check if it works.

Maybe you have made hosts file entries in your test/dev environment?

If this works, the problem is probably related to DNS.

-Arnim van Lieshout
Blogging: http://www.van-lieshout.com
Twitter: http://www.twitter.com/avlieshout
If you find this information useful, please award points for "correct" or "helpful".
RobMokkink
Expert

DNS is working OK, because I get the SRV records for all the domain controllers. I don't make use of hosts files.

I also checked the policies.

Texiwill
Leadership

Hello,

Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for several ways to set up AD: full integration and LDAP-only integration.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
avlieshout
VMware Employee

Could it be the firewall blocking Kerberos?

vmmeup
Expert

I noticed an error in your command that you have there. It should look like this:

esxcfg-auth --enablead --addomain=example.com --addc=dc1.example.com

You have --enabled instead of --enablead.

I would love to see that powershell script that you have that updates the users.

Sid Smith
VCP, VTSP, CCNA, CCA(Xen Server), MCTS Hyper-V & SCVMM08
http://www.dailyhypervisor.com
Don't forget to award points for correct and helpful answers.
vmmeup
Expert

Also verify that your hosts file looks correct on the ESX hosts. The entry for the host should have both the long and the short name. Also verify time sync between the ESX hosts and your AD domain controllers.

RobMokkink
Expert

@Texiwill, I have no intention of installing 3rd-party RPMs inside the service console.

@Arnim, the firewall is all OK.

@vmmeup, I noticed the syntax; I posted it wrong on the forum. For the script see my document section in my profile:

http://communities.vmware.com/people/RobMokkink?view=documents

I also have my theory about the problem, and that is the amount of data for the DNS query when doing Kerberos/AD authentication. It is a really big environment.

I think I will stick to --addc=<fqdn of domain controller>; I think I will create another tool with PowerShell that will allow us to update the KDC, maybe I will add two servers.

Texiwill
Leadership

Hello,

@Texiwill, I have no intention of installing 3rd-party RPMs inside the service console.

The only way to properly test AD is to use kinit. It is not there by default. So you need to install, in a 'safe' way, something like krb5-workstation and then remove it afterwards, or even install it using a different ROOT directory, something like /tmp/temproot or whatever you want. That way you can just remove /tmp/temproot and remove the krb5-workstation RPM as necessary.

The key is to follow the instructions for testing and verifying that everything is set up properly... krb5.conf for example. Time sync is another. Both the LDAP and Winbind methods have pretty much the same testing steps, short of using wbinfo.

I also have my theory about the problem, and that is the amount of data for the DNS query when doing Kerberos/AD authentication. It is a really big environment.

I think I will stick to --addc=<fqdn of domain controller>; I think I will create another tool with PowerShell that will allow us to update the KDC, maybe I will add two servers.

I am not sure that is the real issue. But without kinit or joining the host to AD you will not actually get the errors that represent missing encryption protocols.

Good luck.

RobMokkink
Expert

In our development, test and acceptance environments everything works OK. I will keep the thread updated.

RobMokkink
Expert

@Texiwill, I installed the krb5-workstation RPM. But still I get:

kinit testuser

kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Texiwill
Leadership

Hello,

@Texiwill, I installed the krb5-workstation RPM. But still I get:

kinit testuser

kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Definitely some good information here. Go into /etc/krb5.conf and verify the KDC host name, and ensure you can resolve this host from the service console using ping or nslookup. Can you post your krb5.conf file?

DNS will have to work for the KDC.

RobMokkink
Expert

Yes, some good info, but like I stated in my previous post, we want to use the domain name for the KDC,

like kdc = example.com

In our development, test and acceptance environments it works, but not in production.

I have spoken to a Kerberos guru, and he stated that the KDC must be an FQDN of a host and not a domain. Still strange that it did work in our other environments.

Texiwill
Leadership

Hello,

Perhaps because in test/dev the AD domain name is actually a CNAME of an FQDN for the AD server. I know I set up my AD domains that way. Linux only really speaks DNS domains, not AD domains.

vmmeup
Expert

I always use the domain over the FQDN. I have seen two issues with this depending on the AD environment. The first is that I have had problems getting this to work in mixed-mode domains and could not determine why; the other was because the AD was locked down so tight you couldn't browse without authenticating.

Texiwill
Leadership

Hello,

You must have your AD DOMAIN as a CNAME for a machine within the DNS domain then. Or you use the AD DOMAIN NAME as the DNS domain name... Remember they are not always the same.

In Kerberos speak the 'Realm' is the AD domain, and the KDC must be specified using an FQDN or something DNS can resolve.

RobMokkink
Expert

We decided to stick with the old way, two KDCs.

One of the domain controllers that is responsible for our site and one domain controller in the central site, so we have redundancy.

I will have a look into the problem in the future.

Now I will have to port our old PowerShell script to one with a GUI.

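A check for the point the thread settled on (a kdc entry in /etc/krb5.conf must name a host, not the AD domain) together with the DNS, firewall and time-sync angles raised earlier, written for the service console shell. This is an added example, not part of the original thread and not Rob's PowerShell script. Both krb5.conf samples are constructed: the first mirrors the failing form (kdc = example.com), the second the form that worked, with two domain controllers for redundancy. The names dc1/dc2.example.com, the NTP host, and the presence of nslookup, nc and ntpdate on the host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not Rob's script: check the kdc lines
# that esxcfg-auth writes into /etc/krb5.conf on the ESX service console.
# Both krb5.conf samples are constructed. BAD_CONF mirrors the failing form
# from the thread (kdc = bare AD domain); GOOD_CONF mirrors the form that
# worked (kdc = FQDN of a domain controller, two of them for redundancy).
# dc1/dc2.example.com and the presence of nslookup, nc and ntpdate on the
# service console are assumptions.

BAD_CONF='[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = example.com
  admin_server = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
'

GOOD_CONF='[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com:88
  kdc = dc2.example.com:88
  admin_server = dc1.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
'

# Print one "REALM KDC" line (port stripped) for every kdc entry in [realms].
kdc_entries() {
    awk '
        /^[ \t]*\[/ { inrealms = ($0 ~ /^[ \t]*\[realms\][ \t]*$/); next }
        inrealms && /=[ \t]*[{]/ { realm = $1; next }
        inrealms && /^[ \t]*kdc[ \t]*=/ {
            sub(/^[ \t]*kdc[ \t]*=[ \t]*/, "")
            sub(/[ \t]*$/, "")
            sub(/:[0-9]+$/, "")
            print realm, $0
        }
    ' "$1"
}

# Exit 0 when the kdc value is only the realm's DNS domain (case-insensitive),
# the setting that produced "Cannot resolve network address for KDC" above.
is_bare_domain() {
    realm_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    kdc_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$kdc_lc" = "$realm_lc" ]
}

# Static check of a krb5.conf: exit 0 if every kdc names a host, 1 otherwise.
check_kdc_conf() {
    bad=$(kdc_entries "$1" | while read -r realm kdc; do
        if is_bare_domain "$realm" "$kdc"; then
            echo "BAD  $realm: kdc = $kdc is the AD domain, not a host FQDN" >&2
            echo "$kdc"
        else
            echo "OK   $realm: kdc = $kdc" >&2
        fi
    done)
    [ -z "$bad" ]
}

# Live probes for a host (not run offline): name resolution, TCP/88 reachability
# and clock offset against an NTP source, the three things the thread asked about.
probe_kdcs() {
    kdc_entries "$1" | while read -r realm kdc; do
        nslookup "$kdc" >/dev/null 2>&1 || echo "DNS: cannot resolve $kdc"
        nc -z -w 3 "$kdc" 88 >/dev/null 2>&1 || echo "NET: TCP/88 to $kdc blocked or closed"
    done
    # Kerberos rejects requests when clocks drift more than a few minutes (default 300 s).
    ntpdate -q "$2" 2>/dev/null | tail -n 1
}

# Usage on a host: check_kdc_conf /etc/krb5.conf && probe_kdcs /etc/krb5.conf ntp.example.com
```

The static check reproduces what the thread's "Kerberos guru" said: a kdc value equal to the realm's DNS domain is flagged, a host FQDN (with or without the :88 port suffix) passes. The live probes are only worth running on the host itself; they cover the hosts-file/DNS, firewall and time-sync suggestions in order.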