Realmd discovery and join problem


Hello,
I am trying to do discovery with realmd: "realm discover --verbose ABC.LCL".
The problem is that our AD domain is very large; we have over 200 domain controllers in different locations.
When I run realmd to do discovery, it randomly picks domain controllers to perform the discovery against, which it does not have access to due to firewalls and remote locations.

Resolving: _ldap._tcp.abc.lcl
* Performing LDAP DSE lookup on: 164.15.199.11
* Performing LDAP DSE lookup on: 164.15.131.131
* Performing LDAP DSE lookup on: 10.12.8.15
! Discovery timed out after 15 seconds
abc.lcl
type: kerberos
realm-name: ABC.LCL
domain-name: abc.lcl
configured: no

In the resolv.conf we have local domain controllers defined.
Is there a way to force realmd to perform discovery and domain join on the specific local domain controllers?

Thank you.

Responses

realmd uses adcli under the covers. There is an option for adcli that allows you to specify the domain controller to use. Maybe you could try this? It probably doesn't do all the nice extra stuff that realmd does, but if it gets you where you need to get, maybe it's worth it.

Has anyone found a workaround for this? When performing realm join in our domain it has the same issue. In the resolv.conf we have local domain controllers defined. Is there a way to force realmd to perform discovery and domain join on the specific local domain controllers?

I faced a similar issue when trying to join some of our RHEL boxes to AD. I was initially affected by the bug in Samba 4.9.1, so I was unable to use net ads to perform the join, and I couldn't use realm because the AD forest is so big that it was timing out on the LDAP DSE lookups. After initializing Kerberos with:

kinit [AD_admin_user_with_rights_to_add_machines]; klist (to verify kerberos ticket)

I found adcli to be the answer and joined the boxes using the following command:

adcli join --verbose -D [domain_name_in_lower_case] -R [domain_name_in_upper_case] -S [ip address of specific AD domain controller] -O [organization unit to which the machine was being added] -U [AD_admin_user_with_rights_to_add_machines]

The output from adcli was very informative, detailing what is happening, and the join was very quick.
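As an added example (not code from the thread or from the adcli project), the following bash script automates what the last reply does by hand: it asks DNS for the site-scoped SRV record that AD publishes per site, orders the answers by priority and weight, probes each candidate on its LDAP port so a firewalled DC is skipped instead of timing out, and passes the first reachable one to adcli join -S. The AD site name, domain and join user are assumptions read from the AD_SITE, AD_DOMAIN and AD_USER environment variables.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: pick a reachable site-local DC and join
# through it with adcli -S instead of letting realmd pick any DC in the forest.
# Assumes dig, coreutils timeout, bash's /dev/tcp and adcli are available.
set -euo pipefail

# Order SRV answers ("priority weight port target") by ascending priority,
# then descending weight. Input: dig +short SRV lines on stdin.
# Output: one "target:port" per line, preferred first.
sort_srv() {
  awk 'NF==4 { sub(/\.$/, "", $4); print $1, -$2, $4 ":" $3 }' \
  | sort -n -k1,1 -k2,2 \
  | awk '{ print $3 }'
}

# Print the host of the first host:port that accepts a TCP connection within
# $1 seconds; return 1 if none does (so the caller fails early and visibly).
first_reachable() {
  local timeout="${1:-3}" hp host port
  while IFS= read -r hp; do
    host="${hp%:*}"; port="${hp##*:}"
    if timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
      echo "$host"
      return 0
    fi
  done
  return 1
}

# AD registers one SRV record per site, so this returns only the DCs in the
# named site rather than every DC in the forest.
lookup_site_dcs() {
  local site="$1" domain="$2"
  dig +short SRV "_ldap._tcp.${site}._sites.dc._msdcs.${domain}" | sort_srv
}

if [ "${1:-}" = "join" ]; then
  SITE="${AD_SITE:?set AD_SITE to your AD site name}"   # placeholder
  DOMAIN="${AD_DOMAIN:?set AD_DOMAIN, e.g. abc.lcl}"    # placeholder
  USER_NAME="${AD_USER:?set AD_USER to the join account}" # placeholder
  DC="$(lookup_site_dcs "$SITE" "$DOMAIN" | first_reachable 3)"
  echo "Joining via reachable site DC: $DC"
  adcli join --verbose -D "$DOMAIN" -R "${DOMAIN^^}" -S "$DC" -U "$USER_NAME"
fi
```

Run it as `AD_SITE=... AD_DOMAIN=abc.lcl AD_USER=admin ./join-dc.sh join`; without the `join` argument it only defines the functions, which is how the reachability and sorting logic can be tested on its own.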