
Created on 08-18-2023 03:20 AM
Edited on 08-18-2023 05:06 AM
By Anthony_E
Description
This article describes how to resolve the error 'Included profile file could not be read' when trying to join FortiNAC to a domain under Network -> RADIUS -> 'Winbind' Tab.
Scope
FortiNAC.
Solution
When joining FortiNAC to a domain, the join can sometimes fail with the error 'Included profile file could not be read'.
If this occurs, other issues may include:
- Other Kerberos-related errors.
- Packet captures showing LDAP/SMB traffic, but no Kerberos communication.
Error:
smb_krb5_init_context_common: Krb5 context initialization failed (Included profile file could not be read)
kerberos_kinit_password_ext: kerberos init context failed (Included profile file could not be read)
kerberos_kinit_password administrator@FORTI.LAB failed: Included profile file could not be read
smb_krb5_init_context_common: Krb5 context initialization failed (Included profile file could not be read)
smb_krb5_init_context_common: Krb5 context initialization failed (Included profile file could not be read)
secrets_domain_info_kerberos_keys: kerberos init context failed (Included profile file could not be read)
secrets_store_JoinCtx: secrets_domain_info_password_create(pw) failed for FORTI - NT_STATUS_UNSUCCESSFUL
libnet_join_joindomain_store_secrets: secrets_store_JoinCtx() failed NT_STATUS_UNSUCCESSFUL
Failed to join domain: This machine is not currently joined to a domain.
This can be caused by missing files. In particular:
- Make sure the file /etc/krb5.conf is present.
This file must be in the /etc directory. Otherwise, FortiNAC will not be able to join the domain and will throw the above error.
- Copy the old krb5.conf.old file (if present) to a new krb5.conf file:
# cp /etc/krb5.conf.old /etc/krb5.conf
- Make sure the directory /etc/krb5.conf.d is present.
If the directory is not present, or there is no krb5.conf.old file, contact Fortinet Technical Support for further assistance.
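The checks above can be run in one pass from the FortiNAC CLI. The following is an added example, not Fortinet's own code: the function name check_krb5_profile and its optional ROOT prefix are hypothetical. It goes beyond the article by also checking every target named by an `include` or `includedir` directive in krb5.conf (the standard MIT Kerberos profile directives).

```shell
#!/bin/sh
# Added example (not from the article): verify the Kerberos profile files
# that the domain join depends on.
# Usage:   check_krb5_profile [ROOT]
#          ROOT is a hypothetical path prefix for testing a copied tree;
#          leave it empty to check the live /etc.
# Returns: 0 = everything present
#          1 = /etc/krb5.conf missing or unreadable
#          2 = /etc/krb5.conf.d or an include target is missing
check_krb5_profile() {
    root="${1:-}"
    conf="$root/etc/krb5.conf"
    rc=0

    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf"
        if [ -r "$conf.old" ]; then
            echo "  backup found, restore with: cp $conf.old $conf"
        else
            echo "  no krb5.conf.old backup found, contact support"
        fi
        return 1
    fi
    echo "OK: $conf"

    if [ ! -d "$root/etc/krb5.conf.d" ]; then
        echo "MISSING: $root/etc/krb5.conf.d"
        rc=2
    fi

    # Each 'include FILE' / 'includedir DIR' line names a path that the
    # Kerberos library must be able to read when it loads the profile.
    while read -r directive target rest || [ -n "$directive" ]; do
        case "$directive" in
            include)
                [ -r "$root$target" ] || { echo "UNREADABLE include: $target"; rc=2; } ;;
            includedir)
                [ -d "$root$target" ] || { echo "MISSING includedir: $target"; rc=2; } ;;
        esac
    done < "$conf"

    return "$rc"
}
```

Run `check_krb5_profile` with no argument on the appliance; a non-zero return together with a MISSING or UNREADABLE line identifies which file or directory to restore before retrying the domain join.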