treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Wed Oct 12, 2011 12:45 pm, Post subject: Error in joining to Active Directory
I am trying to join my gentoo box to Active Directory and I get the following error/errors:
Code:
localhost ~ # net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Using short domain name -- UFAD
Joined 'AT-TREYLINUX' to realm 'ad.ufl.edu'
[2011/10/12 06:36:56.842488, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password AT-TREYLINUX$@AD.UFL.EDU failed: Preauthentication failed
DNS update failed!
What am I doing wrong, and why can't I join Active Directory?
Here is the /etc/samba/smb.conf file:
Code:
[global]
workgroup = UFAD
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
interfaces = lo eth0
bind interfaces only = yes
hosts allow = 10.32. 10.242. 128.
hosts deny = 0.0.0.0/0
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = AD.UFL.EDU
password server = 128.227.0.242
winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/zsh
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
#Uncomment if your domain controller requires LDAP signing.
#client ldap sasl wrapping = seal
Here is the /etc/conf.d/net file:
Code:
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d. To create a more complete configuration,
# please review /usr/share/doc/openrc/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).
config_eth0=( "dhcp" )
dns_domain_lo="UFAD"
Here is /etc/hosts:
Code:
# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the for
# local hosts that share this file.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#
# IPv4 and IPv6 localhost aliases
127.0.0.1 at-treylinux.at.ufl.edu localhost at-treylinux
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Wed Oct 12, 2011 4:52 pm
Please, I need help with this.
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Thu Oct 13, 2011 4:10 pm
Can anyone please help me with this?
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Thu Oct 13, 2011 7:38 pm
Hi,
it's been quite a long time since I last did that, and I remember that I always got a negative answer during "net ads join", even when Samba was able to use it afterwards (I suspected a timing problem back then, and we've got a damn complicated ADS setup here).
- I always have a second /etc/hosts line with the external address of the machine itself, just in case.
- I'm also unable to update the DNS record manually (net ads dns register -u myaduser) due to some special restrictions here, but it works flawlessly for domain lookups like `wbinfo -r myaduser`.
So please check first if it is not already working!
Can you post your /etc/krb5.conf?
Do you have any interesting Samba logs?
Do you see anything special in the DC's event log?
Is the computer object within the ADS? I had to create mine manually first...
HTH, Cheers.
Power to the people!
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Fri Oct 14, 2011 12:11 pm
Thank you for your reply. I went to retry joining Active Directory and now I get the below:
Code:
# net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
So I'm not sure what the issue was. I tested it the way you suggested and got (so I guess it is not already joined):
Code:
# wbinfo -r at-adm-treyb
Could not get groups for user at-adm-treyb
Here is my krb5.conf file:
Code:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = AD.UFL.EDU
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
AD.UFL.EDU = {
kdc = UFDC01.AD.UFL.EDU:88
admin_server = UFDC01.AD.UFL.EDU:464
default_domain = AD.UFL.EDU
}
[domain_realm]
.AD.UFL.EDU = AD.UFL.EDU
AD.UFL.EDU = AD.UFL.EDU
No krb5.log, and I don't know where to find the Samba log file.
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Fri Oct 14, 2011 1:27 pm
Ok, looks like Kerberos itself now...
It should be "clockskew" instead of "clock_skew", and I increased it to 600, just in case (have a look at your system's clock and probably also the one on your DC).
I also don't have the timesync variable set, and no ticket_lifetime or ccache_type either.
You should be able to leave the ports out in the realms section, as they should get looked up via DNS.
Also, I do not have an entry for kdc at all.
But I have something like that under realms (as "domain" would represent the short NetBIOS domain name):
Code:
[realms]
DOMAIN.WHOLE.NAME = {
admin_server = DC.DOMAIN.WHOLE.NAME
default_domain = DOMAIN.WHOLE.NAME
v4_instance_convert = {
domain = domain.whole.name
}
}
The Samba logs should go into /var/log/samba/.
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Fri Oct 14, 2011 3:07 pm
I changed krb5.conf to:
Code:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
clockskew = 600
default_realm = AD.UFL.EDU
kdc_timesync = 1
forwardable = true
proxiable = true
[realms]
AD.UFL.EDU = {
admin_server = UFDC01.AD.UFL.EDU
default_domain = AD.UFL.EDU
v4_instance_convert = {
domain = ad.ufl.edu
}
}
[domain_realm]
.AD.UFL.EDU = AD.UFL.EDU
AD.UFL.EDU = AD.UFL.EDU
and I still get:
Code:
# net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
Here is a log file:
Code:
# cat log.smbd
[2011/10/14 09:57:35.454517, 0] printing/print_cups.c:109(cups_connect)
Unable to connect to CUPS server /var/run/cups/cups.sock:631 - No such file or directory
[2011/10/14 09:57:35.475773, 0] printing/print_cups.c:468(cups_async_callback)
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2011/10/14 09:57:35.476043, 1] smbd/server.c:282(remove_child_pid)
Could not find child 4263 -- ignoring
[2011/10/14 09:59:35, 0] smbd/server.c:1141(main)
smbd version 3.5.11 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/10/14 09:59:35.277516, 0] printing/print_cups.c:109(cups_connect)
Unable to connect to CUPS server /var/run/cups/cups.sock:631 - No such file or directory
[2011/10/14 09:59:35.277632, 0] printing/print_cups.c:468(cups_async_callback)
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2011/10/14 09:59:35.896831, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password LOCALHOST$@AD.UFL.EDU failed: Client not found in Kerberos database
[2011/10/14 09:59:35.897111, 0] printing/nt_printing.c:627(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2011/10/14 10:02:36.051763, 0] printing/print_cups.c:109(cups_connect)
Unable to connect to CUPS server /var/run/cups/cups.sock:631 - No such file or directory
[2011/10/14 10:02:36.051888, 0] printing/print_cups.c:468(cups_async_callback)
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2011/10/14 10:02:36.052146, 1] smbd/server.c:282(remove_child_pid)
Could not find child 2362 -- ignoring
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Sat Oct 15, 2011 7:02 am
That "domain" should correspond to the NetBIOS short name of your domain. This should be the same as the workgroup statement in smb.conf. This should be the domain name that is shown on a Windows login screen at the bottom... normally it is just the first string of the whole name. (I think that also your smb.conf's "UFAD" is a bit wrong...)
Code:
v4_instance_convert = {
ad = ad.ufl.edu
}
Please start CUPS first, as this will not pollute your Samba logs unnecessarily.
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Mon Oct 17, 2011 2:25 pm
I changed the UFAD to AD.UFL.EDU in smb.conf and I got this:
Code:
net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: Invalid configuration ("workgroup" set to 'AD.UFL.EDU', should be 'UFAD') and configuration modification was not requested
When I change it back I get:
Code:
net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Mon Oct 17, 2011 4:44 pm
treyb wrote:
> I changed the UFAD to AD.UFL.EDU in smb.conf and I got this:
No no, it should be the short name (NetBIOS). Commonly this is just the first part of the domain string, but it could be UFAD in your case!?
The default domain name looks something like "company.local". The NetBIOS name would then be just "companyname".
On a Windows host that is logged on to the domain, you can find this info in a cmd.exe window by typing "echo %USERDOMAIN%".
That link is done for Kerberos with the "v4_instance_convert" declaration in krb5.conf.
Did you get the computer object within the Active Directory?
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Mon Oct 17, 2011 7:23 pm
Everything I try, I get:
Code:
net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
How do I fix that? My new files are:
Code:
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
clockskew = 600
default_realm = AD.UFL.EDU
kdc_timesync = 1
forwardable = true
proxiable = true
[realms]
AD.UFL.EDU = {
admin_server = UFDC01.AD.UFL.EDU
default_domain = AD.UFL.EDU
v4_instance_convert = {
ad = ad.ufl.edu
}
}
[domain_realm]
.AD.UFL.EDU = AD.UFL.EDU
AD.UFL.EDU = AD.UFL.EDU
and
Code:
cat /etc/samba/smb.conf
[global]
workgroup = UFAD
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
interfaces = eth0
bind interfaces only = yes
hosts allow = 10.32. 10.242. 128.
hosts deny = 0.0.0.0/0
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = yes
smb ports = 139
security = ADS
realm = AD.UFL.EDU
password server = 128.227.0.242
winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/zsh
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
#Uncomment if your domain controller requires LDAP signing.
#client ldap sasl wrapping = seal
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Tue Oct 18, 2011 5:16 am
Please find out first what your short NetBIOS domain name is! echo %USERDOMAIN% on Windows will tell you that. Please replace the "*shortdomainname*" with that value!
I disabled a few things and added a few others....
Code:
default = FILE:/var/log/krb5.log
[libdefaults]
clockskew = 600
default_realm = AD.UFL.EDU
#kdc_timesync = 1 <-disabled
forwardable = true
proxiable = true
allow_weak_crypto = true <-added, just to get sure
[realms]
AD.UFL.EDU = {
admin_server = UFDC01.AD.UFL.EDU
default_domain = AD.UFL.EDU
v4_instance_convert = {
*shortdomainname* = ad.ufl.edu <-replace with your domain shortname, uncapitalized
}
}
[domain_realm]
.ad.ufl.edu = AD.UFL.EDU <-uncapitalized
ad.ufl.edu = AD.UFL.EDU <-uncapitalized
Code:
[global]
workgroup = *shortdomainname* <-replace with your domain shortname in capital letters
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
interfaces = eth0
bind interfaces only = yes
#hosts allow = 10.32. 10.242. 128. <-is this the right syntax!? disabled for now...
#hosts deny = 0.0.0.0/0 <-really!? disabled for now...
encrypt passwords = yes
#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 <- leave the default here, as 8192 could decrease your loopback performance...
#dns proxy = yes <-just leave the default here...
smb ports = 139 <-default values should work also here
security = ADS
realm = AD.UFL.EDU
password server = 128.227.0.242 <- is this the IP of UFDC01.AD.UFL.EDU???
#winbind separator = / <-should not be necessary, at least not for joining the domain
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#template homedir = /home/%D/%U <-disabled for now
#template shell = /bin/zsh <- disabled for now
#client use spnego = yes <- disabled for now
#client ntlmv2 auth = yes <- disabled for now
#winbind use default domain = yes <- disabled for now
#restrict anonymous = 2 <- disabled for now
domain master = no
local master = no
preferred master = no
#os level = 0 <- disabled for now
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
netbios name = *thesambaservershostnamehere* <-please add your hostname!
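The rules nativemad is applying by hand above (workgroup must be the NetBIOS short name, realm upper-case and matching krb5's default_realm, domain_realm mappings pointing at that realm, a sane clockskew) can be checked mechanically before running `net ads join`. The following is an added example written for this thread, not code from the original posts or from Samba or MIT Kerberos; the sample smb.conf and krb5.conf texts are constructed from the values posted here, and the first smb.conf deliberately repeats the "workgroup = AD.UFL.EDU" mistake so the check has something to catch.

```python
"""Pre-join consistency check for smb.conf [global] and krb5.conf.
Constructed example for this thread; sample configs below are modelled on the
values posted above (AD.UFL.EDU / UFAD) and are not copied from any host."""
import re

def parse_smb_global(text):
    """Key/value pairs of the [global] section; keys lower-cased with
    whitespace collapsed so 'netbios  name' and 'netbios name' match."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:
            section = match.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            result[" ".join(key.split()).lower()] = value.strip()
    return result

def parse_krb5(text):
    """krb5.conf -> {section: {key: value-or-nested-dict}}; the '{ ... }'
    blocks used under [realms] become nested dicts (any depth)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:
            stack = [conf.setdefault(match.group(1).strip(), {})]
            continue
        if not stack:
            continue                       # text before the first section
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf

def check_join_config(smb_text, krb5_text):
    """Return a list of (severity, message); an empty list means consistent."""
    smb, krb = parse_smb_global(smb_text), parse_krb5(krb5_text)
    libdefaults = krb.get("libdefaults", {})
    workgroup, realm = smb.get("workgroup", ""), smb.get("realm", "")
    findings = []
    if smb.get("security", "").lower() != "ads":
        findings.append(("error", "security must be ADS for a Kerberos domain join"))
    if not workgroup:
        findings.append(("error", "workgroup (NetBIOS domain short name) is not set"))
    elif "." in workgroup or len(workgroup) > 15:
        findings.append(("error", f"workgroup {workgroup!r} must be the NetBIOS short name "
                                  "(what 'echo %USERDOMAIN%' prints), not a DNS name"))
    if not realm:
        findings.append(("error", "realm is not set"))
    elif realm != realm.upper():
        findings.append(("warn", f"realm {realm!r} should be upper-case; Kerberos realms are case-sensitive"))
    if libdefaults.get("default_realm", "") != realm:
        findings.append(("error", f"krb5 default_realm {libdefaults.get('default_realm')!r} "
                                  f"differs from smb.conf realm {realm!r}"))
    if realm and realm not in krb.get("realms", {}) and libdefaults.get("dns_lookup_kdc", "").lower() != "true":
        findings.append(("error", f"no [realms] entry for {realm!r} and dns_lookup_kdc is not enabled"))
    for domain, mapped in krb.get("domain_realm", {}).items():
        if mapped != realm:
            findings.append(("warn", f"[domain_realm] maps {domain!r} to {mapped!r}, not {realm!r}"))
    if "clockskew" not in libdefaults:
        findings.append(("info", "no clockskew in [libdefaults]; the 300 s default applies, keep the clock synced with the DC"))
    if len(smb.get("netbios name", "")) > 15:
        findings.append(("error", "netbios name exceeds the 15-character NetBIOS limit"))
    return findings

# Constructed samples: SMB_CONF_BAD repeats the thread's mistake (workgroup set
# to the DNS name); SMB_CONF_OK uses the NetBIOS short name.
KRB5_CONF = """
[libdefaults]
    default_realm = AD.UFL.EDU
    clockskew = 600
    forwardable = true
[realms]
    AD.UFL.EDU = {
        admin_server = UFDC01.AD.UFL.EDU
        default_domain = AD.UFL.EDU
        v4_instance_convert = {
            ufad = ad.ufl.edu
        }
    }
[domain_realm]
    .ad.ufl.edu = AD.UFL.EDU
    ad.ufl.edu = AD.UFL.EDU
"""
SMB_CONF_OK = """
[global]
    workgroup = UFAD
    security = ADS
    realm = AD.UFL.EDU
    netbios name = at-treylinux
"""
SMB_CONF_BAD = SMB_CONF_OK.replace("workgroup = UFAD", "workgroup = AD.UFL.EDU")

if __name__ == "__main__":
    for label, text in (("bad", SMB_CONF_BAD), ("ok", SMB_CONF_OK)):
        print(label, check_join_config(text, KRB5_CONF))
```

Run it against the real files with `check_join_config(open("/etc/samba/smb.conf").read(), open("/etc/krb5.conf").read())`; the "bad" sample produces exactly the workgroup error that `net ads join` reported in the thread ("workgroup" set to 'AD.UFL.EDU', should be 'UFAD'), while the corrected sample produces no findings.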
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Tue Oct 18, 2011 11:43 am
OK, I made all the changes and I got some progress:
Code:
# net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Using short domain name -- UFAD
Joined 'AT-TREYLINUX' to realm 'ad.ufl.edu'
DNS update failed!
When I run echo %USERDOMAIN% on my Windows box I get UFAD, which is what I have been using for the most part. I do apologize if I seem a little slow, but I am learning, and I am converting from Windows to Linux. I chose Gentoo because I didn't want to grab a distro that is thrown on and just runs (Linux for idiots style); I want to know what is being done, I wanted to learn how Linux works from the ground up.
Anyway, I wasn't sure if the netbios name was the box that I am actually trying to join or not, but here is the updated smb.conf. The previous password server was what came up as the name server in Windows. ufdc01 is the domain controller that I am supposed to use for Linux.
I thank you for all your help so far and any more you are willing to give.
Code:
cat /etc/samba/smb.conf
[global]
workgroup = UFAD
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
interfaces = eth0
bind interfaces only = yes
#hosts allow = 10.32. 10.242. 128.
#hosts deny = 0.0.0.0/0
encrypt passwords = yes
#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#dns proxy = yes
smb ports = 139
security = ADS
realm = AD.UFL.EDU
password server = 10.5.187.250
#winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#template homedir = /home/%D/%U
#template shell = /bin/zsh
#client use spnego = yes
#client ntlmv2 auth = yes
#winbind use default domain = yes
#restrict anonymous = 2
domain master = no
local master = no
preferred master = no
#os level = 0
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
netbios name = at-treylinux
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Tue Oct 18, 2011 2:55 pm
No problem at all.
It is really not the easiest task to start with, if one is not familiar with domain/Kerberos/DNS/Samba stuff...
Back to your problem:
What do you have as nameserver in /etc/resolv.conf? Is it the domain's DNS server? (This is commonly the DC itself.)
By the way: I also get these DNS registering errors, even if the record is set and everything works.
What do you get with the following commands? `net ads status -U at-adm-treyb` and/or `net ads testjoin -u at-adm-treyb`
To issue just the DNS update: `net ads dns register -U at-adm-treyb`
Another side note: you'll get a list of options with "net ?" and "net ads ?" as well as "net ads dns ?" and so on...
I suppose you don't have access to the DC's event log?!
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Tue Oct 18, 2011 3:01 pm
Quote:
> By the way: I also get these DNS registering errors, even if the record is set and everything works.
> What do you get with the following commands?
> net ads status -U at-adm-treyb
> and/or
> net ads testjoin -u at-adm-treyb
> To issue just the DNS update:
> net ads dns register -U at-adm-treyb
Here is what I got:
Code:
# net ads status -U at-adm-treyb
Enter at-adm-treyb's password:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: at-treylinux
distinguishedName: CN=at-treylinux,OU=Workstations,OU=Computers,OU=WSG,OU=AT,OU=IT,OU=PROVOST,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
instanceType: 4
whenCreated: 20111003112511.0Z
whenChanged: 20111018113504.0Z
uSNCreated: 826468695
uSNChanged: 851214873
name: at-treylinux
objectGUID: e78c6f00-6658-4ffb-982e-99f3fe49f63c
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129628930181485185
lastLogon: 129629118139143277
localPolicyFlags: 0
pwdLastSet: 129634112925091828
primaryGroupID: 515
objectSid: S-1-5-21-1308237860-4193317556-336787646-1057491
accountExpires: 9223372036854775807
logonCount: 31
sAMAccountName: AT-TREYLINUX$
sAMAccountType: 805306369
dNSHostName: at-treylinux.at.ufl.edu
servicePrincipalName: HOST/at-treylinux.at.ufl.edu
servicePrincipalName: HOST/AT-TREYLINUX
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=ufl,DC=edu
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129634112930560508
Code:
# net ads testjoin -U at-adm-treyb
Join is OK
Code:
# net ads dns register -U at-adm-treyb
Enter at-adm-treyb's password:
DNS update failed!
If it helps, I still see this prompt when I ssh into the Linux box: localhost ~ #
Code:
localhost ~ # cat /etc/resolv.conf
# Generated by dhcpcd from eth0
# /etc/resolv.conf.head can replace this line
domain circa.ufl.edu
nameserver 128.227.8.88
nameserver 128.227.128.24
# /etc/resolv.conf.tail can replace this line
which is the nameserver that my Windows server box has. And no, I don't have access to the ufdc01 logs or anything outside of using it to join the domain.
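The `net ads status` dump above is worth reading as an audit record rather than just a "join is OK" signal: userAccountControl 69632 decodes to WORKSTATION_TRUST_ACCOUNT plus DONT_EXPIRE_PASSWORD, the two HOST/ SPNs must match the object's own names, and dNSHostName (at-treylinux.at.ufl.edu) lies outside the realm's DNS zone (ad.ufl.edu), which is the zone-ownership question behind a dynamic DNS update. The following is an added example written for this thread, not code from the original posts or from Samba; the sample text is a shortened copy of the output posted above (the DN is abbreviated), and the UAC bit values are the published ADS_UF_* constants.

```python
"""Audit of a `net ads status` dump: decodes userAccountControl and checks the
computer object against the realm and its own SPNs. Constructed example for
this thread; STATUS_SAMPLE is shortened from the output posted in the thread."""

# Bit values of the userAccountControl attribute (ADS_UF_* constants).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def parse_net_ads_status(text):
    """'attribute: value' lines -> {attribute: [values]}; multi-valued
    attributes such as servicePrincipalName keep every value."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_computer_object(status_text, realm):
    """Return {'uac_flags': [...], 'findings': [(severity, message), ...]}."""
    attrs = parse_net_ads_status(status_text)

    def first(name):
        return attrs.get(name, [""])[0]

    flags = decode_uac(int(first("userAccountControl") or "0"))
    findings = []
    if "WORKSTATION_TRUST_ACCOUNT" not in flags:
        findings.append(("error", "object is not a workstation trust account"))
    if "ACCOUNTDISABLE" in flags:
        findings.append(("error", "computer account is disabled"))
    for risky in ("TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION", "PASSWD_NOTREQD"):
        if risky in flags:
            findings.append(("warn", f"{risky} is set on a workstation account; confirm it is intended"))
    sam = first("sAMAccountName")
    if not sam.endswith("$"):
        findings.append(("error", f"sAMAccountName {sam!r} lacks the trailing '$' of a machine account"))
    dns_name = first("dNSHostName").lower()
    if dns_name and not dns_name.endswith("." + realm.lower()):
        findings.append(("warn", f"dNSHostName {dns_name!r} is outside the realm's DNS zone {realm.lower()!r}; "
                                 "a dynamic DNS update goes to the zone that contains this name, so check "
                                 "that the AD DNS servers are authoritative for it"))
    spns = {s.lower() for s in attrs.get("servicePrincipalName", [])}
    for name in (dns_name, sam.rstrip("$").lower()):
        if name and f"host/{name}" not in spns:
            findings.append(("error", f"missing servicePrincipalName HOST/{name}"))
    if first("primaryGroupID") != "515":
        findings.append(("info", f"primaryGroupID {first('primaryGroupID')!r} is not 515 (Domain Computers)"))
    return {"uac_flags": flags, "findings": findings}

# Shortened from the thread's `net ads status` output (DN abbreviated).
STATUS_SAMPLE = """\
objectClass: computer
cn: at-treylinux
distinguishedName: CN=at-treylinux,OU=Workstations,DC=ad,DC=ufl,DC=edu
userAccountControl: 69632
primaryGroupID: 515
sAMAccountName: AT-TREYLINUX$
sAMAccountType: 805306369
dNSHostName: at-treylinux.at.ufl.edu
servicePrincipalName: HOST/at-treylinux.at.ufl.edu
servicePrincipalName: HOST/AT-TREYLINUX
"""

if __name__ == "__main__":
    print(audit_computer_object(STATUS_SAMPLE, "AD.UFL.EDU"))
```

On the posted output the only finding is the dNSHostName warning; flip the host name's domain to ad.ufl.edu and the object audits clean. Delegation flags are checked because a workstation object that is trusted for delegation is a privilege a defender wants to notice, whatever its join status.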
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Tue Oct 18, 2011 3:36 pm
Voilà!
Your computer object is there and the testjoin seems to work also!
wbinfo should also work now.
What else do you want to achieve?
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Tue Oct 18, 2011 3:40 pm
Hrmm, will this be joined to AD every time I reboot? I also want to get it to where AD users can log in to the machine. There are also network drives that each user should have attached when they log in.
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Tue Oct 18, 2011 4:02 pm
Yes, it should be safe to reboot and so on...
BUT that was just Samba!! It is for letting Windows users on your file shares. You could also hook up Squid to Samba to get ADS authentication for the proxy and so on.
BUT you will now have to configure PAM and its friends to be able to actually log in through a shell.
I never used it myself and know that a friend of mine had a hard time getting this to work properly.
I will ask him about his configs...
treyb (n00b), Joined: 20 Sep 2011, Posts: 51
Posted: Fri Oct 21, 2011 12:17 am
Ok, even though I get OK with the net ads testjoin command, I am not able to log in with Active Directory users and still get "dns failed to update".
Here is what I have done so far......
Code:
File: /etc/nsswitch.conf
passwd: compat winbind
shadow: compat winbind
group: compat winbind
mkdir /home/UFAD
cd /etc/pam.d
mv system-auth system-auth-default
ln -s system-auth-winbind system-auth
Code:
File: /etc/sudoers (edited using visudo)
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Allow "Domain Admins" from the domain "DOMAIN" to run all commands
%UFAD\\UFAD\ Admins ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
I have no idea why it won't allow me to log in with my Active Directory account, and I am not able to add the network drive.
I get:
Code:
mount //<server>/<share> /<mountpoint> -o username=<user>,password=<pass>
And I get an error about cifs not being able to connect. Honestly, I am at home and the computer is at work. Am I even in the right ballpark?
nativemad (Developer), Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Wed Oct 26, 2011 3:55 pm
Hi,
sorry for the delay!
My friend didn't make it with winbind/Samba; he took LDAP directly.
A service user (binddn in /etc/ldap.conf) of the AD is used here to access LDAP, but I don't know if this is necessary if anonymous read access is allowed to AD (which commonly is)!?
The domain is called domain.ltd and the DC is ldap.domain.ltd.
One special thing is the base OU, where access gets restricted to administrative users! Set it to dc=domain,dc=ltd to let every AD user log in.
Hope that helps!
Code:
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
shadow: files ldap [NOTFOUND=return] db
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Code:
# /etc/nsswitch.ldap
#ident $Id: nsswitch.ldap,v 2.4 2003/10/02 02:36:25 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult files/dns first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns ldap
# LDAP is nominally authoritative for the following maps.
services: ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files
# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases: files
sendmailvars: files
# Note: there is no support for netgroups on Solaris (yet)
netgroup: ldap [NOTFOUND=return] files
Code:
# /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.TLD
dns_lookup_realm = true
dns_lookup_kdc = true
clockskew = 600
forwardable = true
proxiable = true
allow_weak_crypto = true
ccache_dir=/tmp
[realms]
DOMAIN.TLD = {
kdc = ldap.domain.tld:88
admin_server = ldap.domain.tld:749
default_domain = ldap.domain.tld
v4_instance_convert = {
domain = domain.tld
}
}
[domain_realm]
.domain.tld = DOMAIN.TLD
domain.tld = DOMAIN.TLD
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Code:
# /etc/ldap.conf - just the active part of the file...
# @(#)$Id: ldap.conf,v 2.49 2009/04/25 01:53:15 lukeh Exp $
host ldap.domain.ltd
# The distinguished name of the search base.
base ou=Administratve Usergroup,dc=domain,dc=ltd
binddn CN=directory search,OU=Service-Users,DC=domain,DC=ltd
bindpw topsecretuserpasswordhereinplaintext
scope sub
bind_policy soft
pam_password ad
nss_initgroups backlink
nss_schema rfc2307bis
nss_map_attribute rfc2307attribute mapped_attribute
nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
tls_checkpeer yes
tls_cacertfile /etc/ssl/ad.cert
tls_cacertdir /etc/ssl/certs
tls_ciphers TLSv1
tls_cert
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5cc_0
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping
Code:
# /etc/openldap/ldap.conf
URI ldap://ldap.domain.ltd
BASE dc=domain,dc=ltd
HOST ldap.domain.ltd
TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT never
Code:
# /etc/pam.d/system-auth
auth sufficient pam_ldap.so
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
password sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
Code:
# /etc/security/groups.conf
* ; * ; * ; Al0000-2400 ; floppy, audio, cdrom, video, usb, plugdev, burning, users, portage
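Two settings in the /etc/ldap.conf and /etc/openldap/ldap.conf shown above deserve a second look before the layout is copied: the service account's bindpw sits in the file in clear text, and TLS_REQCERT never switches off verification of the directory server's certificate even though tls_checkpeer yes was set in the other file. The following is an added example written for this thread, not code from the original post or from PADL pam_ldap/nss_ldap or OpenLDAP; it parses the posted style of config and reports the weak settings beside a hardened variant (rootbinddn with /etc/ldap.secret, ssl start_tls, TLS_REQCERT demand). Sample texts are constructed with placeholder values.

```python
"""Audit of pam_ldap/nss_ldap (/etc/ldap.conf) and OpenLDAP client
(/etc/openldap/ldap.conf) settings. Constructed example for this thread; the
samples below are modelled on the posted files with placeholder values."""

def parse_kv(text):
    """'key value [# comment]' lines -> {key_lower: [values]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit_pam_ldap(text):
    """Findings for a PADL-style /etc/ldap.conf as used by pam_ldap and nss_ldap."""
    conf, findings = parse_kv(text), []
    if "bindpw" in conf:
        findings.append(("high", "bindpw keeps a directory credential in clear text; use rootbinddn "
                                 "with /etc/ldap.secret (root-only, mode 0600) instead"))
    if conf.get("ssl", ["off"])[0].lower() not in ("on", "start_tls"):
        findings.append(("high", "no 'ssl on' or 'ssl start_tls': simple binds and lookups travel "
                                 "unencrypted on port 389"))
    if conf.get("tls_checkpeer", ["no"])[0].lower() not in ("yes", "on", "true"):
        findings.append(("high", "tls_checkpeer is not yes: the server certificate is not verified"))
    return findings

def audit_openldap_client(text):
    """Findings for /etc/openldap/ldap.conf (ldap.conf(5) keywords)."""
    conf, findings = parse_kv(text), []
    reqcert = conf.get("tls_reqcert", ["demand"])[0].lower()   # demand is the library default
    if reqcert in ("never", "allow"):
        findings.append(("high", f"TLS_REQCERT {reqcert}: the server certificate is not verified, "
                                 "so the directory connection can be intercepted"))
    if "tls_cacert" not in conf and "tls_cacertdir" not in conf:
        findings.append(("warn", "no TLS_CACERT or TLS_CACERTDIR: certificate verification has no trust anchor"))
    return findings

# Constructed samples: *_POSTED mirrors the thread's files, *_HARDENED the fix.
PAM_LDAP_POSTED = """\
host ldap.domain.ltd
base dc=domain,dc=ltd
binddn CN=directory search,OU=Service-Users,DC=domain,DC=ltd
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
scope sub
pam_login_attribute sAMAccountName
tls_checkpeer yes
tls_cacertfile /etc/ssl/ad.cert
nss_reconnect_tries 4 # number of times to double the sleep time
"""
PAM_LDAP_HARDENED = """\
uri ldap://ldap.domain.ltd
base dc=domain,dc=ltd
rootbinddn CN=directory search,OU=Service-Users,DC=domain,DC=ltd
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ad.cert
scope sub
pam_login_attribute sAMAccountName
"""
OPENLDAP_POSTED = """\
URI ldap://ldap.domain.ltd
BASE dc=domain,dc=ltd
TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT never
"""
OPENLDAP_HARDENED = OPENLDAP_POSTED.replace("TLS_REQCERT never", "TLS_REQCERT demand")

if __name__ == "__main__":
    for label, fn, text in (("pam_ldap posted", audit_pam_ldap, PAM_LDAP_POSTED),
                            ("pam_ldap hardened", audit_pam_ldap, PAM_LDAP_HARDENED),
                            ("openldap posted", audit_openldap_client, OPENLDAP_POSTED),
                            ("openldap hardened", audit_openldap_client, OPENLDAP_HARDENED)):
        print(label, fn(text))
```

With rootbinddn the bind password moves to /etc/ldap.secret, which only root (and therefore nss_ldap running as root, e.g. in PAM) can read; unprivileged lookups then fall back to anonymous or the non-root binddn, so the trade-off is that the file's exposure shrinks to root rather than to every user who can read /etc/ldap.conf.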