Hi,
As I have the chance to play both sides of the fence, I’m trying to join
a 12.1 openSUSE machine to an AD runing in Windows 2008 server. We
control of the entire network, and we are the IT personnel in training,
lets say. The “entire network” consists of one windows 2008 machine and
one linux machine, plus one virtual Windows 7 machine, and one router.
So I fire the Windows Domain Membership module in YaST. It simply can
not join the domain!
We do not find any error event in the windows log, apparently the
user/pass is accepted.
I’m following the documented method:
> http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.security.ad.html
I have tried with firewall down, or set to internal, and internal not
protected.
I find instructions in
http://community.spiceworks.com/how_to/show/1958 for doing it manually.
Apparently, the first step is matching the clocks:
> linux:~ # ntpdate antonaca-servidor.antonaca.local
> Error resolving antonaca-servidor.antonaca.local: Name or service not known (-2)
> 20 Feb 18:50:32 ntpdate[3602]: Can't find host antonaca-servidor.antonaca.local: Name or service not known (-2)
> 20 Feb 18:50:32 ntpdate[3602]: no servers can be used, exiting
> linux:~ # ^C
> linux:~ # host antonaca-servidor.antonaca.local
> antonaca-servidor.antonaca.local has address 192.168.2.106
> antonaca-servidor.antonaca.local has address 192.168.59.1
> antonaca-servidor.antonaca.local has address 192.168.232.1
> linux:~ #
The windows machine is indeed running the clock service, so my guess is
that the windows time service is not an standard NTP service. What a
surprise. I have been unable to locate (google) information on how to
enable such a service in Windows, only about how to synchronize windows
with an external server.
I have to set the time in my linux machine with an external NTP service,
and hope that the Windows machine does the same. Visually both clocks
have similar time, at lest within 20 seconds or so.
Next manual step is kerberos. The instructions I’m following say:
3 Configure Keberos by editing /etc/krb.conf
[libdefaults]
default_realm = YOUR.DOMAIN
ticket_lifetime = 24h
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
YOUR.DOMAIN= {
kdc = AD.your.domain:88
admin_server = AD.your.domain:749
default_domain = YOUR.DOMAIN
}
[domain_realm]
..your.domain = YOUR.DOMAIN
Your.domain = YOUR.DOMAIN
4 Test Kerberos by generating a ticket
SQUID:~# sudo kinit administrateur
Password for administrateur@YOUR.DOMAIN:
If all went well you should get a response like this:
SQUID:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@YOUR.DOMAIN
Valid starting Expires Service principal
01/18/11 17:49:33 01/19/11 03:49:36 krbtgt/YOUR.DOMAIN@YOUR.DOMAIN
renew until 01/19/11 17:49:33
No go. I also try the yast module for configuring kerberos client:
Default domain: antonaca.local
Default realm: ANTONACA.LOCAL
KDC server address: antonaca-servidor.antonaca.local
Advanced settings: nothing changed.
yast configures /etc/krb5.conf. I try:
> linux:~ # kinit administrator@antonaca.local
> kinit: Cannot resolve network address for KDC in realm "antonaca.local" while getting initial credentials
> linux:~ # kinit administrador@antonaca.local
> kinit: Cannot resolve network address for KDC in realm "antonaca.local" while getting initial credentials
> linux:~ #
> linux:~ # host antonaca.local
> antonaca.local has address 192.168.2.106
> antonaca.local has address 192.168.232.1
> antonaca.local has address 192.168.59.1
> linux:~ #
So, we are stuck there.
In YaST Windows Domain Membership module, the sequence now is:
start module. Configure:
Domain: antonaca.local
X Use smb information for linux atuthentication (tried als without
ticking that)
X create Home directory on Login
X offline authentication
X Single sign-on for ssh
In expert settings, just disable “retrieve wins server via dhcp”,
because the IP is fixed. I do not know where to setup the IP of the wins
server, which is active in the windows machine. Tried both “use WINS for
hostname resolution” and not.
When I click accept, first it tries to verify domain membership, next
workgroup (why workgroup?), which takes about half a minute. Then a box
says that the host is not a member of the domain, and asks if I want to
join. I answer yes, and a “closed” window (a window sized to height
almos zero, unreadable), which I have to resize, prompts for domain user
and password. I enter them (in Spanish, Administrador, not
Administrator, but we tried both). There is also a button to obtain list
of “machine account OU”, wich returns empty. on accept, it takes a
longish time, then it fails with message: “Failed to join domain: failed
to connect to AD: operations error”. The windows event log shows no error.
This error leaves no exit way except cancel the configuration and lose
changes.
So, the main problem appears to be kerberos refusing to authenticate,
and it seems to be a Linux problem. Where do I look?
Hold on, it is working!
A colleague, intrigued by our problems, installed ubuntu live in his
windows 2008 server. Found a post saying to disable avahi, because it
interferes with .local searches.
> https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/205236
···············.
Ubuntu (like Apple) uses Zeroconf for simple service discovery on LAN,
and this makes use of the .local domain. On the other hand, Microsoft AD
won’t work correctly if its domain name is not served by its own DNS.
Using .local for a domain name is therefore a recipe for trouble [1].
If for some reason you have to join an AD domain called
“something.local”, then you want to disable Zeroconf because the two
won’t work together. You want the .local DNS domain to be served
primarily by the Microsoft DNS and not by Zeroconf. So you edit the
/etc/nsswitch.conf file accordingly.
···············.
So, I stopped services rcavahi-daemon and rcavahi-dnsconfd, and it
worked and fast!
Our documentation doesn’t say anything about this.
–
Cheers / Saludos
Carlos E. R.