
Thread: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

  1. #1

    Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    At work I can join the following OS using YaST without any issues whatsoever:

    Leap 15.0
    Leap 15.1

    I can configure pam to allow console / xdm logins. pam_mount works as well.

    With Leap 15.2 I have to make adjustments to smb.conf to get it working. The krb5.conf files are identical between 15.2 and 15.1.

    15.2 smb.conf offending section (bad):

    Code:
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    idmap config ads : backend = rid
    idmap config ads : range = 20001-99999

    15.1 smb.conf equivalent section (good):

    Code:
    idmap gid = 10000-20000
    idmap uid = 10000-20000


    I cannot join 15.3 / 15.4 at all. 15.4 claims it cannot find the DC for our domain (I did check the SRV records, they are there, and it works for 15.0 ... 15.2 so ...).
    Also the YaST logfiles for krb5.conf and smb.conf show sections with "(null)" for the REALM config line. Something is not right. The resolv.conf files are identical for all versions.

    Code:
    # krb5.conf

    [realms]
        (null) = {
            kdc = xxx.xxx.xxx (it's the right one)
        }

    Code:
    # smb.conf

    [global]
            create krb5 conf = no
            include = /etc/samba/dhcp.conf
            kerberos method = secrets and keytab
            realm = (null) <-- this is not right
            security = ads
            workgroup = ADS
            cups options = raw

    YaST error message:

    Code:
    Failed to join domain: failed to find DC for domain XXX - The object was not found

    15.3 immediately complains:

    Code:
    Cannot use the workgroup XXX for Linux authentication. Enter a domain or disable using SMB for Linux authentication.

    I would be glad if someone could try AD joining Leap clients. With Tumbleweed I have identical issues as with 15.4.
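
A pre-join check for the symptom described in post #1, as an added example that is not part of the original post or of YaST: it reads the `realm` setting from `[global]` in smb.conf and the stanza names under `[realms]` in krb5.conf and flags a literal "(null)". The function names, the temporary file names and the `example.com` values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: spot the "(null)" realm described in post #1 before joining.

# Print the value of KEY (given in lower case) from [global] in an smb.conf.
smb_global() {  # usage: smb_global FILE KEY
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == want) val = v
        }
        END { print val }' "$1"
}

# Print the realm names that open a stanza inside [realms] of a krb5.conf.
krb5_realms() {  # usage: krb5_realms FILE
    awk '
        /^[ \t]*\[/ { r = ($0 ~ /^[ \t]*\[realms\]/); depth = 0; next }
        r && depth == 0 && /=[ \t]*[{]/ {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
            print name
        }
        r { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}") }' "$1"
}

# Return 0 if both files carry a usable realm, 1 otherwise (findings on stdout).
check_join_config() {  # usage: check_join_config SMB_CONF KRB5_CONF
    rc=0
    sec=$(smb_global "$1" security | tr '[:upper:]' '[:lower:]')
    realm=$(smb_global "$1" realm)
    if [ "$sec" = ads ] && { [ -z "$realm" ] || [ "$realm" = "(null)" ]; }; then
        echo "smb.conf: security = ads but realm is '$realm'"; rc=1
    fi
    for r in $(krb5_realms "$2"); do
        if [ "$r" = "(null)" ]; then echo "krb5.conf: realm stanza is (null)"; rc=1; fi
    done
    return $rc
}

# Constructed samples: the broken pair from post #1 and a corrected pair.
tmp=$(mktemp -d)
printf '[global]\n\tsecurity = ads\n\trealm = (null)\n' > "$tmp/smb.bad"
printf '[realms]\n\t(null) = {\n\t\tkdc = dc1.example.com\n\t}\n' > "$tmp/krb5.bad"
printf '[global]\n\tsecurity = ADS\n\trealm = EXAMPLE.COM\n' > "$tmp/smb.ok"
printf '[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = dc1.example.com\n\t}\n' > "$tmp/krb5.ok"
check_join_config "$tmp/smb.bad" "$tmp/krb5.bad" || echo "=> fix realm before joining"
check_join_config "$tmp/smb.ok" "$tmp/krb5.ok" && echo "=> realm settings look usable"
```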

  2. #2
    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Quote Originally Posted by robert_spitzenpfeil
    Code:
    [global]
            create krb5 conf = no
            include = /etc/samba/dhcp.conf
            kerberos method = secrets and keytab
            realm = (null) <-- this is not right
            security = ads
            workgroup = ADS
            cups options = raw

    Manually configure the 'realm = ' entry as required?
    https://wiki.samba.org/index.php/Set..._smb.conf_File
    https://wiki.archlinux.org/title/Act...iguration_file
    openSUSE Leap 15.4; KDE Plasma 5

  3. #3
    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Have you tried joining the AD manually? (Sorry I can only offer general advice here as I do not have a domain environment.)
    openSUSE Leap 15.4; KDE Plasma 5

  4. #4

    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Not really successfully. I've managed to "semi-join" using "realm" (part of realmd package). Now it claims to be a member server, but the LDAP server IP is unset. Very unhappy. "sssd" appears to be in some sort of startup / crash loop.
    Using net ads join + winbind also did something, but essentially it ain't working for me.

  5. #5
    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Code:
    [global]
            security = ADS
            realm = DOMAINHERE
            workgroup = WORKGROUPHERE
            log file = /var/log/samba/%m.log
            kerberos method = secrets and keytab
            client signing = yes
            min protocol = SMB3
            disable spoolss = yes
            max protocol = SMB3
            winbind use default domain = yes
            winbind enum users = Yes
            winbind enum groups = Yes
            winbind offline logon = yes
            winbind expand groups = 2
            template homedir = /home/%D/%U
            template shell = /bin/bash
            usershare allow guests = No
            winbind refresh tickets = yes
            max open files = 940790
            ea support = yes
            lm announce = yes       
            local master = no
            domain master = no
            case sensitive = true
            use sendfile = yes
            large readwrite = yes
            getwd cache = true
            block size = 262144
            idmap gid = 10000-20000
            idmap uid = 10000-20000

    No problems with 2016/2019 domain here.

    AD DNS is used.
    .: miuku @ #opensuse @ irc.libera.chat

  6. #6

    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Did you join with YaST?

    I've progressed a bit further. After completely disabling apparmor, I can join our domain with YaST. Still winbind auth fails...

  7. #7
    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Quote Originally Posted by robert_spitzenpfeil
    Did you join with YaST?

    Yes, no issues.

    Tested with fresh 15.3 VM in VMware, bog standard 2019 DCs, DNS hosted on the DCs themselves and SUSE box has both set via resolv.conf.

    You're not using .local as the domain name by the way? That might cause issues.

    Fresh box;
    YAST > Network Services > Windows Domain Membership
    Type domain.fi
    [x] Use SMB Information for Linux Authentication
    [x] Create Home Directory on Login
    [x] Offline Authentication
    [x] Single Sign-on for SSH


    YAST wants to install krb5-client.. wait a moment.

    "This host is not a member of the domain <SOMETHING>.

    Join the domain <SOMETHING>"

    Yes > Username Domain Admin + Pass > Domain <SOMETHING> joined successfully > Machine account successfully created and net getdomainsid gives proper SID for machine, net ads info gives proper info.
    .: miuku @ #opensuse @ irc.libera.chat

  8. #8

    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    No. I use our official domain name. DNS resolvable and all. It works up until Leap 15.2 (with smb.conf fix). I will check if 15.3 works with apparmor off. The last test was with tumbleweed.

  9. #9

    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Hmmm...

    For me 15.3 has some issues with "SambaAD.pm(SambaAD::GetRealm)", which returns "(null)" in my case.

    Code:
    #y2log
    
    2022-05-19 18:29:05 <1> XXX.client-fqdn(1858) [Perl] modules/SambaAD.pm(SambaAD::GetADS):112 get ads: workgroup: "FQDN"
    2022-05-19 18:29:05 <1> XXX.client-fqdn(1858) [Python] modules/SambaAPI.py(GetLDAPDS):30 Found LDAP/DS server "XXX.DC.FQDN" via cldap ping
    2022-05-19 18:29:06 <1> XXX.client-fqdn(1858) [Perl] modules/SambaAD.pm(SambaAD::GetADS):232 returning server: "XXX.DC.FQDN"
    2022-05-19 18:29:06 <1> XXX.client-fqdn(1858) [Python] modules/SambaAPI.py(ADDomain2Workgroup):42 workgroup: ADS
    2022-05-19 18:29:06 <1> XXX.client-fqdn(1858) [Perl] modules/SambaAD.pm(SambaAD::GetRealm):300 realm: (null) <-- this should be "FQDN" (as with 15.0 / 15.1 / 15.2)
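
The correlation visible in the y2log excerpt above, as an added example that is not part of the original post: per YaST process it pairs the "Found LDAP/DS server" line with the `SambaAD::GetRealm` result, which separates a DC discovery failure from a realm lookup failure. The log lines are constructed from the excerpt; the host names, PID 2001, the quoted form of a healthy realm value and the verdict labels are assumptions.

```shell
#!/bin/sh
# Added example: correlate DC discovery with the realm lookup per YaST process.

# Constructed y2log lines: PID 1858 mirrors post #9, PID 2001 is a healthy run
# (its quoted realm value is an assumption about how YaST logs a real realm).
y2log_sample() {
cat <<'EOF'
2022-05-19 18:29:05 <1> client.example.com(1858) [Perl] modules/SambaAD.pm(SambaAD::GetADS):112 get ads: workgroup: "EXAMPLE.COM"
2022-05-19 18:29:05 <1> client.example.com(1858) [Python] modules/SambaAPI.py(GetLDAPDS):30 Found LDAP/DS server "dc1.example.com" via cldap ping
2022-05-19 18:29:06 <1> client.example.com(1858) [Perl] modules/SambaAD.pm(SambaAD::GetRealm):300 realm: (null)
2022-05-19 18:40:11 <1> client.example.com(2001) [Python] modules/SambaAPI.py(GetLDAPDS):30 Found LDAP/DS server "dc1.example.com" via cldap ping
2022-05-19 18:40:12 <1> client.example.com(2001) [Perl] modules/SambaAD.pm(SambaAD::GetRealm):300 realm: "EXAMPLE.COM"
EOF
}

# Read y2log on stdin; print one verdict line per PID that logged a realm.
scan_y2log() {
    awk '
        # Field 4 is host(pid); keep only the PID.
        { pid = $4; sub(/^.*\(/, "", pid); sub(/\).*$/, "", pid) }
        /SambaAPI\.py\(GetLDAPDS\)/ && match($0, /server "[^"]+"/) {
            dc[pid] = substr($0, RSTART + 8, RLENGTH - 9)
        }
        /SambaAD::GetRealm\)/ && match($0, /realm: .*/) {
            val = substr($0, RSTART + 7)
            gsub(/"|[ \t]+$/, "", val)      # drop quotes and trailing blanks
            realm[pid] = val
        }
        END {
            for (p in realm) {
                found = (p in dc)
                if (realm[p] != "(null)" && realm[p] != "") v = "OK"
                else if (found) v = "DC_FOUND_BUT_REALM_NULL"
                else v = "NO_DC_AND_REALM_NULL"
                printf "pid=%s dc=%s realm=%s verdict=%s\n", p, (found ? dc[p] : "-"), realm[p], v
            }
        }'
}

y2log_sample | scan_y2log
```

On a live system the same function reads the YaST log directly: `scan_y2log < /var/log/YaST2/y2log`.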

  10. #10

    Re: Joining a windows domain using YaST - fundamental changes since Leap 15.2 / .3 / .4 ?

    Said perl module also tries to create a "dummy-conf" for getting info on the "realm". That file is empty :-(

    Fresh install of 15.3 - apparmor off - firewall off - I can ping our domain - I can do DNS lookups of the domain, DCs and so forth.
