Active Directory Authentication Woes

Hey All,
Relative Suse newb here, so be patient with me :wink:

I am in a near completely Windows shop (School District), and am trying to show value for having Linux within our environment as something other than a Web Server or a MySQL box (as compared to the AS400 DB2 database we use for our big-iron stuff).

I have been a long-time fan of Suse, and figured I would give it a try again seeing some of the incredible changes over the past few years. Anyways… my trouble begins at the logon screen.

During the course of the install, I selected the option to be a member of the domain (which is an Active Directory 2003 domain), and entered the appropriate credentials, and it responded in kind that the machine was a domain member. I went through the whole process, and selected our domain which appeared in its NetBIOS form (stripping the .LOCAL), and was immediately met by “Unable to authenticate user”. Regardless of which format I tried to log in with - CCSD\username, ccsd\username, username@CCSD, username@CCSD.LOCAL - uppercase, lowercase… etc… none of them budged, and immediately responded with the above error - as though it wasn’t even trying to query Active Directory.

I proceeded to log in as root (yeah yeah… kill me now grin), and went through the whole process in YaST with the Kerberos client, Samba client, LDAP client, etc… There was apparently an error with the NTP server which I got resolved.

Making an incredibly long story a bit shorter, I did the whole smb stop (from /etc/init.d), nmb stop, kinit username (which properly resolved to the domain), net ads join -Uusername - which joined properly, but gave me the DNS update failure (secure Active Directory DNS updates are my likely issue there), and then restarted smb and nmb.

I am able to do the “Connect to Server” to my Home Directory on the Active Directory server without having to provide my domain credentials (which I supplied in the kinit).

net ads status correctly returns a monstrous string of attributes for the machine account that was joined to the domain (and yes, the machine object exists in the OU it should be in).

net ads info returns:


LDAP server: X.X.X.X
LDAP server name: codomjr.CCSD.LOCAL
Realm: CCSD.LOCAL
Bind Path: dc=CCSD,dc=LOCAL
LDAP port: 389
Server time: Thu, 26 Mar 2009 15:14:51 EDT
KDC server: X.X.X.X
Server time offset: 0

net ads lookup returns:


Information for Domain Controller: X.X.X.X

Response Type: SAMLOGON
GUID: c36a7512-b666-454b-9397-0ba961f4ad1f
Flags:
	Is a PDC:                                   no
	Is a GC of the forest:                      no
	Is an LDAP server:                          yes
	Supports DS:                                yes
	Is running a KDC:                           yes
	Is running time services:                   yes
	Is the closest DC:                          yes
	Is writable:                                yes
	Has a hardware clock:                       no
	Is a non-domain NC serviced by LDAP server: no
Forest:			CCSD.LOCAL
Domain:			CCSD.LOCAL
Domain Controller:	codomjr.CCSD.LOCAL
Pre-Win2k Domain:	CCSD
Pre-Win2k Hostname:	CODOMJR
Server Site Name :		DistrictOffice
Client Site Name :		DistrictOffice
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

The server it is currently pointing at is the secondary DC for the District Office. I have tried pointing it directly at the primary with the same results - with the exception being that it does register as a PDC and a GC.

wbinfo -u returns the 40,000 some-odd users I have, and wbinfo returns all of the proper groups that are available on the Domain.

klist properly returns:


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@CCSD.LOCAL

Valid starting     Expires            Service principal
03/26/09 14:52:09  03/27/09 00:52:12  krbtgt/CCSD.LOCAL@CCSD.LOCAL
	renew until 03/27/09 00:52:09
03/26/09 14:52:48  03/27/09 00:52:12  codomjr$@CCSD.LOCAL
	renew until 03/27/09 00:52:09


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Contents of my smb.conf are as follows:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2008-12-03
[global]
	workgroup = CCSD
	password server = CODOMJR.CCSD.LOCAL
	realm = CCSD.LOCAL
	security = ADS
	netbios name = COISRM20-01SU

	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

	#winbind section	
	idmap backend = rid:DOMAIN=10000-20000
	idmap gid = 10000-20000
	idmap uid = 10000-20000

	allow trusted domains = no

	winbind refresh tickets = yes
	winbind use default domain = yes
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes

	template homedir = /home/%D/%U
	template shell = /bin/bash

	guest account = nobody
	map to guest = bad user

	#set the log level
	log level = 3

	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw

	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	
	#add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
	local master = No
	domain master = No
	preferred master = No
	
#	passdb backend = smbpasswd
	usershare allow guests = No
	client use spnego = yes
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

## Share disabled by YaST
# [netlogon]

[nt]
	comment = NT Drive
	inherit acls = Yes
	path = /windows/C
	read only = No

Contents of my krb5.conf are as follows:

[libdefaults]
	default_realm = CCSD.LOCAL
	clockskew = 300
#	default_realm = EXAMPLE.COM 

[realms]
CCSD.LOCAL = {
	kdc = codomjr.ccsd.local
	default_domain = ccsd.local
	admin_server = codomjr.ccsd.local
}
#	EXAMPLE.COM = {
#                kdc = kerberos.example.com
#		admin_server = kerberos.example.com
#	}

[logging]
	kdc = FILE:/var/log/krb5/krb5kdc.log
	admin_server = FILE:/var/log/krb5/kadmind.log
	default = SYSLOG:NOTICE:DAEMON
[domain_realm]
	.ccsd.local = CCSD.LOCAL
	.CCSD.LOCAL = CCSD.LOCAL
[appdefaults]
pam = {
	ticket_lifetime = 1d
	renew_lifetime = 1d
	forwardable = true
	proxiable = false
	retain_after_close = false
	minimum_uid = 1
	try_first_pass = true
	clockskew = 300
	external = sshd
	use_shmem = sshd
}

Contents of the common-auth file in /etc/pam.d:


#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth	required	pam_env.so	
auth	sufficient	pam_unix2.so	
auth	sufficient	pam_krb5.so	use_first_pass 
auth	required	pam_winbind.so	use_first_pass

PAM and Samba are the real pains here… if I configure either of them through YaST, it destroys anything I had manually placed in there. There are several options - to include “Security = ADS” - that don’t exist, or aren’t available on my YaST configuration pages.

I have verified that my account exists in the smbpasswd file and is in the format of CCSD\username.

The main thing that isn’t working here is just the act of logging into Active Directory from the login screen. Perhaps this is just plain stupidity error on my behalf, but I’ve pretty much exhausted the extent of my knowledge and Googling ability. It seems that several things have changed dramatically with SSO and Microsoft over the past few years. I am not able to find the “Identity and Access Management for Unix” that MS touted on the RC2 of Windows 2003 (which I am running the Service Pack 1 version of). I did manage to find what seemed to be a deprecated, but semi-functional version of “Services for Unix 3.5”.

Bottom line - could someone point me in the right direction with how to properly logon to Suse 11.1 using my Active Directory 2003 credentials please?
Thanks in advance!!

Well, didn’t make any headway, so I opted to try out the OpenLikewise software package that sounds incredibly promising - especially since we have a mixed environment here - to include Macs as well as Linux boxes residing on a Windows 2003 Domain.

I ran the base installer, followed the basic setup instructions, and went to join the domain which gave me the thumbs-up. I was prompted to reboot (it apparently had to make changes to dbus), and from that point on, have been unable to login to my box. The startup is riddled with loads of missing account ‘root’. I couldn’t log in as root at all. I ‘could’ log in as my original local account, but it had completely changed my profile so I had “0” access to the local machine other than read only. The local profile now looked to resemble a UNC path rather than a local profile path. I couldn’t even mount a thumb-drive to retrieve any of my docs. The SUSE repair CD was unable to do anything at all regardless of the options I chose. I’m sure I had something screwy on my machine prior to the Likewise install, but man… It sounds like a fantastic product, just make sure you back your stuff up prior to install.

If at all possible, I am in the process of reloading, and if someone gets a wild hair, and could throw some input as to my original problem, it would be greatly appreciated.
Thanks!

Hi there,
there’s some wrong configuration in the Kerberos settings. Try to reboot the machine and run Linux at runlevel 1. From there, you can log in as the Linux root user. Try to disable the Kerberos client first.

Let me know the result…Thanks

Hrmmm - sorry for coming late to this party, but I was trolling for other kerberos info and stumbled onto this posting - I see it didn’t contain a full answer so I thought perhaps I can help someone out, if not the original poster.

Your original post made one little note that really caught my attention and gave me an “AH HA! - I can fix that!”. Your school’s domain ends in .LOCAL?? If that is the case, your openSUSE, by default, has multicast DNS enabled (avahi). A little extra info can be found here. Add to that the default MS documentation that recommends using .local for lack of any better / other Active Directory configuration and you have a conflict. To get around this and properly authenticate / do other friendly AD things you need to do the following:

  1. Open a terminal and switch to root (su)
  2. Run the following two commands to stop the avahi services:
    chkconfig -d avahi-dnsconfd
    chkconfig -d avahi-daemon
  3. vi /etc/nsswitch.conf
  4. You need to find the “hosts:” line and remove the following text - “mdns4_minimal [NOTFOUND=return]”. Essentially, you should only have “hosts: files dns” and maybe “wins” on that line. Save the file (:wq)
  5. Restart samba and winbind. (rcsmb restart && rcwinbind restart)

This did it for me on all of the openSUSE boxes we have running in my AD environment. I’m still trying to figure out the AutoYast files so I can deploy images without these services enabled.

Hope I’m not too late to have helped you or someone else…

Regards,
Frank
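A scriptable version of step 4 of Frank's fix, as an added example that is not part of the thread: it strips the `mdns4_minimal [NOTFOUND=return]` entry from the `hosts:` line of an nsswitch.conf so that lookups for a `.local` AD domain fall through to real DNS instead of being short-circuited by multicast DNS. The function takes the file path as a parameter, and the sample file below is constructed, so it can be tried safely before pointing it at /etc/nsswitch.conf (the chkconfig and rcsmb/rcwinbind steps are left to the reader, as Frank lists them).

```shell
# Added example (not from the thread). Assumes a POSIX sh with grep and sed.

# fix_hosts_line FILE: remove the mdns4_minimal resolver and its
# [NOTFOUND=return] action from the "hosts:" line, leaving e.g.
# "hosts: files dns wins". Returns 0 if the file was changed, 1 if it
# already had no mdns4_minimal entry (so the caller knows whether a
# restart of samba/winbind is actually needed).
fix_hosts_line() {
    f="$1"
    if ! grep -q '^hosts:.*mdns4_minimal' "$f"; then
        return 1
    fi
    tmp="$f.tmp"
    # Only touch the hosts: line; after deleting the entry, squeeze the
    # doubled spaces it leaves behind.
    sed -e '/^hosts:/{s/mdns4_minimal[[:space:]]*\[NOTFOUND=return\]//;s/[[:space:]]\{2,\}/ /g;}' \
        "$f" > "$tmp" && mv "$tmp" "$f"
    return 0
}

# hosts_line FILE: print the current hosts: line for inspection.
hosts_line() {
    grep '^hosts:' "$1"
}

# Constructed sample resembling the openSUSE default that conflicts with
# a .local Active Directory domain.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
passwd: compat winbind
group:  compat winbind
hosts:  files mdns4_minimal [NOTFOUND=return] dns wins
EOF

if fix_hosts_line "$SAMPLE"; then
    echo "hosts: line fixed, restart samba and winbind"
else
    echo "no mdns4_minimal entry, nothing to do"
fi
hosts_line "$SAMPLE"
rm -f "$SAMPLE"
```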

Thank you, thank you thank you :slight_smile: