Hey All,
Relative SUSE newb here, so be patient with me.
I am in a near completely Windows shop (School District), and am trying to show value for having Linux within our environment as something other than a Web Server or a MySQL box (as compared to the AS400 DB2 database we use for our big-iron stuff).
I have been a long-time fan of SUSE, and figured I would give it a try again seeing some of the incredible changes over the past few years. Anyways... my trouble begins at the logon screen.
During the course of the install, I selected the option to be a member of the domain (which is an Active Directory 2003 domain), and entered the appropriate credentials, and it responded in kind that the machine was a domain member. I went through the whole process, and selected our domain, which appeared in its NetBIOS form (stripping the .LOCAL), and was immediately met by "Unable to authenticate user". Regardless of which format I tried to log in with - CCSD\username, ccsd\username, username@CCSD, username@CCSD.LOCAL - uppercase, lowercase... etc... none of them budged, and immediately responded with the above error - as though it wasn't even trying to query Active Directory.
I proceeded to log in as root (yeah yeah... kill me now, grin), and went through the whole process in YaST with the Kerberos client, Samba client, LDAP client, etc. There was apparently an error with the NTP server, which I got resolved.
Making an incredibly long story a bit shorter, I did the whole smb stop (from /etc/init.d), nmb stop, kinit username (which properly resolved to the domain), net ads join -Uusername - which joined properly, but gave me the DNS update failure (secure Active Directory DNS updates are my likely issue there), and then restarted smb and nmb.
I am able to do the "Connect to Server" to my home directory on the Active Directory server without having to provide my domain credentials (which I supplied in the kinit).
net ads status correctly returns a monstrous string of attributes for the machine account that was joined to the domain (and yes, the machine object exists in the OU it should be in).
net ads info returns:
LDAP server: X.X.X.X
LDAP server name: codomjr.CCSD.LOCAL
Realm: CCSD.LOCAL
Bind Path: dc=CCSD,dc=LOCAL
LDAP port: 389
Server time: Thu, 26 Mar 2009 15:14:51 EDT
KDC server: X.X.X.X
Server time offset: 0
net ads lookup returns:
Information for Domain Controller: X.X.X.X
Response Type: SAMLOGON
GUID: c36a7512-b666-454b-9397-0ba961f4ad1f
Flags:
Is a PDC: no
Is a GC of the forest: no
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: no
Is a non-domain NC serviced by LDAP server: no
Forest: CCSD.LOCAL
Domain: CCSD.LOCAL
Domain Controller: codomjr.CCSD.LOCAL
Pre-Win2k Domain: CCSD
Pre-Win2k Hostname: CODOMJR
Server Site Name : DistrictOffice
Client Site Name : DistrictOffice
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
The server it is currently pointing at is the secondary DC for the District Office. I have tried pointing it directly at the primary with the same results - with the exception being that it does register as a PDC and a GC.
wbinfo -u returns the 40,000 some-odd users I have, and wbinfo returns all of the proper groups that are available on the Domain.
klist properly returns:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@CCSD.LOCAL
Valid starting     Expires            Service principal
03/26/09 14:52:09  03/27/09 00:52:12  krbtgt/CCSD.LOCAL@CCSD.LOCAL
        renew until 03/27/09 00:52:09
03/26/09 14:52:48  03/27/09 00:52:12  codomjr$@CCSD.LOCAL
        renew until 03/27/09 00:52:09
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Contents of my smb.conf are as follows:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2008-12-03
[global]
workgroup = CCSD
password server = CODOMJR.CCSD.LOCAL
realm = CCSD.LOCAL
security = ADS
netbios name = COISRM20-01SU
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
#winbind section
idmap backend = rid:DOMAIN=10000-20000
idmap gid = 10000-20000
idmap uid = 10000-20000
allow trusted domains = no
winbind refresh tickets = yes
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
guest account = nobody
map to guest = bad user
#set the log level
log level = 3
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
#add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
local master = No
domain master = No
preferred master = No
# passdb backend = smbpasswd
usershare allow guests = No
client use spnego = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
## Share disabled by YaST
# [netlogon]
[nt]
comment = NT Drive
inherit acls = Yes
path = /windows/C
read only = No
Contents of my krb5.conf is as follows:
[libdefaults]
default_realm = CCSD.LOCAL
clockskew = 300
# default_realm = EXAMPLE.COM
[realms]
CCSD.LOCAL = {
kdc = codomjr.ccsd.local
default_domain = ccsd.local
admin_server = codomjr.ccsd.local
}
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.ccsd.local = CCSD.LOCAL
.CCSD.LOCAL = CCSD.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
try_first_pass = true
clockskew = 300
external = sshd
use_shmem = sshd
}
Contents of the common-auth file in /etc/pam.d:
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_winbind.so use_first_pass
PAM and Samba are the real pains here... if I configure either of them through YaST, it destroys anything I had manually placed in there. There are several options - including "Security = ADS" - that don't exist, or aren't available, on my YaST configuration pages.
I have verified that my account exists in the smbpasswd file and is in the format of CCSD\username.
The main thing that isn't working here is just the act of logging into Active Directory from the login screen. Perhaps this is just a plain stupidity error on my behalf, but I've pretty much exhausted the extent of my knowledge and Googling ability. It seems that several things have changed dramatically with SSO and Microsoft over the past few years. I am not able to find the "Identity and Access Management for Unix" that MS touted on the RC2 of Windows 2003 (which I am running the Service Pack 1 version of). I did manage to find what seemed to be a deprecated, but semi-functional, version of "Services for Unix 3.5".
Bottom line - could someone point me in the right direction with how to properly log on to SUSE 11.1 using my Active Directory 2003 credentials please?
Thanks in advance!!
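The post pastes three files (smb.conf, krb5.conf and common-auth) that all have to agree before a domain logon can work. The following is an added example, not code from the post or from SUSE/Samba: a small offline checker that parses constructed copies of those files and reports the mismatches a practitioner would look for first (security not ADS, a realm that is not upper-case or that differs from krb5.conf, a realm with no kdc block, a PAM auth stack with neither pam_krb5 nor pam_winbind). The sample config text and the check wording are assumptions of this example.

```python
import re
# Constructed samples mirroring the post's smb.conf, krb5.conf and common-auth.
SMB_CONF = """[global]
workgroup = CCSD
password server = CODOMJR.CCSD.LOCAL
realm = CCSD.LOCAL
security = ADS
"""
KRB5_CONF = """[libdefaults]
default_realm = CCSD.LOCAL
[realms]
CCSD.LOCAL = {
kdc = codomjr.ccsd.local
}
"""
PAM_AUTH = """auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_winbind.so use_first_pass
"""

def parse_ini(text):
    # Flatten '[section]' and krb5-style 'NAME = {' blocks into dicts (lower-cased).
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}":
            continue
        m = re.match(r"\[(.+)\]$", line) or re.match(r"(\S+)\s*=\s*\{$", line)
        if m:
            cur = m.group(1).lower()
            sections[cur] = {}
        else:
            key, _, val = line.partition("=")
            sections[cur][key.strip().lower()] = val.strip()
    return sections

def check_ad_logon(smb, krb5, pam):
    """Return a list of findings; an empty list means the three files agree."""
    g, k = parse_ini(smb)["global"], parse_ini(krb5)
    realm, out = g.get("realm", ""), []
    if g.get("security", "").lower() != "ads":
        out.append("security is not ADS, so Kerberos domain logons are not used")
    if realm != realm.upper():
        out.append("realm is not upper-case; Kerberos realm names are case-sensitive")
    if realm != k.get("libdefaults", {}).get("default_realm"):
        out.append("smb.conf realm and krb5.conf default_realm differ")
    if realm.lower() not in k:
        out.append("krb5.conf has no [realms] block (kdc) for the smb.conf realm")
    mods = [l.split()[2] for l in pam.splitlines() if l.startswith("auth")]
    if not {"pam_winbind.so", "pam_krb5.so"} & set(mods):
        out.append("common-auth has neither pam_winbind nor pam_krb5 in the auth stack")
    return out
```

Run against the post's settings the checker returns no findings, which matches the symptoms: the files are consistent, so the failure is more likely in the parts not shown (nsswitch, the account/session PAM stacks) than in these three.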