Cannot log into Active Directory domain - but klist works

Hi all,

I have installed openSUSE 13.1, with KDE, and linked it to my company’s AD domain via YaST. I have successfully obtained a Kerberos ticket via

root ~ # kinit xxx.xxx
Password for xxx.xxx@xxx.ORG: 
Warning: Your password will expire in 5 days on Mon Aug 11 17:58:09 2014
root ~ # klist
Ticket cache: DIR::/run/user/0/krb5cc/tktX0tH8P
Default principal: xxx.xxx@xxx.ORG

Valid starting     Expires            Service principal
08/06/14 12:31:37  08/06/14 22:31:37  krbtgt/xxx.ORG@xxx.ORG
        renew until 08/07/14 12:31:33

However, I cannot log in to the system via KDM; I can select the correct domain in the relevant drop-down menu, but if I try to log in, I get a “Login failed” error.

I would like to add that “wbinfo -u” gives a list of the domain users, and I can successfully view AD shares.

What else can I try? I’ve googled for this, and haven’t found anything obvious. What log files can I read on my system?

Thanks

On 2014-08-06 13:46, sinayion wrote:
> However, I cannot log in to the system via KDM; I can select the correct
> domain in the relevant drop-down menu, but if I try to log in, I get a
> “Login failed” error.

Just in case, if the AD domain ends in “.local”, you have to stop
zeroconf services (avahi) in Linux. If it is not, ignore this.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I have kinda figured this out. AppArmor was the culprit! I checked /var/log/messages and found

apparmor="DENIED" operation="mknod" parent=2958 profile="/usr/sbin/winbindd" name="/var/cache/krb5rcache/xxx--xxx-044_10000" pid=2988 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=10000 ouid=10000

So I set the above winbindd profile to “complain” in AppArmor, and now I can log in with my AD credentials. When I get time off work, I’ll try finding out everything that I need to add to the profile to make it work.

Very weird that this is the default behaviour, though.
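
The denial quoted in the post above can be pulled out of the log mechanically. The following is an added example, not part of the original thread or of any openSUSE tool: it parses AppArmor audit lines (DENIED in enforce mode, ALLOWED in complain mode) and proposes candidate profile rules to review. The function names, the sample lines other than the first, and the directory-wide glob are assumptions.

```python
import posixpath
import re
from collections import defaultdict

# key=value or key="value" pairs as they appear in AppArmor audit messages
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log mask letters -> profile permission letters. "c" (create) and "d"
# (delete) are logged separately but are both granted by "w" in a profile.
MASK_TO_PERM = {"c": "w", "d": "w"}

# Constructed sample input. Line 1 is the denial quoted in the post; the
# complain-mode line and the unrelated syslog line are made up for illustration.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="mknod" parent=2958 profile="/usr/sbin/winbindd" '
    'name="/var/cache/krb5rcache/xxx--xxx-044_10000" pid=2988 comm="winbindd" '
    'requested_mask="c" denied_mask="c" fsuid=10000 ouid=10000',
    'apparmor="ALLOWED" operation="open" parent=2958 profile="/usr/sbin/winbindd" '
    'name="/var/cache/krb5rcache/xxx--xxx-044_10000" pid=2988 comm="winbindd" '
    'requested_mask="rw" denied_mask="rw" fsuid=10000 ouid=10000',
    'apparmor="DENIED" operation="unlink" parent=2958 profile="/usr/sbin/winbindd" '
    'name="/var/cache/krb5rcache/xxx--xxx-044_10000" pid=2988 comm="winbindd" '
    'requested_mask="d" denied_mask="d" fsuid=10000 ouid=10000',
    'kdm: :0[1234]: pam_winbind(xdm:auth): user granted access',
]

def parse_events(lines):
    """Return one dict of fields per AppArmor DENIED/ALLOWED line with a path."""
    events = []
    for line in lines:
        fields = {k: quoted or bare for k, quoted, bare in PAIR_RE.findall(line)}
        if fields.get("apparmor") in ("DENIED", "ALLOWED") and "name" in fields:
            events.append(fields)
    return events

def candidate_rules(events):
    """Group events by profile and directory: {profile: ["<dir>/* <perms>,", ...]}."""
    perms = defaultdict(set)
    for ev in events:
        directory = posixpath.dirname(ev["name"])  # file names vary per user
        for letter in ev.get("denied_mask", ""):
            perms[(ev["profile"], directory)].add(MASK_TO_PERM.get(letter, letter))
    rules = defaultdict(list)
    for (profile, directory), letters in sorted(perms.items()):
        rules[profile].append(f"{directory}/* {''.join(sorted(letters))},")
    return dict(rules)

if __name__ == "__main__":
    for profile, rules in candidate_rules(parse_events(SAMPLE_LOG)).items():
        print(profile, rules)
```

The output is a starting point for editing the profile by hand; each proposed rule still needs checking against what the confined service should be allowed to touch.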

On 2014-08-06 14:56, sinayion wrote:
>
> I have kinda figured this out. AppArmor was the culprit! I checked
> /var/log/messages and found

Wow.

> Very weird that this is the default behaviour, though.

Please report in Bugzilla.

openSUSE:Submitting bug reports


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

That’s the plan :) I am a QA Test Lead by day, so I’m used to this xD

I think I have found a similar bug too, that I may just need to add a comment to it: https://bugzilla.novell.com/show_bug.cgi?id=851131#c0

On 2014-08-06 15:56, sinayion wrote:

> That’s the plan :) I am a QA Test Lead by day, so I’m used to this xD

:)

> I think I have found a similar bug too, that I may just need to add a
> comment to it: https://bugzilla.novell.com/show_bug.cgi?id=851131#c0

It seems related, yes.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)