Problems setting up windows domain login on opensuse 11.2 machine

I am new to linux so I’ve done a lot of learning in trying to figure this out, but I’m still nowhere.

I set up Samba and LDAP client settings via YaST and manually edited nsswitch.conf and the login PAM module, yet I cannot log in to my SUSE machine with my Windows account. I believe I successfully joined the PC to my domain, as I can see the computer account in AD, but I still can't seem to log on as my AD admin account.

According to the tutorials I followed, at the SUSE login prompt I should be able to type mywindowsdomain+mywindowsaccount and log in (winbind separator = +), but I'm getting authentication failures every time.

When I do a “net lookup dc” I get back a list of some of my DCs.
I'm also able to ping the winbind daemon, if that info is helpful.

  • I also disabled the nscd daemon.

Thanks for any help. Here are the config files:

----smb.conf----

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2009-10-27
[global]
	winbind separator = +
	winbind cache time = 10
	workgroup = mycompNetbiosName
	passdb backend = ldapsam:ldap://10.100.100.100
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	usershare allow guests = Yes
	domain logons = no
	domain master = No
	netbios name = SUSE
	security = domain
	wins support = No
	usershare max shares = 100
	realm = mycomp.COM
	template homedir = /home/%D/%U
	winbind refresh tickets = yes
	idmap backend = ldap:ldap://10.220.3.98
	ldap admin dn = me@mycomp.com
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Machines
	ldap passwd sync = Yes
	ldap ssl = Off
	ldap suffix = DC=mycomp,DC=com
	ldap user suffix = ou=Users
	idmap gid = 10000-20000
	idmap uid = 10000-20000
	password server = *
	wins server = 
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775
## Share disabled by YaST
# [netlogon]

----pam.d/login----
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
session optional pam_ck_connector.so

I've been using openSUSE connected to AD.

The easiest way is not to modify files by hand; use YaST. Do not configure LDAP (not needed, we use winbind), only use "Windows client" (I don't know exactly how it appears in English).

Before joining it to AD:

  • Be sure your clock is in time with AD (more than 5 minutes difference and it won't work).
    date
    sudo net time set -S server.domain.dom ← Synchronize your machine with AD.

  • Be sure your computer can see the domain controller.
    ping server.domain.dom
    nslookup server.domain.dom

  • Be sure your FQDN hostname.domain.dom is assigned to the public IP and not to 127.0.0.1.
    It can be checked in YaST - Net adjust (not sure how it's in English).
    You can also do a "cat /etc/hosts"

  • Use Yast to join your computer to AD

If it works, try starting a session.

Ok so I rejoined to the domain again and I’m getting REALLY close to making this work.

If I run “wbinfo -u” from my linux box I get a list of all my AD users in the following format: “MYDOMAIN+username”.

Yet if I try to logon to the suse machine with the following credentials:
username= MYDOMAIN+mywindowsusername

I get an error message something like “user unknown to underlying authenticate module”

Did I screw up the PAM settings?

On Fri September 10 2010 12:36 pm, red888 wrote:

>
> Ok so I rejoined to the domain again and I’m getting REALLY close to
> making this work.
>
> If I run “wbinfo -u” from my linux box I get a list of all my AD users
> in the following format: “MYDOMAIN+username”.
>
> Yet if I try to logon to the suse machine with the following
> credentials:
> username= MYDOMAIN+mywindowsusername
>
> I get an error message something like “user unknown to underlying
> authenticate module”
>
> Did I screw up the PAM settings?
>
>
red888;

For one thing you need:


security = ADS

in /etc/samba/smb.conf. “security = domain” is only for an NT or Samba3
domain. These documents from Samba.org might be of help.
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm
and
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
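A pre-join sanity script, added here as an example and not code from either poster: it checks the /etc/hosts and clock-skew points from the earlier reply and the security = ads plus realm requirement P. V. gives, against constructed sample files that mirror the posted [global] section. Hostnames and addresses are made up; the reachability checks (ping, nslookup) are left to the reply's own commands.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks mirroring the advice above:
# FQDN mapped to loopback in /etc/hosts, clock skew vs the DC, and the smb.conf
# settings an AD member needs (security = ads plus realm). Sample files are constructed.

# Returns 0 unless the FQDN ($2) appears on a 127.x line of hosts file $1.
check_hosts_fqdn() {
    awk -v fqdn="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) { if ($i == fqdn && $1 ~ /^127\./) bad = 1 } }
        END { exit bad ? 1 : 0 }' "$1"
}

# Returns 0 if |local epoch $1 - DC epoch $2| is within the Kerberos 5-minute limit.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le 300 ]
}

# Returns 0 if [global] in smb.conf $1 has security = ads and a realm set.
check_smbconf_ads() {
    awk '/^[[:space:]]*\[/ { sect = tolower($0); gsub(/[[:space:]]/, "", sect); next }
         sect == "[global]" && /^[[:space:]]*security[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, ""); gsub(/[[:space:]]+$/, ""); sec = tolower($0) }
         sect == "[global]" && /^[[:space:]]*realm[[:space:]]*=/ { realm = 1 }
         END { exit (sec == "ads" && realm) ? 0 : 1 }' "$1"
}

# Constructed sample inputs (openSUSE puts the hostname on 127.0.0.2 by default).
TMP=${TMPDIR:-/tmp}/adcheck.$$; mkdir -p "$TMP"
printf '127.0.0.1 localhost\n127.0.0.2 suse.mycomp.com suse\n' > "$TMP/hosts.bad"
printf '127.0.0.1 localhost\n10.100.100.5 suse.mycomp.com suse\n' > "$TMP/hosts.good"
printf '[global]\n\tsecurity = domain\n\trealm = mycomp.COM\n[homes]\n\tread only = No\n' > "$TMP/smb.posted"
printf '[global]\n\tsecurity = ads\n\trealm = MYCOMP.COM\n[homes]\n\tread only = No\n' > "$TMP/smb.fixed"

# Report each check; a real run points these at /etc/hosts and /etc/samba/smb.conf.
check_hosts_fqdn "$TMP/hosts.bad" suse.mycomp.com || echo "hosts.bad: FQDN mapped to loopback"
check_clock_skew "$(date +%s)" "$(( $(date +%s) + 600 ))" || echo "clock skew > 5 min (simulated)"
check_smbconf_ads "$TMP/smb.posted" || echo "smb.posted: security is not ads (the thread's config)"
check_smbconf_ads "$TMP/smb.fixed" && echo "smb.fixed: AD member settings present"
```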

Thanks. I’ll test this Monday and post the results.