Suse Authentication in Windows 2008 Active Directory

Hello,

I am trying to set up a network with a Windows 2008 Server using AD. I'm trying to authenticate in Suse with a Windows username (username@windowsad...); for it to work I have to have the user created both in the Windows AD and in Linux, and it shouldn't have to be like this, I think.

I gave each a different password and I'm logging in with the Windows password, so I know it is getting information from the AD, but it takes forever to log in, around 5 minutes, and this error keeps popping up meanwhile:

Apr 2 18:33:15 Susy sshd[3839]: nss_ldap: failed to bind to LDAP server ldap:// 10.154.59.51: Invalid credentials
Apr 2 18:33:15 Susy sshd[3839]: nss_ldap: failed to bind to LDAP server ldap:// windowsad-dc.windows-ad.testes.loc/: Invalid credentials
Apr 2 18:33:15 Susy sshd[3839]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)…

I'm using Kerberos alongside LDAP.

Any idea what is going on???

Thank you!

Can you give me the configuration of your /etc/krb.conf?

Here it goes (krb5.conf):

[libdefaults]
default_realm = WINDOWS-AD.TESTES.LOC
clockskew = 300

default_realm = EXAMPLE.COM

[realms]
WINDOWS-AD.TESTES.LOC = {
kdc = WINDOWSAD-DC.windows-ad.testes.loc
default_domain = WINDOWS-AD.TESTES.LOC
admin_server = WINDOWSAD-DC.windows-ad.testes.loc
}
.windows-ad.testes.loc = {
kdc = 10.154.59.51
default_domain = windows-ad.testes.loc
admin_server = 10.154.59.51
}

EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
addressless = false
debug = false
debug_sensitive = false
existing_ticket = false
initial_prompt = false
subsequent_prompt = false
validate = false
}

[domain_realm]
.windows-ad.testes.loc = .windows-ad.testes.loc
.WINDOWS-AD.TESTES.LOC = WINDOWS-AD.TESTES.LOC

Thanks!

Normally, you don't have to create each user on both the Linux and Windows machines. From your krb5.conf, the setting is OK. The Linux operating system uses the winbind service to authenticate against the AD machine. In your /etc/nsswitch.conf, you should have something like this:

passwd: files compact winbind
group: files compact winbind

1. The winbind and samba services should be running:

    # /etc/init.d/winbind status or /etc/init.d/smb status

2. Make sure you activate the Kerberos client: go to YaST Control Centre -> Network Services -> Kerberos Client and choose "Use Kerberos client".

3. After you activate the Kerberos client, test the Kerberos installation:

    kinit administrator

4. Key in your AD administrator password.

5. The Linux machine should join the Windows domain:

    net ads join -U administrator

6. Test that Samba is communicating with the Active Directory domain by checking whether winbind is enumerating users and groups:

    wbinfo -t (it should respond with 'checking the trust secret via RPC calls succeeded')

   Test whether we are authenticating against Windows Active Directory:

    wbinfo -u

7. If you need the configuration in /etc/samba/smb.conf, please let me know…

On Sat, 2009-04-11 at 02:26 +0000, mahadzar81 wrote:
> Normally, you dont have to create each user on both linux and windows
> machine. As from your krb5.conf, the setting is ok. Linux Operating
> system use winbind services to authenticate with AD machine. In your
> /etc/nsswitch.conf,you should have something like this
>
> passwd: files compact winbind
> group: files compact winbind

Probably should be compat instead of compact, right?

Yup… I think so…
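As an added example (not code from anyone in this thread), here is a small Python checker for the two configuration problems the thread touches: the posted krb5.conf carries two default_realm lines and a [domain_realm] entry that maps the domain to a lower-case name that is not a realm, and the suggested nsswitch.conf lines say compact where compat was meant. The sample inputs are constructed from the thread's fragments, and the list of valid NSS sources is an assumption.

```python
# Constructed sample, condensed from the krb5.conf posted above (other settings omitted).
KRB5_CONF = """\
[libdefaults]
default_realm = WINDOWS-AD.TESTES.LOC
default_realm = EXAMPLE.COM
[realms]
WINDOWS-AD.TESTES.LOC = {
kdc = WINDOWSAD-DC.windows-ad.testes.loc
}
[domain_realm]
.windows-ad.testes.loc = .windows-ad.testes.loc
.WINDOWS-AD.TESTES.LOC = WINDOWS-AD.TESTES.LOC
"""
# The nsswitch.conf lines suggested in the thread, before the compact/compat fix.
NSSWITCH_CONF = "passwd: files compact winbind\ngroup: files compact winbind\n"
NSS_SOURCES = {"files", "compat", "winbind", "ldap", "nis", "dns", "db", "sss"}  # assumed allow-list

def parse_krb5(text):
    """section -> [(key, value)], duplicates kept; a realm block becomes (name, '{')."""
    sections, current, in_block = {}, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current, in_block = line[1:-1], False
            sections.setdefault(current, [])
        elif line == "}":
            in_block = False
        elif line and current and not in_block:
            key, _, value = (p.strip() for p in line.partition("="))
            sections[current].append((key, value))
            in_block = value == "{"  # skip the realm's own settings until the closing brace
    return sections

def krb5_findings(text):
    """Report a duplicated default_realm and domain_realm targets that are not realms."""
    s, findings = parse_krb5(text), []
    defaults = [v for k, v in s.get("libdefaults", []) if k == "default_realm"]
    if len(defaults) > 1:
        findings.append("duplicate default_realm: " + ", ".join(defaults))
    realms = {k for k, v in s.get("realms", []) if v == "{"}
    for domain, realm in s.get("domain_realm", []):
        if realm not in realms or realm != realm.upper():
            findings.append(f"domain_realm {domain} -> {realm}: not an upper-case realm in [realms]")
    return findings

def nsswitch_findings(text):
    """Flag lookup sources no NSS module provides (the thread's 'compact' typo)."""
    return [f"{db.strip()}: unknown source '{src}'"
            for db, _, sources in (ln.partition(":") for ln in text.splitlines())
            for src in sources.split() if not src.startswith("[") and src not in NSS_SOURCES]
```

Run krb5_findings(KRB5_CONF) and nsswitch_findings(NSSWITCH_CONF) to see both defects reported; with compat in place of compact the nsswitch check returns an empty list.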