Solved

Active Directory and Debian

Posted on 2008-10-31
Last Modified: 2013-12-24
Hello,
Is there any way to match Windows 2003 Active Directory to Debian?
I mean I want to create a user in Debian, but the password is read from Active Directory.
Thanks
Question by:Aida2
 
LVL 29

Expert Comment

by:fosiul01
ID: 22849668
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22849691
0
 
LVL 1

Author Comment

by:Aida2
ID: 22853429
Hello,
Thanks for your suggestion.
I get the error:
kinit(v5): Improper format of Kerberos configuration file while initializing Kerberos 5 library
My /etc/krb5.conf looks like this:

[libdefaults]
        default_realm = test.local
        dns_lookup_realm = false
        dns_lookup_kdc = false
// clock_skew = 300
        ticket_lifetime = 24h
        forwardable = yes

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[logging]

        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

[realms]
        test.local = {
                kdc = ford.test.local
                admin_server = ford.test.local
                default_domain = test.local
                        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .kerbos.server = test.local
        .DOMAIN.LOCAL = test.local
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu

[login]
        krb4_convert = true
        krb4_get_tickets = false

_________________
Please Help
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854052
Hi, I did not implement this before,
but let's try to fix it.
Which tutorial are you trying to follow, and which command gave you this error?
If you can tell me, I could look into this.
Thanks
0
 
LVL 1

Author Comment

by:Aida2
ID: 22854123
I followed your first link:
http://rubenleusink.com/debian-linux-filesharing-with-microsoft-active-directory-authentication-2008-10-07/
After installing all the packages I edited the file krb5.conf, then I ran the command (in step 4)
kinit administrator@test.local and I got the error:

kinit(v5): Improper format of Kerberos configuration file while initializing Kerberos 5 library
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854207
While I look for other documents,
have a look at this one:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/179142

also :
Error Message


Improper format of Kerberos configuration file

Reason Occurred
The Kerberos configuration file (krb5.conf) has invalid entries.

Solution
Make sure all the relations in the krb5.conf file are followed by the "=" sign and a value, and verify that the brackets are present in pairs for each subsection.


Does that make any sense?

I am searching more...
0
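A checker for the two rules quoted in the comment above (every relation is `tag = value`, and subsection braces come in pairs), as an added example that is not part of the original thread. The sample input is constructed from a few lines of the posted file plus a deliberately unclosed brace; `#` and `;` are the comment characters krb5.conf accepts, so a `//` line is parsed as a relation.

```python
import re

SECTION = re.compile(r"^\[[^\]]+\]\*?$")      # [libdefaults], [realms], ...
RELATION = re.compile(r"^(\S+)\s*=\s*(.*)$")   # tag = value, tag without spaces
# Constructed sample modelled on the krb5.conf posted above (not the full file).
SAMPLE = """\
[libdefaults]
        default_realm = test.local
// clock_skew = 300
        v4_name_convert = {
                host = {
                        rcmd = host
                }
        }
[realms]
        test.local = {
                kdc = ford.test.local
[domain_realm]
        .DOMAIN.LOCAL = test.local
"""

def lint_krb5_conf(text):
    """Return sorted (line_number, message) pairs for lines that break the rules."""
    unclosed = "subsection opened here is never closed"
    problems, open_braces = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if SECTION.match(line):                # new section: braces must be balanced
            problems += [(s, unclosed) for s in open_braces]
            open_braces = []
        elif line in ("}", "}*"):
            if open_braces:
                open_braces.pop()
            else:
                problems.append((n, "closing brace without an opening one"))
        else:
            m = RELATION.match(line)
            if not m:
                problems.append((n, "not a 'tag = value' relation: %r" % line))
            elif m.group(2) == "{":
                open_braces.append(n)          # remember where the subsection began
            elif m.group(2) == "":
                problems.append((n, "relation has no value"))
    return sorted(problems + [(s, unclosed) for s in open_braces])

if __name__ == "__main__":
    print(*lint_krb5_conf(SAMPLE), sep="\n")
```

On the sample it reports line 3 (the `//` line) and line 10 (the `test.local = {` that is never closed).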
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854228
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854266
If I check your krb5.conf against the tutorial,

you have
[login]
        krb4_convert = true
        krb4_get_tickets = false

extra. Is that all right?
0
 
LVL 1

Author Comment

by:Aida2
ID: 22856201
Yes, it was the default; I don't use krb4.
What about my domain and server? In all the examples I can see they are written in uppercase.
And I don't.
0
 
LVL 1

Author Comment

by:Aida2
ID: 22865161
Hello,
Now it works and I joined my server to the domain, but in step 9 when I run wbinfo -u it should list
all domain users, but I get the error:
Error looking up domain users

Any idea?
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22865377
Hi, sorry, due to the weekend I was on holiday.

Let me look at the tutorial again.
I will come back to you soon.
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22865467
Check this one:

http://www.experts-exchange.com/Networking/Unix_Networking/Q_21492200.html

"Does your PDC know itself by name you call it in /etc/hosts ???"

From Google, it's sure it's a DNS issue.

Let me check a little more.
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22865499
What about the user permission?
From the Linux box you have connected to Windows AD, and from the Linux box you are trying to get domain user information from Windows AD, is that right?

So the user name you are trying to use, does it have proper permission to do this query?
0
 
LVL 1

Author Comment

by:Aida2
ID: 22865840
I tried to run the command sudo net ads join -U "DOMAINADMIN" with administrator for "DOMAINADMIN":
sudo net ads join -U administrator
administrator's password:
[2008/11/03 11:34:48, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Interrupted system call
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22866040
Check this one, it's a DNS issue:

http://bbs.archlinux.org/viewtopic.php?id=31255

I will have a look some more, just give me a little more time.
0
 
LVL 29

Accepted Solution

by:fosiul01
fosiul01 earned 63 total points
ID: 22866367
http://www.informit.com/content/images/0131882228/downloads/0131882228_book.pdf

Page 441.

Just read it, and check if this is the same as your configuration.

The problem is either the password or DNS.
0
 
LVL 1

Author Comment

by:Aida2
ID: 22878151
Hello,
Thanks for your advice, all is fine and working. How can I create users and sync with my AD?
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22878226
Hahaha, you don't have to thank me, because if it works, it's working for you.

I really never worked with Ubuntu, I was just trying to help you with a Google search, that's all.

About sync with AD, let me have a look in Google again, I will come back to you.

But that tutorial does not say anything about sync with AD?

0
 
LVL 1

Author Comment

by:Aida2
ID: 22884505
I have Debian, not Ubuntu. When I run wbinfo -u on my Debian I can see all users in my Active Directory.
How can I sync users? I mean, should I create the user on the Linux box, and then how can I sync the password with AD?
I have no users on my Linux box.
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22884538
Hmm, tell me something.

You can see the username from AD.
Pick a username which is in AD, and try to log on with that username in Ubuntu. Does it work?
0
 
LVL 1

Author Comment

by:Aida2
ID: 22903505
Yes, it's working, but the user doesn't have permission to create a directory or do anything.
What the user can see is his directory (he doesn't have permission to open it) and the printer.
0
 
LVL 3

Assisted Solution

by:coanda
coanda earned 62 total points
ID: 22957863
If you've set passwd and group in /etc/nsswitch.conf to use winbind, then that's where the user/group will come from, which means that if you're trying to create a directory, the directory it's being created in needs to have the appropriate permissions for your user/group from winbind. You can see which groups your user is part of with:

$ groups user

Once you know that, you can change the permissions on the directory to be what you want them to be. Linux file permissions are set using read/write/execute bits for user/group/other. For example, if you wanted to give the user and the group read and write permissions on a file/directory and only read for everyone outside of the group, you would:

$ sudo chown ADUser:ADGroup /path/to/file
$ sudo chmod u=rw,g=rw,o=r /path/to/file
0
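An added example (not from the answer above) of how the user/group/other mode bits decide whether a winbind-supplied account may create something inside a directory. The numeric IDs are constructed stand-ins for whatever winbind maps the AD user and group to, and POSIX ACLs are not considered.

```python
import os
import stat

def can_create_in(dir_mode, dir_uid, dir_gid, uid, gids):
    """Return (allowed, class_used) for creating an entry in a directory.

    Mirrors the classic mode-bit check: pick exactly one class (user, then
    group, then other) and require both write and search (x) in that class.
    """
    if uid == 0:
        return True, "root"                     # root bypasses the mode bits
    if uid == dir_uid:
        cls, w, x = "user", stat.S_IWUSR, stat.S_IXUSR
    elif dir_gid in gids:
        cls, w, x = "group", stat.S_IWGRP, stat.S_IXGRP
    else:
        cls, w, x = "other", stat.S_IWOTH, stat.S_IXOTH
    return bool(dir_mode & w and dir_mode & x), cls

def check_path(path, uid, gids):
    """Same check against a real directory; uid/gids as printed by `id`."""
    st = os.stat(path)
    return can_create_in(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)

# Constructed IDs standing in for whatever winbind maps the AD account to.
AD_UID, AD_GID = 10001, 10000

if __name__ == "__main__":
    cases = [
        ("root:root 0755", 0o755, 0, 0),
        ("ADUser:ADGroup u=rw,g=rw,o=r", 0o664, AD_UID, AD_GID),
        ("ADUser:ADGroup u=rwx,g=rwx,o=rx", 0o775, AD_UID, AD_GID),
    ]
    for label, mode, owner, group in cases:
        print(label, can_create_in(mode, owner, group, AD_UID, [AD_GID]))
```

On a directory the execute bit is the search permission, so a class with read and write but no execute cannot create entries there; only the first matching class is consulted.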
