Solved

Active Directory and Debian

Posted on 2008-10-31
Last Modified: 2013-12-24
Hello,
Is there any way to match Windows 2003 Active Directory to Debian?
I mean I want to create a user in Debian, but the password is read from Active Directory.
Thanks
0
Question by:Aida2
23 Comments
 
LVL 29

Expert Comment

by:fosiul01
ID: 22849668
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22849691
0
 
LVL 1

Author Comment

by:Aida2
ID: 22853429
Hello,
Thanks for your suggestion.
I get this error:
kinit(v5): Improper format of Kerberos configuration file while initializing Kerberos 5 library
My /etc/krb5.conf looks like this:

[libdefaults]
        default_realm = test.local
        dns_lookup_realm = false
        dns_lookup_kdc = false
// clock_skew = 300
        ticket_lifetime = 24h
        forwardable = yes

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[logging]

        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

[realms]
        test.local = {
                kdc = ford.test.local
                admin_server = ford.test.local
                default_domain = test.local
                        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
                kdc = kerberos.media.mit.edu
                admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
                kdc = three-headed-dogcow.mit.edu:88
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
                kdc = kerberos.gnu.org
                kdc = kerberos-2.gnu.org
                kdc = kerberos-3.gnu.org
                admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
                kdc = kerberos.gratuitous.org
                admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
                kdc = kerberos.doomcom.org
                admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }

[domain_realm]
        .kerbos.server = test.local
        .DOMAIN.LOCAL = test.local
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu

[login]
        krb4_convert = true
        krb4_get_tickets = false

_________________
Please Help
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854052
Hi, I did not implement this before.
But let's try to fix it.
Which tutorial are you trying to follow, and with which command did you get this error?
If you can tell me, I could look into this.
Thanks
0
 
LVL 1

Author Comment

by:Aida2
ID: 22854123
I followed your first link:
http://rubenleusink.com/debian-linux-filesharing-with-microsoft-active-directory-authentication-2008-10-07/
After installing all the packages I edited the file krb5.conf, then I ran the command (in step 4)
kinit administrator@test.local and I got this error:

kinit(v5): Improper format of Kerberos configuration file while initializing Kerberos 5 library
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854207
While I look for other documents,
have a look at this one:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/179142

Also:
Error Message


Improper format of Kerberos configuration file

Reason Occurred
The Kerberos configuration file (krb5.conf) has invalid entries.

Solution
Make sure all the relations in the krb5.conf file are followed by the "=" sign and a value, and verify that the brackets are present in pairs for each subsection.


Does that make any sense?

I am searching more...
0
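The two checks quoted in the comment above (every relation has an "=" and a value, braces come in pairs), as an added example that is not part of the original thread: a small Python linter run on a constructed sample. The function name and the sample are assumptions; because krb5.conf comments start with `#` or `;`, a `//` line like the one in the posted file is reported as a malformed relation.

```python
import re

SECTION = re.compile(r"^\[[^\[\]]+\]\*?$")         # e.g. [libdefaults]
RELATION = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")   # tag = value

# Constructed sample (not the poster's file): '//' line, bare tag, unclosed '{'.
SAMPLE = """\
[libdefaults]
        default_realm = test.local
// clock_skew = 300
        forwardable

[realms]
        test.local = {
                kdc = ford.test.local

[domain_realm]
        .test.local = test.local
"""

def lint_krb5_conf(text):
    """Return [(line_number, message)] for each syntax problem found."""
    problems, open_braces = [], []   # open_braces: line numbers of unclosed '{'
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or real comment
            continue
        if line.startswith("["):
            if not SECTION.match(line):
                problems.append((n, "malformed section header"))
            for b in open_braces:            # a new section cannot start inside braces
                problems.append((n, f"'{{' from line {b} not closed before section"))
            open_braces.clear()
        elif line == "}":
            if open_braces:
                open_braces.pop()
            else:
                problems.append((n, "'}' without matching '{'"))
        else:
            m = RELATION.match(line)
            if not m or not m.group(2):      # no '=', junk before '=', or no value
                problems.append((n, "expected 'tag = value'"))
            elif m.group(2) == "{":
                open_braces.append(n)
    problems += [(b, "'{' never closed") for b in open_braces]
    return problems

if __name__ == "__main__":
    print(*lint_krb5_conf(SAMPLE), sep="\n")
```

The linter is stricter than the Kerberos library in one place: it requires the value (or the opening brace) on the same line as the tag.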
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854228
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22854266
If I check your krb5.conf and the tutorial,

you have
[login]
        krb4_convert = true
        krb4_get_tickets = false

extra, is that all right?
0
 
LVL 1

Author Comment

by:Aida2
ID: 22856201
Yes, it was the default; I don't use krb4.
What about my domain and server? In all the examples I can see they are written in uppercase.
And I don't.
0
 
LVL 1

Author Comment

by:Aida2
ID: 22865161
Hello,
Now it works and I joined my server to the domain. But in step 9, when I say wbinfo -u, it should list
all domain users, but I get this error:
Error looking up domain users

Any idea?
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22865377
Hi, yes, sorry, due to the weekend I was on holiday.

Let me look at the tutorial again.
I will come back to you soon.
0

 
LVL 29

Expert Comment

by:fosiul01
ID: 22865467
Check this one:

http://www.experts-exchange.com/Networking/Unix_Networking/Q_21492200.html

"Does your PDC know itself by name you call it in /etc/hosts ???"

From Google, it's sure it's a DNS issue.

Let me check a little more.
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22865499
What about the user permission?
From the Linux box you have connected to Windows AD, and from the Linux box you are trying to get domain user information from Windows AD, isn't it?

So the user name you are trying to use, does it have proper permission to do this query?
0
 
LVL 1

Author Comment

by:Aida2
ID: 22865840
I tried to run the command sudo net ads join -U "DOMAINADMIN" with administrator for "DOMAINADMIN":
sudo net ads join -U administrator
administrator's password:
[2008/11/03 11:34:48, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Interrupted system call
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22866040
Check this one, it's a DNS issue:

http://bbs.archlinux.org/viewtopic.php?id=31255

I will have a look some more, just give me a little more time.
0
 
LVL 29

Accepted Solution

by:
fosiul01 earned 63 total points
ID: 22866367
http://www.informit.com/content/images/0131882228/downloads/0131882228_book.pdf

Page 441.

Just read it, and check if this is the same as your configuration.

The problem is either the password or DNS.
0
 
LVL 1

Author Comment

by:Aida2
ID: 22878151
Hello,
Thanks for your advice, all is fine and working. How can I create users and sync with my AD?
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22878226
Hahaha, you don't have to thank me, because if it works, it's working for you.

I really never worked with Ubuntu, I was just trying to help you with Google search, that's all.

About sync with AD, let me have a look in Google again; I will come back to you.

But that tutorial does not say anything about sync with AD?

0
 
LVL 1

Author Comment

by:Aida2
ID: 22884505
I have Debian, not Ubuntu. When I say wbinfo -u in my Debian I can see all users in my Active Directory.
How can I sync users? I mean, should I create the user on the Linux box, and then how can I tell it to sync the password with AD?
I have no user in my Linux.
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22884538
Hmm, tell me something.

You can see the username from AD.
Pick a username which is in AD, and try to log on with that username in Ubuntu. Does it work?
0
 
LVL 1

Author Comment

by:Aida2
ID: 22903505
Yes, it's working, but the user doesn't have permission to create a directory or do anything.
What the user can see is his directory (he doesn't have permission to open it) and the printer.
0
 
LVL 3

Assisted Solution

by:coanda
coanda earned 62 total points
ID: 22957863
If you've set passwd and group in /etc/nsswitch.conf to use winbind, then that's where the user/group will come from, which means that if you're trying to create a directory, the directory it's being created in needs to have the appropriate permissions for your user/group from winbind. You can see what groups your user is part of with:

$ groups user

Once you know that, you can change the permissions on the directory to be what you want them to be. Linux file permissions are set using read/write/execute bits for user/group/other. For example, if you wanted to give the user and the group read and write permissions on a file/directory and only read for everyone outside of the group, you would run:

$ sudo chown ADUser:ADGroup /path/to/file
$ sudo chmod u=rw,g=rw,o=r /path/to/file
0
