• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1503
  • Last Modified:

Problem of integrating windows AD with Samba of Ubuntu

I was trying to integrate windows Acitive Directory with Ubuntu 7.10 and I have followed this article:
http://www.ubuntugeek.com/how-to-integrate-windows-active-directory-and-samba-in-ubuntu.html#comment-152005
I did everything it suggested and restarted the Ubuntu by the end, and then I was stuck.
I got the message below and just couldn't login to Ubuntu again.
---------------------
kinit: name_to_dex_t(/dev/disk/by-uuid/2c13fe59-38c5-4462-990d-e7a01307beca) = sda5(8,5)
kinit: trying to resume from /dev/disk/by-uuid/2c13fe59-38c5-4462-990d-e7a01307beca
kinit: No resume image, doing normal boot...

Ubuntu 7.10 svubuntu tty1
---------------------

When I try to log in it just pauses like I have type in the wrong password and the says "Login incorrect" and then goes back to Login prompt. I have tried "root" account and normal user account, none of them working.

I can still log in to the Ubuntu recovery mode with root account.

Any help would be much appreciated.


0
brothertu
Asked:
brothertu
  • 6
  • 5
1 Solution
 
coandaCommented:
You could try doing a file system check, as root do:

$ init 1
$ e2fsck -fp /dev/sda5

The -f will force a full check and -p is the option for auto-repair.
0
 
brothertuAuthor Commented:
Thanks.
Now I got error below:
e2fsck: bad magic number in super-block while trying to open /dev/sda5
the superblock could not be read or does not describe a correct ext2 filesystem. If the device is valid and it really contains an ext2 filesyste (and not swap or ufs or something else), then the superblock is corrupt, and you might try running e2fsck with an alternate superblock: e2fsck -b 8193 <device>

Any idea?
0
 
brothertuAuthor Commented:
I have to reinstall the Linux server and re-configure LDAP on it.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
coandaCommented:
just use the fsck utility for the file system that you're using. fsck.ext3 will work for ext3 and reiserfsck will do for a reiser file system.
0
 
coandaCommented:
How come you need LDAP? You can connect a Linux box to an AD domain without installing an LDAP client.
0
 
brothertuAuthor Commented:
Hi Coanda,
If you have a better way that can make me login to the Linux box with my windows domain account, that would be great.

That was what I have tried to do by following the article I posted.
Thanks.
0
 
coandaCommented:
I'll try to do a brief description of what I do to connect Linux machines to my AD, obviously for the documents listed below make sure to replace ds1 with your AD server and domain.local with the domain that you're using. Also, the case is important throughout what is described below.

First make sure that your /etc/hosts file contains an entry for your domain controller (I've used ds1 as a name in the steps below)

$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install samba samba-common smbfs
$ sudo vim /etc/samba/smb.conf

## /etc/samba/smb.conf:

------ start copy here ---------

[global]
  workgroup = DOMAIN
  password server = ds1.domain.local
  realm = DOMAIN.LOCAL
  security = ADS
  netbios name = srv

  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

  # winbind section
  idmap backend = rid:DOMAIN=10000-20000
  idmap uid = 10000-20000
  idmap gid = 10000-20000

  allow trusted domains = no

  winbind refresh tickets = yes
  winbind use default domain = yes
  winbind offline logon = false
  winbind enum users = yes
  winbind enum groups = yes

  template homedir = /home/%D/%U
  template shell = /bin/bash

  guest account = nobody
  map to guest = bad user

  # set the loglevel
  log level = 3

  create mask = 774
  directory mask = 775
  locking = yes

  # added this section so that I can share out the cdrom
  usershare owner only = false

------- end copy here --------

$ sudo apt-get install libpam-krb5 krb5-clients krb5-user libkrb5-dev

!!!Important, make sure that the system time of the server being connected matches that of the domain controller.

$ sudo vim /etc/krb5.conf

## /etc/krb5.conf:

------- start copy here --------

[libdefaults]
        default_realm = DOMAIN.LOCAL
        clockskew = 300

[realms]
        DOMAIN.LOCAL = {
                kdc = ds1.domain.local
                default_domain = domain.local
                admin_server = ds1.domain.local
        }

[domain_realm]
        .domain.local = DOMAIN.LOCAL

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 1
                try_first_pass = true
        }

------- end copy here --------

## /etc/nsswitch.conf

------- start copy here --------

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

------- end copy here --------

Contents of the various pam.d files:

$ sudo vim /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so

$ sudo vim /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so

$ sudo vim /etc/pam.d/common-password

password required pam_unix.so nullok obscure min=4 max=8 md5

$ sudo vim /etc/pam.d/common-session

session required  pam_unix.so

$ sudo vim /etc/pam.d/samba

@include common-auth
@include common-account
@include common-session

Now start the services and connect to the domain

$ sudo /etc/init.d/samba stop
$ sudo /etc/init.d/winbind stop
$ sudo kinit administrator@DOMAIN.LOCAL
$ sudo net ads join -U administrator
$ sudo /etc/init.d/samba start
$ sudo /etc/init.d/winbind start

This usually works for me but sometimes there is some additional tooling around depending on the distribution.
0
 
brothertuAuthor Commented:
Thanks Coanda.
I have followed your instruction to configure all the related files.
And I can run this command with no error:
$ sudo kinit administrator@DOMAIN.LOCAL

I have also ran klist command to make sure I am getting the Kerberos ticket, and it looked good.

But this command failed:
$ sudo net ads join -U administrator
I got error below:
Host is not configured as a member server
Invalid configuration.  Exiting.
Failed to join domain: Invalid domain role

I remembered that I went this far last time and got the same error when tried to join the Linux box to  domain.



0
 
brothertuAuthor Commented:
I added following lines to the smb.conf file:
local master = no
domain master = no
preferred master = no
wins server = x.x.x.x

And now I can join the Linux box to domain with this command:
$ sudo net ads join -U administrator

I guess maybe I can try to login the Linux box with my domain account.
But I am not sure what the login name would be. Should I use this as login name?
 Username@domain.local

I did a quick try with it but failed with error " access denied", so it must be something as.

Any suggestion?
Many thanks
0
 
coandaCommented:
to list all of the users that winbind can see use the command "wbinfo -u" and to list the groups use "wbinfo -g", my systems only require me to log in using my username but I have sometimes during testing needed to use DOMAIN\username to get it to go.
0
 
brothertuAuthor Commented:
Yes!
This one worked for me:
DOMAIN\username

It's all good now. Thank you very much for your help.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now