Problem of integrating windows AD with Samba of Ubuntu

Posted on 2008-11-09
Last Modified: 2013-12-15
I was trying to integrate Windows Active Directory with Ubuntu 7.10 and I have followed this article:
I did everything it suggested and restarted Ubuntu at the end, and then I was stuck.
I got the message below and just couldn't log in to Ubuntu again.
kinit: name_to_dex_t(/dev/disk/by-uuid/2c13fe59-38c5-4462-990d-e7a01307beca) = sda5(8,5)
kinit: trying to resume from /dev/disk/by-uuid/2c13fe59-38c5-4462-990d-e7a01307beca
kinit: No resume image, doing normal boot...

Ubuntu 7.10 svubuntu tty1

When I try to log in it just pauses like I have typed in the wrong password, then says "Login incorrect" and goes back to the login prompt. I have tried the "root" account and a normal user account; none of them is working.

I can still log in to the Ubuntu recovery mode with root account.

Any help would be much appreciated.

Question by:brothertu
    LVL 3

    Expert Comment

    You could try doing a file system check, as root do:

    $ init 1
    $ e2fsck -fp /dev/sda5

    The -f will force a full check and -p is the option for auto-repair.
    LVL 1

    Author Comment

    Now I got the error below:
    e2fsck: bad magic number in super-block while trying to open /dev/sda5
    the superblock could not be read or does not describe a correct ext2 filesystem. If the device is valid and it really contains an ext2 filesyste (and not swap or ufs or something else), then the superblock is corrupt, and you might try running e2fsck with an alternate superblock: e2fsck -b 8193 <device>

    Any idea?
    LVL 1

    Author Comment

    I have to reinstall the Linux server and re-configure LDAP on it.
    LVL 3

    Expert Comment

    Just use the fsck utility for the file system that you're using. fsck.ext3 will work for ext3 and reiserfsck will do for a reiser file system.
    LVL 3

    Expert Comment

    How come you need LDAP? You can connect a Linux box to an AD domain without installing an LDAP client.
    LVL 1

    Author Comment

    Hi Coanda,
    If you have a better way that can make me login to the Linux box with my windows domain account, that would be great.

    That was what I tried to do by following the article I posted.
    LVL 3

    Expert Comment

    I'll try to give a brief description of what I do to connect Linux machines to my AD. Obviously, for the documents listed below, make sure to replace ds1 with your AD server and domain.local with the domain that you're using. Also, the case is important throughout what is described below.

    First make sure that your /etc/hosts file contains an entry for your domain controller (I've used ds1 as the name in the steps below).

    $ sudo apt-get update && sudo apt-get upgrade
    $ sudo apt-get install samba samba-common smbfs
    $ sudo vim /etc/samba/smb.conf

    ## /etc/samba/smb.conf:

    ------ start copy here ---------

    [global]
      workgroup = DOMAIN
      password server = ds1.domain.local
      realm = DOMAIN.LOCAL
      security = ADS
      netbios name = srv


      # winbind section
      idmap backend = rid:DOMAIN=10000-20000
      idmap uid = 10000-20000
      idmap gid = 10000-20000

      allow trusted domains = no

      winbind refresh tickets = yes
      winbind use default domain = yes
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes

      template homedir = /home/%D/%U
      template shell = /bin/bash

      guest account = nobody
      map to guest = bad user

      # set the loglevel
      log level = 3

      create mask = 774
      directory mask = 775
      locking = yes

      # added this section so that I can share out the cdrom
      usershare owner only = false

    ------- end copy here --------

    $ sudo apt-get install libpam-krb5 krb5-clients krb5-user libkrb5-dev

    !!! Important: make sure that the system time of the server being connected matches that of the domain controller.

    $ sudo vim /etc/krb5.conf

    ## /etc/krb5.conf:

    ------- start copy here --------

    [libdefaults]
            default_realm = DOMAIN.LOCAL
            clockskew = 300

    [realms]
            DOMAIN.LOCAL = {
                    kdc = ds1.domain.local
                    default_domain = domain.local
                    admin_server = ds1.domain.local
            }

    [domain_realm]
            .domain.local = DOMAIN.LOCAL

    [appdefaults]
            pam = {
                    ticket_lifetime = 1d
                    renew_lifetime = 1d
                    forwardable = true
                    proxiable = false
                    retain_after_close = false
                    minimum_uid = 1
                    try_first_pass = true
            }

    ------- end copy here --------

    ## /etc/nsswitch.conf

    ------- start copy here --------

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind

    hosts:          files dns mdns4
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    ------- end copy here --------

    Contents of the various pam.d files:

    $ sudo vim /etc/pam.d/common-account

    account sufficient
    account required

    $ sudo vim /etc/pam.d/common-auth

    auth sufficient
    auth sufficient nullok_secure use_first_pass
    auth required

    $ sudo vim /etc/pam.d/common-password

    password required nullok obscure min=4 max=8 md5

    $ sudo vim /etc/pam.d/common-session

    session required

    $ sudo vim /etc/pam.d/samba

    @include common-auth
    @include common-account
    @include common-session

    Now start the services and connect to the domain:

    $ sudo /etc/init.d/samba stop
    $ sudo /etc/init.d/winbind stop
    $ sudo kinit administrator@DOMAIN.LOCAL
    $ sudo net ads join -U administrator
    $ sudo /etc/init.d/samba start
    $ sudo /etc/init.d/winbind start

    This usually works for me, but sometimes there is some additional tooling around, depending on the distribution.
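The walkthrough above depends on a handful of settings that are easy to get wrong (the expert's own warnings: case matters, the clocks must agree, the DC must be in /etc/hosts, and winbind must be wired into nsswitch). The script below is an added example written for this page, not the expert's code and not part of Samba; it checks those settings before `net ads join` is attempted. It assumes the names from the walkthrough (ds1, DOMAIN.LOCAL, a 300-second clockskew) and the function names are hypothetical. The sample files it builds at the bottom are constructed for the demo, not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): pre-join sanity checks
# for the settings the walkthrough above depends on. Functions take file
# paths and numbers as arguments so they work on constructed copies as well
# as the live /etc files. Function names are hypothetical.

# smb.conf must describe an ADS member server: security = ADS together with
# realm, workgroup and password server. Returns 0 only when all are present.
check_smb_conf() {
    for key in security realm workgroup 'password server'; do
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]*=" "$1"; then
            echo "smb.conf: missing '$key'" >&2
            return 1
        fi
    done
    if ! grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1"; then
        echo "smb.conf: 'net ads join' needs security = ADS" >&2
        return 1
    fi
}

# Kerberos realm names are case-sensitive: the realm in smb.conf and the
# default_realm in krb5.conf must be identical and upper-case.
check_realm_case() {
    smb_realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]')
    krb_realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1 | tr -d '[:space:]')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] &&
        [ "$smb_realm" = "$(printf '%s' "$smb_realm" | tr 'a-z' 'A-Z')" ]
}

# nsswitch.conf: passwd, group and shadow must list winbind, otherwise
# kinit succeeds but the login prompt cannot resolve domain accounts.
check_nsswitch() {
    for db in passwd group shadow; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1"; then
            echo "nsswitch.conf: '$db' does not consult winbind" >&2
            return 1
        fi
    done
}

# The hosts file must name the domain controller (ds1 in the thread).
# $1 = hosts file, $2 = DC host name.
check_hosts() {
    grep -Eq "^[^#]*[[:space:]]$2([[:space:]]|$)" "$1"
}

# Kerberos rejects tickets when clocks differ by more than clockskew
# (300 s in the krb5.conf above). $1, $2 = epoch seconds, $3 = limit.
skew_ok() {
    delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then delta=$(( 0 - $delta )); fi
    [ "$delta" -le "$3" ]
}

# Run every file check against smb.conf, krb5.conf, nsswitch.conf and hosts
# in directory $1 for domain controller $2; returns 0 when all pass.
run_checks() {
    fails=0
    check_smb_conf "$1/smb.conf" || fails=$((fails + 1))
    check_realm_case "$1/smb.conf" "$1/krb5.conf" ||
        { echo "realm differs between smb.conf and krb5.conf or is not upper-case" >&2; fails=$((fails + 1)); }
    check_nsswitch "$1/nsswitch.conf" || fails=$((fails + 1))
    check_hosts "$1/hosts" "$2" || { echo "hosts: no entry for $2" >&2; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Stand-alone demo on constructed files (assumed contents, not the poster's
# real configuration); pass /etc as the directory to check a live system.
demo=$(mktemp -d)
printf '[global]\n  workgroup = DOMAIN\n  password server = ds1.domain.local\n  realm = DOMAIN.LOCAL\n  security = ADS\n' > "$demo/smb.conf"
printf '[libdefaults]\n  default_realm = DOMAIN.LOCAL\n  clockskew = 300\n' > "$demo/krb5.conf"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat winbind\n' > "$demo/nsswitch.conf"
printf '127.0.0.1 localhost\n192.0.2.10 ds1.domain.local ds1\n' > "$demo/hosts"
if run_checks "$demo" ds1; then echo "all pre-join checks passed"; fi
now=$(date +%s)
if skew_ok "$now" "$(( now + 400 ))" 300; then :; else echo "a clock skew of 400 s would break kinit"; fi
rm -rf "$demo"
```

On a real machine, `run_checks /etc ds1` exercises the same functions against the live files. The skew check needs the domain controller's clock as a second epoch value; Samba's `net time` subcommand can display a remote server's time, and a difference larger than the configured clockskew explains a kinit failure before anything else is investigated.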
    LVL 1

    Author Comment

    Thanks Coanda.
    I have followed your instruction to configure all the related files.
    And I can run this command with no error:
    $ sudo kinit administrator@DOMAIN.LOCAL

    I have also run the klist command to make sure I am getting the Kerberos ticket, and it looked good.

    But this command failed:
    $ sudo net ads join -U administrator
    I got the error below:
    Host is not configured as a member server
    Invalid configuration.  Exiting.
    Failed to join domain: Invalid domain role

    I remembered that I went this far last time and got the same error when I tried to join the Linux box to the domain.

    LVL 1

    Author Comment

    I added the following lines to the smb.conf file:
    local master = no
    domain master = no
    preferred master = no
    wins server = x.x.x.x

    And now I can join the Linux box to the domain with this command:
    $ sudo net ads join -U administrator

    I guess maybe I can try to log in to the Linux box with my domain account.
    But I am not sure what the login name would be. Should I use this as the login name?

    I did a quick try with it but failed with the error "access denied", so it must be something as.

    Any suggestion?
    Many thanks
    LVL 3

    Accepted Solution

    To list all of the users that winbind can see, use the command "wbinfo -u", and to list the groups use "wbinfo -g". My systems only require me to log in using my username, but I have sometimes during testing needed to use DOMAIN\username to get it to go.
    LVL 1

    Author Comment

    This one worked for me:

    It's all good now. Thank you very much for your help.
