brothertu (Australia) asked:

Problem of integrating windows AD with Samba of Ubuntu

I was trying to integrate Windows Active Directory with Ubuntu 7.10 and I have followed this article:
http://www.ubuntugeek.com/how-to-integrate-windows-active-directory-and-samba-in-ubuntu.html#comment-152005
I did everything it suggested and restarted Ubuntu at the end, and then I was stuck.
I got the message below and just couldn't log in to Ubuntu again.
---------------------
kinit: name_to_dex_t(/dev/disk/by-uuid/2c13fe59-38c5-4462-990d-e7a01307beca) = sda5(8,5)
kinit: trying to resume from /dev/disk/by-uuid/2c13fe59-38c5-4462-990d-e7a01307beca
kinit: No resume image, doing normal boot...

Ubuntu 7.10 svubuntu tty1
---------------------

When I try to log in it just pauses like I had typed in the wrong password, then says "Login incorrect" and goes back to the login prompt. I have tried the "root" account and a normal user account; neither of them works.

I can still log in to the Ubuntu recovery mode with root account.

Any help would be much appreciated.


coanda:

You could try doing a file system check, as root do:

$ init 1
$ e2fsck -fp /dev/sda5

The -f will force a full check and -p is the option for auto-repair.
brothertu (asker):

Thanks.
Now I get the error below:
e2fsck: bad magic number in super-block while trying to open /dev/sda5
the superblock could not be read or does not describe a correct ext2 filesystem. If the device is valid and it really contains an ext2 filesystem (and not swap or ufs or something else), then the superblock is corrupt, and you might try running e2fsck with an alternate superblock: e2fsck -b 8193 <device>

Any idea?

brothertu (asker):

I have to reinstall the Linux server and re-configure LDAP on it.

coanda:

Just use the fsck utility for the file system that you're using. fsck.ext3 will work for ext3 and reiserfsck will do for a reiser file system.

How come you need LDAP? You can connect a Linux box to an AD domain without installing an LDAP client.
brothertu (asker):

Hi Coanda,
If you have a better way that can make me log in to the Linux box with my Windows domain account, that would be great.

That was what I tried to do by following the article I posted.
Thanks.

coanda:

I'll try to give a brief description of what I do to connect Linux machines to my AD. Obviously, for the documents listed below, make sure to replace ds1 with your AD server and domain.local with the domain that you're using. Also, the case is important throughout what is described below.

First make sure that your /etc/hosts file contains an entry for your domain controller (I've used ds1 as the name in the steps below).

$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install samba samba-common smbfs
$ sudo vim /etc/samba/smb.conf

## /etc/samba/smb.conf:

------ start copy here ---------

[global]
  workgroup = DOMAIN
  password server = ds1.domain.local
  realm = DOMAIN.LOCAL
  security = ADS
  netbios name = srv

  socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

  # winbind section
  idmap backend = rid:DOMAIN=10000-20000
  idmap uid = 10000-20000
  idmap gid = 10000-20000

  allow trusted domains = no

  winbind refresh tickets = yes
  winbind use default domain = yes
  winbind offline logon = false
  winbind enum users = yes
  winbind enum groups = yes

  template homedir = /home/%D/%U
  template shell = /bin/bash

  guest account = nobody
  map to guest = bad user

  # set the loglevel
  log level = 3

  create mask = 774
  directory mask = 775
  locking = yes

  # added this section so that I can share out the cdrom
  usershare owner only = false

------- end copy here --------

$ sudo apt-get install libpam-krb5 krb5-clients krb5-user libkrb5-dev

!!! Important: make sure that the system time of the server being connected matches that of the domain controller.

$ sudo vim /etc/krb5.conf

## /etc/krb5.conf:

------- start copy here --------

[libdefaults]
        default_realm = DOMAIN.LOCAL
        clockskew = 300

[realms]
        DOMAIN.LOCAL = {
                kdc = ds1.domain.local
                default_domain = domain.local
                admin_server = ds1.domain.local
        }

[domain_realm]
        .domain.local = DOMAIN.LOCAL

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 1
                try_first_pass = true
        }

------- end copy here --------

## /etc/nsswitch.conf

------- start copy here --------

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

------- end copy here --------

Contents of the various pam.d files:

$ sudo vim /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so

$ sudo vim /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so

$ sudo vim /etc/pam.d/common-password

password required pam_unix.so nullok obscure min=4 max=8 md5

$ sudo vim /etc/pam.d/common-session

session required  pam_unix.so

$ sudo vim /etc/pam.d/samba

@include common-auth
@include common-account
@include common-session

Now start the services and connect to the domain:

$ sudo /etc/init.d/samba stop
$ sudo /etc/init.d/winbind stop
$ sudo kinit administrator@DOMAIN.LOCAL
$ sudo net ads join -U administrator
$ sudo /etc/init.d/samba start
$ sudo /etc/init.d/winbind start

This usually works for me but sometimes there is some additional tooling around depending on the distribution.
brothertu (asker):

Thanks Coanda.
I have followed your instructions to configure all the related files.
And I can run this command with no error:
$ sudo kinit administrator@DOMAIN.LOCAL

I have also run the klist command to make sure I am getting the Kerberos ticket, and it looked good.

But this command failed:
$ sudo net ads join -U administrator
I got the error below:
Host is not configured as a member server
Invalid configuration.  Exiting.
Failed to join domain: Invalid domain role

I remember that I got this far last time and got the same error when I tried to join the Linux box to the domain.

brothertu (asker):

I added the following lines to the smb.conf file:
local master = no
domain master = no
preferred master = no
wins server = x.x.x.x

And now I can join the Linux box to the domain with this command:
$ sudo net ads join -U administrator

I guess maybe I can try to log in to the Linux box with my domain account.
But I am not sure what the login name would be. Should I use this as the login name?
Username@domain.local

I did a quick try with it but failed with the error "access denied", so it must be something as.

Any suggestion?
Many thanks
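As an added example (not code from the thread, from Samba, or from the article linked above), here is a POSIX sh check over the three files from coanda's write-up plus the three "master = no" lines from the post above, so the settings can be verified before running net ads join; the file paths, function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the member-server settings
# before running "net ads join". File paths are passed in so it can run on
# copies; the key list comes from coanda's files and brothertu's fix above.
# conf_get FILE KEY -> value of the first "KEY = value" line, trimmed
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_join_config SMB KRB5 NSS -> returns the number of failed checks (0 = ok)
check_join_config() {
    smb=$1; krb5=$2; nss=$3; fails=0
    realm=$(conf_get "$smb" realm)
    # Kerberos-based membership needs security = ADS
    [ "$(conf_get "$smb" security | tr a-z A-Z)" = "ADS" ] \
        || { echo "smb.conf: security must be ADS"; fails=$((fails+1)); }
    # realm is case sensitive: upper case, and identical to krb5 default_realm
    [ -n "$realm" ] && [ "$realm" = "$(echo "$realm" | tr a-z A-Z)" ] \
        || { echo "smb.conf: realm must be set in upper case"; fails=$((fails+1)); }
    [ "$realm" = "$(conf_get "$krb5" default_realm)" ] \
        || { echo "krb5.conf: default_realm differs from smb.conf realm"; fails=$((fails+1)); }
    for k in workgroup "password server"; do
        [ -n "$(conf_get "$smb" "$k")" ] \
            || { echo "smb.conf: '$k' is missing"; fails=$((fails+1)); }
    done
    # a member server must not claim any master role (brothertu's fix above)
    for k in "local master" "domain master" "preferred master"; do
        [ "$(conf_get "$smb" "$k" | tr A-Z a-z)" = "no" ] \
            || { echo "smb.conf: '$k = no' is required"; fails=$((fails+1)); }
    done
    # users and groups must be resolved through winbind
    for db in passwd group; do
        grep -Eq "^$db:"'.*[[:space:]]winbind([[:space:]]|$)' "$nss" \
            || { echo "nsswitch.conf: $db does not list winbind"; fails=$((fails+1)); }
    done
    return $fails
}

# demo_check -> runs the check on constructed copies of the thread's settings
demo_check() {
    d=$(mktemp -d)
    printf '%s\n' '[global]' '  workgroup = DOMAIN' '  password server = ds1.domain.local' \
        '  realm = DOMAIN.LOCAL' '  security = ADS' '  local master = no' \
        '  domain master = no' '  preferred master = no' > "$d/smb.conf"
    printf '%s\n' '[libdefaults]' '        default_realm = DOMAIN.LOCAL' > "$d/krb5.conf"
    printf '%s\n' 'passwd:         compat winbind' 'group:          compat winbind' > "$d/nsswitch.conf"
    check_join_config "$d/smb.conf" "$d/krb5.conf" "$d/nsswitch.conf"
}
```

Run `check_join_config /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf` against the live files; each failed check is printed and the exit status is the number of failures.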
ASKER CERTIFIED SOLUTION
coanda:

brothertu (asker):

Yes!
This one worked for me:
DOMAIN\username

It's all good now. Thank you very much for your help.