Linux Fedora7 Samba Joining ADS on Windows Server 2003

Hi all,

I have installed Linux Fedora 7, which is basically the same as Red Hat Linux v5.

Issue:

I need to join the Fedora 7 box to ADS. I followed different instruction guidelines during the past weeks; I even asked for help here on Experts Exchange, and that question was closed, but the problem was never really solved.

I can join successfully, with no errors at all. When I run wbinfo -t, -u or -g from the root account I can see all user accounts and all groups from AD, and the RPC calls succeed with the -t switch. The wbinfo command is also successful from a normal local Linux account.

Here's the fun part:

I cannot log on at all with any of the domain accounts, no matter whether it is a Domain Admin account or a normal user account.

The computer account is also successfully created on the DC and the host A record is created on the DNS server.

When I join with  # net ads join -U violanted (the password is prompted)
The result is:
Joined account fedora7 in realm technopc.eu
I can even leave the domain without any errors:

[root@fedora7 ~]# net ads leave -U violanted
violanted's password:
Deleted account for 'FEDORA7' in realm 'TECHNOPC.EU'
[root@fedora7 ~]#
Then the account disappears from the DC, as it should.

So... no errors; the configuration seems to be absolutely OK from every side. Why can't I log in using the domain accounts once joined to ADS?

The most accurate guideline that I followed, and that gave me the best result, can be found at the following link:

http://www.interopsystems.com/LearningCenter/Using_Samba_and_Kerberos.htm

I can also see the accounts on the login screen of the GUI on the physical Fedora server, but the issue is the same: I cannot log in with the domain user accounts.

Whoever helps solve this issue will get the 500 points immediately, no delay.

Thanks
daveviolante asked:

Gabriel Orozco (Solution Architect) commented:
Hi

Can you post your smb.conf here?

Remember some tips:
- stop SELinux
- your security has to be ADS
- increase the log level to 6 and check the error messages to locate the root cause.

Just follow this excellent link:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Samba/Q_23372014.html

If you do not want to dig into that question, here is how your global section must look:

[global]
        workgroup = DOMAIN
        password server = pdc.domain.local
        realm = DOMAIN.LOCAL
        security = ADS
        #winbind section
        idmap backend = rid:DOMAIN=10000-20000
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        allow trusted domains = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        guest account = nobody
        map to guest = bad user
0
daveviolante (Author) commented:

I will try tomorrow
I will send the smb.conf
0
daveviolante (Author) commented:
I adopted the exact configuration you mentioned, but unfortunately the result has not changed.

I can join the domain successfully and I can test users:
[root@fedora7 samba]# net ads join -U violanted
violanted's password:
Using short domain name -- TECHNOPC
Joined 'FEDORA7' to realm 'TECHNOPC.EU'
[root@fedora7 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@fedora7 samba]# wbinfo -u
guest
violanted
krbtgt
support_388945a0
simonev
antonior
agnesm
nadirm
valentinav
edc72976-d2cf-4e8c-9
iusr_dc-02
iwam_dc-02
bkup-alert
andreac
rdhl
iusr_dc-01
iwam_dc-01
ipmonitor
aspnet
san
ugov
iusr_dc-03
iwam_dc-03
[root@fedora7 samba]#

When I try to access from the command line or from the physical Fedora server I get:
login as: agnesm
agnesm@82.169.132.216's password:
Access denied
agnesm@82.169.132.216's password

Here is the smb.conf.

PAM has also been configured; I added a line for the home directory.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/07/14 10:57:18
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

        workgroup = TECHNOPC
        password server = dc-02.TECHNOPC.EU
        realm = TECHNOPC.EU
        security = ADS
        #winbind section
        # the rid backend is keyed by the short domain name, so the "DOMAIN"
        # placeholder from the template has to be this host's workgroup
        idmap backend = rid:TECHNOPC=10000-20000
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        allow trusted domains = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        guest account = nobody
        map to guest = bad user

What's wrong?


0
Gabriel Orozco (Solution Architect) commented:
I believe you will not be able to log on to the Linux box with the AD accounts.

Have you tried accessing a share, say the user's home directory, from a Windows workstation?

It looks to me like you want to use AD to authenticate against Linux to ssh in, but the configuration stated here is for Samba only.
0
Daniel McAllister (President, IT4SOHO, LLC) commented:
If the desire is to be able to log into the Linux system with the AD account, then you're going to have to modify PAM -- by default, all of the AD setup HOWTOs are designed to allow AD access via Samba, so the Samba winbind utility is what checks the AD authentication.

But the standard login (and xlogin) programs do not know how to use winbind to authenticate...

I don't have time to do the research, but I have to think that there are PAM modules out there that can do this!

Good Luck!

Dan
IT4SOHO
0
Gabriel Orozco (Solution Architect) commented:
Oh, it is perfectly possible to log on to Linux using LDAP, and thus also Active Directory.

But the question is: is that what you want? Is it Samba or is it login authentication?
0
daveviolante (Author) commented:

Login authentication from ssh and also from Linux itself; this is what I need to do.
0
Gabriel Orozco (Solution Architect) commented:
Very well then.

You may then want to follow this for CentOS:
http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2

0
daveviolante (Author) commented:

Hi,

I followed that link and followed all the instructions step by step.

I am not sure about the ldap.conf file; I made the changes but am not sure they are fully correct.

In any case, using the AD account I am still not able to log in from ssh or from Linux itself.

I have some users that need to work on Fedora only from ssh, so my goal is to let them log on using their AD account.

So far it has been mission impossible.
I am not able to find on the internet the proper info and correct steps on how to accomplish this.
0
Daniel McAllister (President, IT4SOHO, LLC) commented:
I have found an article you might find helpful at
  http://www.occam.com/tools/ad_auth.html

You can find more by simply googling for "PAM Active Directory login"

NOTE: the article noted above has 3 parts:
 1) linking AD into Samba (and running winbindd) -- which it appears you already have done
 2) linking AD into PAM (for login and ssh) -- be careful not to redo the parts you've already done (like krb5.conf)
 3) mapping AD users & groups to EXISTING *nix users & groups -- which you may or may not want

Good luck!

Dan
IT4SOHO
0
daveviolante (Author) commented:
I tried to follow all the suggestions provided, but I can tell that in general there is no proper internet guideline that drives you towards the right configuration of AD authentication in Linux and Samba authentication. I can successfully join Samba to the domain in Fedora 7 and can see all users if I run:
# wbinfo -u
# wbinfo -t
# wbinfo -g
but if I run:

[root@fedora7 ~]# wbinfo -a violanted%M@ndelbaum01
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user violanted%M@ndelbaum01 with plaintext password
challenge/response password authentication succeeded
So I am not sure what that means, but I cannot log on to Linux using an AD account, no matter if I try from PuTTY ssh or from Linux itself.

Any other idea?
0
Daniel McAllister (President, IT4SOHO, LLC) commented:
Let's see if I can make this more clear...

Samba is the ONLY part of your system that has "joined" the AD. Samba is the only part of your Linux system that knows (or cares to know) about Microsoft, and that is because Samba was specifically designed to do so.

The Linux login program knows no more about AD login names than it does about e-mail addresses or websites that you are managing... unless you somehow TELL it to query some other authority -- and the WAY that you tell it to use some other mechanism is through PAM (Pluggable Authentication Modules).

The same thing goes for SSH. By default, SSH will only authenticate to "local" user accounts. To tell it to do otherwise is NOT a configuration change in SSH, but rather one in PAM.

If you look in the folder /etc/pam.d, you'll find files for virtually any program that might want to authenticate users on your Linux system. Exceptions would include programs that are specifically designed to have an independent user database -- like HTTP & MySQL. But login is there, as is sshd.

A sample entry for login might be:
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so

Among other things, this says that the ROOT user can only login on a secure TTY. Users can be validated by the system authentication (/etc/passwd), and many other options -- I'm not going to write a whole PAM tutorial here.

Now, the page I sent you to has instructions on how to move a library named pam_winbind.so.1 from the Samba build into the /usr/lib/security folder. The BEST news is that it is probably ALREADY in your libraries... somewhere! (Mine got loaded into /lib64/security, but that's because I'm on Fedora Core 5 x86_64).

So, what you'll want to do is to see if you already have that library lurking around somewhere... try:
  find / -name "pam_winbind.so*"

Again, in my case, it turns out to be /lib64/security/pam_winbind.so

Now, there is ONE thing that is "off" in the instructions... namely, they are using PAM1.0 nomenclature, and if you're using a 2.6 kernel, you're much more likely to be using PAM2.0. (The difference is that PAM1.0 used one monolithic config file, and PAM2.0 uses individual files for each program that uses it.)

So, where the instructions say to make an entry like:
   other         account sufficient         pam_winbind.so

What you will want to do is to add the line below to both the login and sshd files in /etc/pam.d:
   account     sufficient      pam_winbind.so
ALSO, you'll want to add it at the beginning of the account "section" -- so if you were using MY login file from PAM above, it would look like:

auth       required     pam_securetty.so
auth       include      system-auth
account    sufficient    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so

Now, once that is done (and I'm skipping the step where you check the AD join's validity -- you say that's already working), use the "id" command, like so:
  id violanted

If that returns the requested info, then logoff and try to login again.

One final note: an option in SSH is required to use some PAM features, so make sure that your /etc/ssh/sshd_config file includes the line that says:
UsePAM    yes

I hope this helps clear things up a bit... I've just tried these settings in a client environment, and was successful at getting SSH logins for AD users. (I don't typically let users login to my Linux systems because they're servers!)

Good Luck!

Dan
IT4SOHO
0
daveviolante (Author) commented:
Hi
I honestly tried the exact configuration you proposed, and we followed the guide sent previously once again; we added the lines into PAM to be able to log in from ssh. We made sure that sshd was configured with UsePAM yes, but it still doesn't work.

As I said, I can join the domain and I can see all users and groups, so Samba is definitely joined to the domain, but once we try to log in from PuTTY ssh using a domain account we get access denied, same if we try from the GUI on the physical Fedora server. Now, to enable authentication with AD, do we need to enable LDAP?

I mean, every time I configure LDAP as well, the Fedora 7 system hangs. I also notice that the GUI interface is gone and I cannot log in anymore from there, as we get a black window.

From ssh, when we enable LDAP we can log in only with the local account or as root.

It's all strange here; I do not understand the logic behind it.

I am more of a Windows guy, but I have been using Linux for about two years and I can do quite a lot of things with Linux; still, accomplishing the current task seems to be mission impossible.

0
daveviolante (Author) commented:
Hello,

We completely messed up all configurations regarding this AD authentication in Fedora 7 using ssh.
All I want is to have the users in AD log into the Fedora box using their domain account, and possibly have a home directory created on the local server when they log in. That's all!

What's the mandatory configuration to make this happen?

I need full documentation if possible, please; I am still new to Linux, but I need to do this and I also like to learn.

thanks
0
daveviolante (Author) commented:
We installed a fresh copy of Fedora 7.

All I want is to have the users in AD log into the Fedora box using their domain account, and possibly have a home directory created on the local server when they log in.

What's the mandatory configuration to make this happen?
I am confused between LDAP, PAM, and winbind.

Which one of those we need to configure?

All of them or.....

Thanks
0
Daniel McAllister (President, IT4SOHO, LLC) commented:
I have found an article you might find helpful at
  http://www.occam.com/tools/ad_auth.html

It takes you STEP BY STEP through configuring your Linux so it can share files on the AD (you have to have Samba to do ANYTHING with AD), and then how to let AD users log in to Linux...

Dan
IT4SOHO
0
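Added example, not from any post in this thread: a script that audits the host-side pieces the replies above touch on, so the "joined but cannot log in" state can be checked in one pass. Beyond the PAM account line and UsePAM yes that Dan describes, the id violanted check he suggests only resolves a domain user when /etc/nsswitch.conf lists winbind for the passwd and group databases (nothing in the thread mentions nsswitch), pam_winbind.so must also be in the auth stack and not only in account, otherwise the password is never checked against the DC, and a pam_mkhomedir.so line in the session stack covers the home-directory request in the later posts. The file layout assumed is Fedora's, where sshd and login include system-auth; if you put the lines straight into /etc/pam.d/sshd as Dan does, point the pam variable there. The sample trees built by make_sample_tree are constructed for the self-test and are not copied from the server in the thread.

```shell
#!/bin/sh
# Audit the host-side pieces a winbind AD login depends on (added example, not from the thread).
#   1. /etc/nsswitch.conf        passwd and group must consult winbind, or `id user` fails
#   2. /etc/pam.d/system-auth    pam_winbind.so must be in BOTH the auth and account stacks
#   3. /etc/ssh/sshd_config      UsePAM yes, otherwise sshd never asks PAM at all
#   +  pam_mkhomedir.so in the session stack so a home directory is created at first login
# Every check takes a root prefix, so the script can run against a copied /etc tree
# ("" means the live system). Assumption: a Fedora layout where sshd/login include system-auth.

has_winbind_db() {  # $1 = nsswitch.conf, $2 = database (passwd|group)
    grep -Eq "^[[:space:]]*$2:.*winbind" "$1" 2>/dev/null
}

pam_has() {         # $1 = pam service file, $2 = type (auth|account|session), $3 = module file
    # matches "auth sufficient pam_winbind.so" as well as the
    # "account [default=bad success=ok user_unknown=ignore] pam_winbind.so" form authconfig writes
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^#]*$3" "$1" 2>/dev/null
}

sshd_usepam() {     # $1 = sshd_config
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1" 2>/dev/null
}

audit_ad_login() {  # $1 = root prefix; returns 0 when every mandatory check passes
    root=$1 fail=0
    nss="$root/etc/nsswitch.conf"
    pam="$root/etc/pam.d/system-auth"
    sshd="$root/etc/ssh/sshd_config"
    for db in passwd group; do
        has_winbind_db "$nss" "$db" || { echo "FAIL: $db in nsswitch.conf does not list winbind"; fail=1; }
    done
    for type in auth account; do
        pam_has "$pam" "$type" pam_winbind.so || { echo "FAIL: no pam_winbind.so in the $type stack of $pam"; fail=1; }
    done
    sshd_usepam "$sshd" || { echo "FAIL: $sshd lacks 'UsePAM yes'"; fail=1; }
    pam_has "$pam" session pam_mkhomedir.so || echo "WARN: no pam_mkhomedir.so in session; home directories are not auto-created"
    [ "$fail" -eq 0 ] && echo "OK: nsswitch, PAM and sshd are wired for winbind logins"
    return "$fail"
}

make_sample_tree() {  # $1 = dir, $2 = good|bad; constructed sample configs for the self-test
    mkdir -p "$1/etc/pam.d" "$1/etc/ssh"
    if [ "$2" = good ]; then
        printf 'passwd:  files winbind\nshadow:  files\ngroup:   files winbind\n' > "$1/etc/nsswitch.conf"
        cat > "$1/etc/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
session     required      pam_unix.so
EOF
        printf 'Protocol 2\nUsePAM yes\n' > "$1/etc/ssh/sshd_config"
    else
        # a tree with the gaps this script is meant to catch: winbind only in the account stack,
        # NSS and sshd never consulting it
        printf 'passwd:  files\ngroup:   files\n' > "$1/etc/nsswitch.conf"
        printf 'auth     sufficient pam_unix.so\naccount  sufficient pam_winbind.so\n' > "$1/etc/pam.d/system-auth"
        printf '#UsePAM no\n' > "$1/etc/ssh/sshd_config"
    fi
}

# Live use (save as audit.sh):  AUDIT_ROOT= sh audit.sh            audits this machine
#                               AUDIT_ROOT=/mnt/fedora7 sh audit.sh  audits a copied tree
if [ -n "${AUDIT_ROOT+set}" ]; then
    audit_ad_login "$AUDIT_ROOT"
fi
```

The exit status is what a cron job or a kickstart post-script would key on; the messages name the file and stack that is missing, which is the same information you would otherwise dig out of /var/log/secure at a raised log level.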

daveviolante (Author) commented:
We finally made it. I followed all your excellent links; it has been hard for me as a new sysadmin in Unix, but I learned a lot from you.

Also, thanks for being patient and for continuing to help me get our issue solved.
0