Solved

Linux Fedora7 Samba Joining ADS on Windows Server 2003

Posted on 2009-07-14
559 Views
Last Modified: 2013-12-06
Hi all,

I have installed Linux Fedora 7, which is basically the same as Red Hat Linux v5.

Issue:

I need to join the Fedora 7 box to ADS. I followed different instruction guidelines during the past weeks; I even asked for help here on Experts Exchange, and that question was closed but the problem was never really solved.

I can join successfully, no errors at all. When I run wbinfo -t, -u or -g from the root account I can see all user accounts and all groups from AD, and the RPC calls succeed with the -t switch. The wbinfo command is also successful from a normal local Linux account.

Here the fun:

I cannot log on at all with any of the domain accounts, no matter if it is a Domain Admin account or a normal user account.

The computer account is also successfully created on the DC and the host A record is created on the DNS server.

When I join with # net ads join -U violanted (the password is prompted)
the result is:
Joined account fedora7 in Real technopc.eu
I can even leave the Domain without any errors:

[root@fedora7 ~]# net ads leave -U violanted
violanted's password:
Deleted account for 'FEDORA7' in realm 'TECHNOPC.EU'
[root@fedora7 ~]#
Then the account disappears from the DC, as it should.

So... no errors, the configuration seems to be absolutely OK from every side. Why can't I log in using the domain accounts once joined to ADS?

The most accurate guideline that I followed, and the one that gave me the best result, can be found at the following link:

http://www.interopsystems.com/LearningCenter/Using_Samba_and_Kerberos.htm

I can also see the accounts on the login screen of the GUI on the physical Fedora server, but the issue is the same: I cannot log in with the domain user accounts.

Whoever helps solve this issue will get the 500 points immediately, no delay.

Thanks
0
Question by:daveviolante
19 Comments
 
LVL 19

Expert Comment

by:Redimido
Hi

Can you post your smb.conf here?

Remember some tips:
- stop selinux
- your security has to be ADS
- increase the log level to 6 and check the error messages to locate the root cause.

Just follow this excellent link:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Samba/Q_23372014.html

If you do not want to dig into that question, here is how your global section must look:

[global]
        workgroup = DOMAIN
        password server = pdc.domain.local
        realm = DOMAIN.LOCAL
        security = ADS
        #winbind section
        idmap backend = rid:DOMAIN=10000-20000
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        allow trusted domains = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        guest account = nobody
        map to guest = bad user
0
 

Author Comment

by:daveviolante

I will try tomorrow
I will send the smb.conf
0
 

Author Comment

by:daveviolante
I adopted the exact configuration you mentioned, but unfortunately the result has not changed.

I can join the domain successfully and I can test users:
[root@fedora7 samba]# net ads join -U violanted
violanted's password:
Using short domain name -- TECHNOPC
Joined 'FEDORA7' to realm 'TECHNOPC.EU'
[root@fedora7 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@fedora7 samba]# wbinfo -u
guest
violanted
krbtgt
support_388945a0
simonev
antonior
agnesm
nadirm
valentinav
edc72976-d2cf-4e8c-9
iusr_dc-02
iwam_dc-02
bkup-alert
andreac
rdhl
iusr_dc-01
iwam_dc-01
ipmonitor
aspnet
san
ugov
iusr_dc-03
iwam_dc-03
[root@fedora7 samba]#

When I try to access from the command line or from the physical Fedora server I get:
login as: agnesm
agnesm@82.169.132.216's password:
Access denied
agnesm@82.169.132.216's password

Here is the smb.conf:

PAM has also been configured; I added a line for the home directory.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/07/14 10:57:18
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

        workgroup = TECHNOPC
        password server = dc-02.TECHNOPC.EU
        realm = TECHNOPC.EU
        security = ADS
        #winbind section
        idmap backend = rid:DOMAIN=10000-20000
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        allow trusted domains = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        guest account = nobody
        map to guest = bad user

What's wrong?


0
 
LVL 19

Expert Comment

by:Redimido
I believe you will not be able to log on to the Linux box with the AD accounts.

Have you tried to access a share from a Windows workstation, say the home directory of the user?

It looks to me like you want to use AD to authenticate against Linux to ssh in, but the configuration stated here is for Samba only.
0
 
LVL 20

Expert Comment

by:Daniel McAllister
If the desire is to be able to log into the Linux system with the AD account, then you're going to have to modify PAM -- by default, all of the AD setup HOWTOs are designed to allow AD access via Samba, so the Samba winbind utility is what checks the AD authentication.

But the standard login (and xlogin) programs do not know how to use winbind to authenticate...

I don't have time to do the research, but I have to think that there are PAM modules out there that can do this!

Good Luck!

Dan
IT4SOHO
0
 
LVL 19

Expert Comment

by:Redimido
Oh, it is perfectly possible to log on to Linux using LDAP, and thus also Active Directory.

But the question is: is it what you want? Is it Samba or is it login authentication?
0
 

Author Comment

by:daveviolante


Login authentication from ssh and also from Linux itself, this is what I need to do.
0
 
LVL 19

Expert Comment

by:Redimido
Very well then.

You may then want to follow this for CentOS:
http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2

0
 

Author Comment

by:daveviolante

Hi,

I followed that link and I followed step by step all the instructions.

I am not sure about the ldap.conf file; I made the changes but am not sure if they are fully correct.

In any case, using the AD account I am still not able to log in from ssh or from Linux itself.

I have some users that need to work on Fedora only from ssh, so my goal is to let them log on using the AD account.

So far it has been a mission impossible.
I am not able to find on the internet the proper info and correct steps on how to accomplish this.
0
 
LVL 20

Expert Comment

by:Daniel McAllister
I have found an article that you might find helpful at
  http://www.occam.com/tools/ad_auth.html

You can find more by simply googling for "PAM Active Directory login"

NOTE: The article noted above has 3 parts:
 1) linking AD into Samba (and running winbindd) -- which it appears you already have done
 2) linking AD into PAM (for login and ssh) -- be careful not to redo the parts you've already done (like krb5.conf)
 3) mapping AD users & groups to EXISTING *nix users & groups -- which you may or may not want

Good luck!

Dan
IT4SOHO
0
 

Author Comment

by:daveviolante
I tried to follow all the suggestions provided, but I can tell that in general there is no proper internet guideline that drives you towards the right configuration of AD authentication in Linux and Samba authentication. I can successfully join Samba to the domain in Fedora 7 and can see all users if I run:
# wbinfo -u
# wbinfo -t
# wbinfo -g
but if I run:

[root@fedora7 ~]# wbinfo -a violanted%M@ndelbaum01
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user violanted%M@ndelbaum01 with plaintext password
challenge/response password authentication succeeded
So I am not sure what that means, but I cannot log on to Linux using an AD account, no matter if I try from PuTTY ssh or from Linux itself.

Any other idea?
0
 
LVL 20

Expert Comment

by:Daniel McAllister
Let's see if I can make this more clear...

Samba is the ONLY part of your system that has "joined" the AD. Samba is the only part of your Linux system that knows (or cares to know) about Microsoft, and that is because Samba was specifically designed to do so.

The Linux login program knows no more about AD login names than it does e-mail addresses or websites that you are managing.... unless you somehow TELL it to query using some other authority -- and the WAY that you tell it to use some other mechanism is through PAM (Pluggable Authentication Modules).

The same thing goes for SSH. By default, SSH will only authenticate to "local" user accounts. To tell it to do otherwise is NOT a configuration change in SSH, but rather one in PAM.

If you look in the folder /etc/pam.d, you'll find files for virtually any program that might want to authenticate users on your Linux system. Exceptions would include programs that are specifically designed to have an independent user database -- like HTTP & MySQL. But login is there, as is sshd.

A sample entry for login might be:
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so

Among other things, this says that the ROOT user can only login on a secure TTY. Users can be validated by the system authentication (/etc/passwd), and many other options -- I'm not going to write a whole PAM tutorial here.

Now, the page I sent you to has instructions on how to move a library named pam_winbind.so.1 from the Samba build into the /usr/lib/security folder. The BEST news is that it is probably ALREADY in your libraries... somewhere! (Mine got loaded into /lib64/security, but that's because I'm on Fedora Core 5 x86_64).

So, what you'll want to do is to see if you already have that library lurking around somewhere... try:
  find / -name "pam_winbind.so*"

Again, in my case, it turns out to be /lib64/security/pam_winbind.so

Now, there is ONE thing that is "off" in the instructions... namely, they are using PAM1.0 nomenclature, and if you're using a 2.6 kernel, you're much more likely to be using PAM2.0. (The difference is that PAM1.0 used one monolithic config file, and PAM2.0 uses individual files for each program that uses it.)

So, where the instructions say to make an entry like:
   other         account sufficient         pam_winbind.so

What you will want to do is to add the line below to both the login and sshd files in /etc/pam.d:
   account     sufficient      pam_winbind.so
ALSO, you'll want to add it at the beginning of the account "section" -- so if you were using MY login file from PAM above, it would look like:

auth       required     pam_securetty.so
auth       include      system-auth
account    sufficient    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so

Now, once that is done (and I'm skipping the step where you check the AD join's validity -- you say that's already working), use the "id" command, like so:
  id violanted

If that returns the requested info, then logoff and try to login again.

One final note: an option in SSH is required to use some PAM features, so make sure that your /etc/ssh/sshd_config file includes the line that says:
UsePAM    yes

I hope this helps clear things up a bit... I've just tried these settings in a client environment, and was successful at getting SSH logins for AD users. (I don't typically let users login to my Linux systems because they're servers!)

Good Luck!

Dan
IT4SOHO
0
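A read-only audit of the three things Dan's post tells you to verify (the pam_winbind module is present, it is the first line of the account stack in the PAM service file, and sshd has UsePAM yes). This is an added example, not code from the thread; the function names are mine and it runs against constructed fixture files in a temp directory, so on a real host you would point the same functions at /etc/pam.d/sshd, /etc/ssh/sshd_config and the security module directories instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit the winbind/PAM prerequisites for
# AD logins over ssh. Every path below is a constructed fixture, not a real host.

# pam_winbind_first FILE: succeed only when the FIRST "account" line of a PAM
# service file is "account sufficient pam_winbind.so" (comments are skipped,
# because their first field starts with '#', not "account").
pam_winbind_first() {
  awk '$1 == "account" { ok = ($2 == "sufficient" && $3 ~ /pam_winbind\.so/); exit }
       END { exit ok ? 0 : 1 }' "$1"
}

# sshd_usepam FILE: sshd honours the first occurrence of a keyword, so only the
# first uncommented UsePAM line counts; succeed when its value is "yes".
sshd_usepam() {
  awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1" | grep -qx yes
}

# pam_winbind_lib DIR...: print the first pam_winbind.so* under the given
# directories (the thread's find / -name "pam_winbind.so*", narrowed).
pam_winbind_lib() {
  f=$(find "$@" -name 'pam_winbind.so*' 2>/dev/null | head -n 1)
  [ -n "$f" ] && printf '%s\n' "$f"
}

# --- constructed fixtures ---------------------------------------------------
tmp=$(mktemp -d)
mkdir -p "$tmp/lib64/security" && : > "$tmp/lib64/security/pam_winbind.so"
cat > "$tmp/pam_sshd_good" <<'EOF'
auth       required     pam_securetty.so
auth       include      system-auth
account    sufficient   pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
EOF
cat > "$tmp/pam_sshd_bad" <<'EOF'
# pam_winbind appended AFTER the local checks, the placement Dan's post warns against
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
account    sufficient   pam_winbind.so
EOF
printf 'UsePAM yes\n' > "$tmp/sshd_config_good"
printf '#UsePAM yes\nUsePAM no\n' > "$tmp/sshd_config_bad"

for f in pam_sshd_good pam_sshd_bad; do
  pam_winbind_first "$tmp/$f" && echo "$f: OK" || echo "$f: pam_winbind is not first"
done
pam_winbind_lib "$tmp/lib64/security" "$tmp/lib/security" || echo "pam_winbind.so not found"
```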
 

Author Comment

by:daveviolante
Hi
I honestly tried the exact configuration you proposed, and we followed once again the guide previously sent; we added the lines into PAM to be able to log in from ssh. We made sure that sshd was configured with UsePAM yes, but it still doesn't work.

As I said, I can join the domain and I can see all users and groups, so Samba is definitely joined to the domain, but once we try to log in from PuTTY ssh using a domain account we get access denied, same if we try from the GUI on the physical Fedora server. Now, to enable authentication with AD do we need to enable LDAP?

I mean, every time I configure LDAP as well, the Fedora 7 system hangs. I also notice that the GUI interface is gone and we cannot log in anymore from there, as we get a black window.

From ssh, when we enable LDAP we can log in only with a local account or as root.

It's all strange here; I do not understand the logic behind it.

I am more of a Windows guy, but I have been using Linux for about two years and I can do quite a lot of things with Linux, but accomplishing the current task seems to be mission impossible.

0
 

Author Comment

by:daveviolante
Hello,

We completely messed up all configurations regarding this AD authentication in Fedora 7 using ssh.
All I want is to have the users in AD log in to the Fedora box using their domain account, and possibly have a home directory created on the local server when they log in. That's all!

What's the mandatory configuration to make this happen?

I need full documentation if possible, please; I am still new to Linux, but I need to do this and I also like to learn.

thanks
0
 

Author Comment

by:daveviolante
We installed a fresh copy of Fedora 7

All I want is to have the users in AD log in to the Fedora box using their domain account, and possibly have a home directory created on the local server when they log in.

What's the mandatory configuration to make this happen?
I am confused between LDAP, PAM, and winbind.

Which one of those we need to configure?

All of them or.....

Thanks
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 500 total points
I have found an article that you might find helpful at
  http://www.occam.com/tools/ad_auth.html

It takes you STEP BY STEP through configuring so your Linux can share files on the AD (you have to have samba to do ANYTHING with AD), and then how to let AD users login to Linux...

Dan
IT4SOHO
0
 

Author Closing Comment

by:daveviolante
We finally made it. I followed all your excellent links; it has been hard for me as a new sysadmin in Unix, but I learned a lot from you.

Also, thanks for being patient and for continuing to help me get our issue solved.
0
