Solved

How to join Linux Mint 14 into AD Domain

Posted on 2013-01-25
1,438 Views
Last Modified: 2013-01-30
Hello,

I would like to know how to join a Linux Mint 14 into a Windows Server 2k8 AD Domain.

I have added the respective DC into the /etc/resolv.conf file.

Thanks for your help,
Question by:namerg
31 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 38819399
Have not used mint, so do not have concrete examples.  You could approach it from configuring windows 2008 as LDAPS system while your mint is defined as a client.
This will be using the ldapclient method.

Another, if available, is to use Samba with winbind.

/etc/nsswitch.conf is where you would define the passwd: shadow to reference ldap or winbind.  Another option is to add Unix tools to Windows 2008 and have it serve as a NIS master to your system.
0
 

Author Comment

by:namerg
ID: 38819494
Hmm, Mint has the same kernel as Ubuntu.

What is LDAPS ?

What is the common way or normal way to have a Linux client joined into AD?
Thanks.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38819732
Samba with winbind.
Windows 2008 has some additional security that at times hinders such integration.

LDAPS is a secure, encrypted LDAP connection, unlike plain LDAP.
0
 

Author Comment

by:namerg
ID: 38819825
Ok, Thanks.
So how do I configure Samba with winbind?
0
 
LVL 76

Expert Comment

by:arnold
ID: 38819890
I do not have Mint to test with.  Since you indicate it is Ubuntu/Debian based:
https://help.ubuntu.com/10.04/serverguide/samba-ad-integration.html
0
 

Author Comment

by:namerg
ID: 38829850
I switched to CentOS; the new Ubuntu versions are not user friendly.

I am using CentOS 6.4.
I am getting this error while doing kinit admin@EXAMPLE.COM
kinit: Clock skew too great while getting initial credentials

I did set up ntp, but it might be wrong... I do not know.

Thanks,
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38829942
You need to use system-config-authentication after you create a computer account on the AD for this system.
You then need to make sure smb.conf and krb5.conf are properly set up.
You would then run net ads join on the CentOS box.

http://www.uncompiled.com/using-winbind-in-centos-6-for-active-director
0
 

Author Comment

by:namerg
ID: 38832340
Arnold, it looks like the computer is part of the domain. I ran commands like getent passwd and getent group and I was able to get the list of the AD users and groups.

But, through the CentOS login, how do I log in using a Windows AD account?

Thanks for your help,
0
 
LVL 76

Expert Comment

by:arnold
ID: 38833270
wbinfo -u
wbinfo -g

It depends on your smb.conf setting.  Did you add oddjob into /etc/pam.d/system-auth and /etc/pam.d/system-auth-ac?  This deals with whether the home directory will be auto-created on the first successful login.  Does your smb.conf include the ID map, or did you add the UNIX tools to the AD such that the UID/GID and home dir can be configured within the AD schema for the user account?
Make sure you have /home/domain or /home/domain.local, which is where domain user accounts will be created. To log in as a domain user, you would use domain\username.

/etc/samba/smb.conf deals with the login process.
0
 

Author Comment

by:namerg
ID: 38833330
:( Don't get anything  :(
#system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel
session     required      pam_unix.so


#system-auth-ac
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel
session     required      pam_unix.so


#smb.conf
[global]
#--authconfig--start-line--

# Generated by authconfig on 2013/01/29 10:15:20
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = COMPANY
password server = companydc02.company.local
realm = COMPANY.LOCAL
security = ads
idmap uid = 10000-500000
idmap gid = 10000-500000
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false

log file = /var/log/samba/log.%m
max log size = 50
netbios name = ROSEROGLNX
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
#============================ Share Definitions ==============================

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        valid users = %D+%S


I do have /home/COMPANY.
No, I did not add Unix tools in AD.
ID Map? Through all the sites I have researched, I did not read anything related to ID Map.
Thanks for your help.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38833539
In your setup the login separator is +
Domain+username

Within system-auth you need to add the oddjob entry that deals with auto-creating the user home dir if it is missing upon initial login.

Ref http://www.linuxmail.info/active-directory-integration-samba-centos-5/ for oddjob reference in system-auth.
0
 

Author Comment

by:namerg
ID: 38833638
Arnold,
I did add the oddjob line into the system-auth file.

I do see the Linux machine in AD. I removed the computer account and executed the following command, but I get the following error and the computer is added into the AD domain.

[root@roseroglnx ~]# net ads join -U admin
Enter admin's password:
Using short domain name -- COMPANY
Joined 'ROSEROGLNX' to realm 'company.local'
[2013/01/29 17:46:27.655991,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password ROSEROGLNX$@COMPANY.LOCAL failed: Client not found in Kerberos database

And in the login window, I typed company\test and the respective password and it says authentication failure.

But through the command line via wbinfo -a test%"password" it authenticates fine.

Thanks for your help,
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38833646
Your separator is a plus sign (+)
You should try domain+username for the username rather than the \ I used in an earlier comment.
0
 

Author Comment

by:namerg
ID: 38833661
In the log.wb-COMPANY log file I get the following messages:
[2013/01/29 18:09:16.130702,  1] winbindd/winbindd_ads.c:126(ads_cached_connection)
  ads_connect for domain COMPANY failed: Operations error
0
 
LVL 76

Expert Comment

by:arnold
ID: 38833675
Look at /var/log/audit/audit.log as well as /var/log/messages to make sure it isn't SELinux that is blocking the access.
At the top of smb.conf there are references to SELinux.
What do wbinfo -u and -g show?
0
 

Author Comment

by:namerg
ID: 38833694
On the audit.log I see the following:

type=USER_LOGIN msg=audit(1359511300.808:44): user pid=2658 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t
:s0-s0:c0.c1023 msg='acct=company\test exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=/dev/tty7 res=failed'

Here is the thing: if I log in as root and execute wbinfo -u and -g I don't get anything, but after I restart the smb, winbind and oddjobd services I see the list of users and groups via wbinfo -u and -g.

Thanks for your help,
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38833750
Try using company+test and see what error if any you get in /var/log/secure as well as others referenced.
0
 

Author Comment

by:namerg
ID: 38833763
Instead of company\test?
0
 
LVL 76

Expert Comment

by:arnold
ID: 38833775
Yes.  Look at line 15 of your post of the smb.conf for winbind separator.
0
 

Author Comment

by:namerg
ID: 38833784
Ohh ok. I am in MST.  Let's continue tomorrow. Thanks for your help.
0
 

Author Comment

by:namerg
ID: 38835565
Arnold, PERFECT.
I was able to log in as company+test.
But,
1. How do I allow the use of '\' instead of '+'?
2. The test home folder was not created inside /home/COMPANY; it got created under /home/test.
3. When I go to Network / Windows Network I get an error "Unable to mount location, Failed to retrieve share list from server."

Thanks for your help,
0
 
LVL 76

Expert Comment

by:arnold
ID: 38835728
Your smb.conf directs the creation of the home dir as /home/%U.
Line 16 of smb.conf above.

Note first that \ has a special meaning within Unix/Linux, which is that it is treated as an escape ...

Line 15 of your post needs to be changed to use the \ as a separator.  Note that company\user might have the \u treated as a special single character versus as a set of two characters.
0
 

Author Comment

by:namerg
ID: 38835751
Ok, understood about the '\'.

So, on line 16 what do I need to do...? I am sorry, I am not Linux savvy.
0
 
LVL 76

Accepted Solution

by:arnold
arnold earned 500 total points
ID: 38835807
Line 16: replace /home/%U with /home/company/%U.
%U is the username.
You would need to restart the smb service:
service smb restart
0
 
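The two points the thread turned on (the login name must use the configured winbind separator, and the home directory comes from template homedir) can be checked from the smb.conf and the audit.log line without logging in. This is an added example, not code from the thread; the smb.conf and audit record it embeds are constructed copies of what was posted above.

```python
import re

# Constructed: the relevant [global] lines from the smb.conf posted above.
SMB_CONF = """\
[global]
workgroup = COMPANY
realm = COMPANY.LOCAL
security = ads
winbind separator = +
template homedir = /home/%U
winbind use default domain = true
"""

# Constructed: a USER_LOGIN record modelled on the one quoted from audit.log.
AUDIT_LINES = [
    "type=USER_LOGIN msg=audit(1359511300.808:44): user pid=2658 uid=0 "
    "msg='acct=company\\test exe=\"/usr/libexec/gdm-session-worker\" "
    "terminal=/dev/tty7 res=failed'",
]

def parse_global(conf):
    """Return the [global] parameters of an smb.conf as a dict (keys lower-cased)."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def expected_home(params, user):
    """Home dir winbind will report: 'template homedir' with %U = username."""
    return params.get("template homedir", "/home/%U").replace("%U", user)

def login_failures(lines):
    """(acct, res) pairs from USER_LOGIN audit records whose result is 'failed'."""
    pat = re.compile(r"type=USER_LOGIN .*?acct=(\S+) .*?res=(\w+)")
    hits = [pat.search(ln) for ln in lines]
    return [(m.group(1), m.group(2)) for m in hits if m and m.group(2) == "failed"]

def diagnose(params, lines):
    """For each failed 'DOMAIN\\user' login, suggest the configured separator form."""
    sep = params.get("winbind separator", "\\")  # Samba's default is backslash
    out = []
    for acct, _ in login_failures(lines):
        if "\\" in acct and sep != "\\":
            dom, user = acct.split("\\", 1)
            out.append(f"{acct}: try {dom}{sep}{user} (winbind separator is '{sep}')")
    return out
```
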

Author Comment

by:namerg
ID: 38835893
Got it. Perfect.
I could not use the \; I have to use the +.

Do you have any other way to prove that the Linux machine is logged into the AD domain and I am authenticating with a Windows AD account?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 38835906
You can look at /var/log/secure and /var/log/messages.
If an account (username) is not in /etc/passwd or in AD (when integrated), access will not be granted.

Not sure what you are asking about specifically.
0
 

Author Comment

by:namerg
ID: 38835924
Yes, you are right.

The purpose of this project is that I have to raise the Domain Functionality of my AD domain.
So, given that I integrated a Linux machine into the Windows AD, it uses Kerberos authentication, correct?
If so, it is a good way to test the Linux authentication once the Windows AD functionality has been raised.

Do my statements make some sense?
0
 
LVL 76

Expert Comment

by:arnold
ID: 38836644
The AD functionality will have no issues, as it deals with increasing options for Windows-based systems/data/schema.
What are you raising the functional level from and to? From win2k8 mixed (i.e. you have win2k3 and win2k8) and you are raising it to win2k8 native?
0
 

Author Comment

by:namerg
ID: 38836923
Right now we are on Domain Functional Level: Windows Server 2003 and Forest Functional Level: Windows Server 2003, and we have Windows Server 2008 R2 Standard as Domain Controllers.

And the goal is to upgrade to the 2008 Forest Functional Level.

The thing is, we have some Cisco equipment whose users, to manage that equipment, are authenticated against AD via Kerberos using TACACS.net software.

I just want to feel confident nothing is going to break.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38837732
It depends on whether you might consider switching your Cisco equipment to use RADIUS; that might simplify future transitions, given RADIUS is a separate standard and will be served up using NPS. There are many examples that Cisco has to interface using RADIUS.
I do not believe changing the functional level will interfere with your current access to the AD.
0
 

Author Comment

by:namerg
ID: 38837795
I guess I am set; thanks for all your help.
0