
Trying to join my newly set up Samba domain, I get the following error:

DNS Update for files.home.palmen-it.de failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

Probably relevant info: The AD DC uses Samba 4.7.3 (this was the only way to get it running). Both this DC and the...
Index: Makefile
===================================================================
--- Makefile    (revision 470059)
+++ Makefile    (working copy)
@@ -84,7 +84,7 @@
 OPTIONS_SUB=                   yes
 
 OPTIONS_DEFINE=                        AD_DC ADS DEBUG DOCS FAM LDAP 
-                               QUOTAS SYSLOG UTMP PROFILE
+                               QUOTAS SYSLOG UTMP PROFILE GSSAPI_MIT
 # Make those default options
 OPTIONS_DEFAULT:=              ${OPTIONS_DEFINE}
 # This shouldn't be default in the release
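Review bot: because `OPTIONS_DEFAULT:= ${OPTIONS_DEFINE}` two lines below copies the whole list, appending GSSAPI_MIT to OPTIONS_DEFINE turns the option on for every default build, so the port silently switches from the bundled Heimdal to the system MIT Kerberos for users who never selected it. If opt-in is the intent, exclude it explicitly (`OPTIONS_DEFAULT:= ${OPTIONS_DEFINE:NGSSAPI_MIT}`); either way the option needs a GSSAPI_MIT_DESC so the config dialog says what it changes.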
@@ -334,6 +334,11 @@
 MANDOC_BUILD_DEPENDS=          ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:textproc/docbook-xsl 
                                xsltproc:textproc/libxslt
 MANDOC_CONFIGURE_ENV_OFF=      XSLTPROC="true"
+
+GSSAPI_MIT_CONFIGURE_ON=       --with-system-mitkrb5 
+                               --with-system-mitkdc=/usr/local/sbin/krb5kdc
+GSSAPI_MIT_USES=               gssapi:mit
+
 # !SAMBA4_SUBPORT
 .endif
 
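Review bot: `--with-system-mitkdc=/usr/local/sbin/krb5kdc` hardcodes the prefix; write it as `${LOCALBASE}/sbin/krb5kdc`, the way the `${LOCALBASE}/share/xsl/...` dependency a few lines above does. There is also no GSSAPI_MIT_CONFIGURE_OFF, so the Heimdal build relies on configure's default rather than an explicit flag, which deserves a one-line comment. Since `--with-system-mitkdc` only matters when the KDC is built, check against the Samba release this port ships that these two flags are the complete set for an AD DC on MIT Kerberos rather than assuming `--with-system-mitkrb5` alone is enough.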
@@ -578,6 +583,10 @@
                                ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR}
 .endfor
 
+post-install-GSSAPI_MIT-on:
+                               ${INSTALL} -d -m 0755 "${STAGEDIR}${SAMBA4_MODULEDIR}/krb5/plugins/kdb"
+                               ${MV} "${STAGEDIR}${SAMBA4_LIBDIR}/krb5/plugins/kdb/samba.so" "${STAGEDIR}${SAMBA4_MODULEDIR}/krb5/plugins/kdb/"
+
 # !SAMBA4_SUBPORT
 .endif
 
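Review bot: `post-install-GSSAPI_MIT-on` runs for every GSSAPI_MIT build, but the `samba.so` kdb plugin it moves belongs to the KDC and its pkg-plist line is guarded `%%GSSAPI_MIT%%%%AD_DC%%`; with GSSAPI_MIT on and AD_DC off the `${MV}` hits a missing file and the install fails. Make the target conditional on AD_DC as well (an `if test -f` around the move, or a `.if ${PORT_OPTIONS:MGSSAPI_MIT}` block inside `post-install-AD_DC-on`), and consider `${INSTALL_LIB}` instead of `${MV}` so the plugin gets normalized permissions rather than whatever the build left on it.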
Index: pkg-plist
===================================================================
--- pkg-plist   (revision 470059)
+++ pkg-plist   (working copy)
@@ -187,13 +187,13 @@                                                          
 %%AD_DC%%lib/samba4/private/libprocess-model-samba4.so                        
 %%AD_DC%%lib/samba4/private/libservice-samba4.so                              
 lib/samba4/private/libCHARSET3-samba4.so                                      
-%%AD_DC%%lib/samba4/private/libHDB-SAMBA4-samba4.so                           
+%%NO_GSSAPI_MIT%%%%AD_DC%%lib/samba4/private/libHDB-SAMBA4-samba4.so          
 lib/samba4/private/libLIBWBCLIENT-OLD-samba4.so                               
 lib/samba4/private/libMESSAGING-samba4.so                                     
 lib/samba4/private/libMESSAGING-SEND-samba4.so                                
 lib/samba4/private/libaddns-samba4.so                                         
 lib/samba4/private/libads-samba4.so                                           
-lib/samba4/private/libasn1-samba4.so.8                                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libasn1-samba4.so.8                       
 lib/samba4/private/libasn1util-samba4.so                                      
 lib/samba4/private/libauth-samba4.so                                          
 lib/samba4/private/libauth-unix-token-samba4.so                               
@@ -208,7 +208,7 @@                                                            
 lib/samba4/private/libcliauth-samba4.so                                       
 lib/samba4/private/libcluster-samba4.so                                       
 lib/samba4/private/libcmdline-credentials-samba4.so                           
-lib/samba4/private/libcom_err-samba4.so.0                                     
+%%NO_GSSAPI_MIT%%lib/samba4/private/libcom_err-samba4.so.0                    
 lib/samba4/private/libcommon-auth-samba4.so                                   
 %%AD_DC%%lib/samba4/private/libdb-glue-samba4.so                              
 lib/samba4/private/libdbwrap-samba4.so                                        
@@ -224,18 +224,18 @@                                                          
 lib/samba4/private/libgensec-samba4.so                                        
 lib/samba4/private/libgpext-samba4.so                                         
 lib/samba4/private/libgse-samba4.so                                           
-lib/samba4/private/libgssapi-samba4.so.2                                      
-lib/samba4/private/libhcrypto-samba4.so.5                                     
-lib/samba4/private/libhdb-samba4.so.11                                        
-lib/samba4/private/libheimbase-samba4.so.1                                    
-lib/samba4/private/libheimntlm-samba4.so.1                                    
+%%NO_GSSAPI_MIT%%lib/samba4/private/libgssapi-samba4.so.2                     
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhcrypto-samba4.so.5                    
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhdb-samba4.so.11                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libheimbase-samba4.so.1                   
+%%NO_GSSAPI_MIT%%lib/samba4/private/libheimntlm-samba4.so.1                   
 lib/samba4/private/libhttp-samba4.so                                          
-lib/samba4/private/libhx509-samba4.so.5                                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhx509-samba4.so.5                      
 lib/samba4/private/libidmap-samba4.so                                         
 lib/samba4/private/libinterfaces-samba4.so                                    
 lib/samba4/private/libiov-buf-samba4.so                                       
-lib/samba4/private/libkdc-samba4.so.2                                         
-lib/samba4/private/libkrb5-samba4.so.26                                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libkdc-samba4.so.2                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libkrb5-samba4.so.26                      
 lib/samba4/private/libkrb5samba-samba4.so                                     
 lib/samba4/private/libldbsamba-samba4.so                                      
 lib/samba4/private/liblibcli-lsa3-samba4.so                                   
@@ -257,7 +257,7 @@                                                            
 lib/samba4/private/libprinting-migrate-samba4.so                              
 lib/samba4/private/libregistry-samba4.so                                      
 lib/samba4/private/libreplace-samba4.so                                       
-lib/samba4/private/libroken-samba4.so.19                                      
+%%NO_GSSAPI_MIT%%lib/samba4/private/libroken-samba4.so.19                     
 lib/samba4/private/libsamba-cluster-support-samba4.so                         
 lib/samba4/private/libsamba-debug-samba4.so                                   
 lib/samba4/private/libsamba-modules-samba4.so                                 
@@ -290,7 +290,7 @@                                                            
 lib/samba4/private/libutil-setid-samba4.so                                    
 lib/samba4/private/libutil-tdb-samba4.so                                      
 lib/samba4/private/libwinbind-client-samba4.so                                
-lib/samba4/private/libwind-samba4.so.0                                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libwind-samba4.so.0                       
 lib/samba4/private/libxattr-tdb-samba4.so                                     
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_10.so                             
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_11.so                             
@@ -297,6 +297,7 @@                                                            
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_9.so                              
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9.so                                
 %%AD_DC%%lib/shared-modules/gensec/krb5.so                                    
+%%GSSAPI_MIT%%%%AD_DC%%lib/shared-modules/krb5/plugins/kdb/samba.so           
 %%AD_DC%%lib/shared-modules/ldb/acl.so                                        
 %%AD_DC%%lib/shared-modules/ldb/aclread.so                                    
 %%AD_DC%%lib/shared-modules/ldb/anr.so
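Review bot: this entry and the `post-install-GSSAPI_MIT-on` target agree only if `SAMBA4_MODULEDIR` expands to `lib/shared-modules`; confirm that against the variable's definition. The plist now guards the Heimdal libraries with `%%NO_GSSAPI_MIT%%` but leaves `libkrb5samba-samba4.so`, `libdb-glue-samba4.so` and `lib/shared-modules/gensec/krb5.so` unconditional; verify that the MIT build still produces all three, otherwise `make check-plist` will report them.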

File Server Problems

Even when setting up a file server, you will run into pitfalls that keep the server from starting, or at least from providing its services. Here I look at what can go wrong when setting up a file server. I will not go into the installation of the packages; this explanation only covers the service configuration. The distribution you use for the file server does not matter.

To begin, always complete the basic configuration of the file server first: configure only the [global] section and perform the domain join, and configure the shares only after that has worked. Once smb.conf is prepared, start the first attempt to join the server to the domain. You will see the message in Listing 5.

Listing 5

Join Error

root@fs-01:~# net ads join -U administrator
Enter administrator's password:
Failed to join domain: failed to lookup DC info for domain 'EXAMPLE' over rpc: {Operation Failed} The requested operation was unsuccessful.

Checking the Name Server

The error message in Listing 5 indicates that the DC could not be found. First, test whether you can resolve the DC's name and whether you can ping the DC. In this case, the name cannot be resolved: a look at /etc/resolv.conf shows that no DC is registered as a name server. Make sure at least one DC is configured as a name server.

It is better to enter two DCs as name servers; then the second DC can take over if the first fails or has to be taken off the network for a short time. File servers in particular should always have at least two name servers configured, so they keep working when one name server fails.

If you have already entered the IP address of at least one DC as the name server but receive the error message from Listing 6 when you try to join, check whether /etc/hosts contains the correct hostname with the correct IP address; the FQDN is correct if hostname -f returns the expected value. After modifying the entry in /etc/hosts, try to join the file server to the domain again. If you now get the error message from Listing 7, the cause is not on the file server; rather, the DNS server has problems with dynamic updates.

Listing 6

Wrong Hostname

root@fs-01:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'FS-01' to dns domain 'example.net'
No DNS domain configured for fs-01. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Listing 7

Problem on the DNS Server

root@fs-01:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'FS-01' to dns domain 'example.net'
DNS Update for fs-01.example.net failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

To see whether dynamic updates are working, test the DCs:

samba_dnsupdate --verbose --all-names

The command prints every entry it tries to update on the DNS server. Listing 8 shows an excerpt from the output; the error message at the end is what matters: the dynamic update of the DNS entries is failing. To correct this error, proceed as described in Listing 9.

Listing 8

List of Name Servers

root@addc-01:~# samba_dnsupdate --verbose --all-names
IPs: ['192.168.56.66']
force update: A addc-01.example.net 192.168.56.66
force update: NS example.net addc-01.example.net
force update: NS _msdcs.example.net addc-01.example.net
force update: A example.net 192.168.56.66
...
update failed: NOTAUTH
Failed nsupdate: 2
Failed update of 29 entries

Listing 9

Fixing DNS Errors

root@addc-01:~# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/EXAMPLE.NET.zone
DNS records will be automatically created
DNS partitions already exist
dns-addc-01 account already exists
...
root@addc-01:~# systemctl restart bind9

The command

samba_dnsupdate --verbose --all-names

should now run without errors. Check the updating on all of your DCs and fix the error on the other DCs, if necessary. If the test command still returns an update failed: NOTAUTH error, something is wrong with the Kerberos (GSS-TSIG) authentication of BIND9 against Active Directory. Check whether you have entered the following line correctly in the /etc/bind/named.conf.options file:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

If the entry exists, the BIND9 user might still not be able to read the keytab file, often because /var/lib/samba/private itself is not traversable by that user. Check the permissions and set them so that the bind user can read the keytab and enter every directory on its path. Because the keytab holds the DNS account's Kerberos key, keep it readable only by root and the bind user or group, never world-readable; a world-readable dns.keytab lets any local user forge secure DNS updates for the zone.
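As an added example (not part of the article), the following Python script automates exactly these two checks: it pulls the keytab path out of named.conf.options and then reports everything that would stop a bind user with a given uid/gid from using it, including the parent directories, which is where /var/lib/samba/private usually fails. The files it inspects are constructed in a temporary directory; the bind uid/gid are passed in, so the demo uses the current user (readable) and a neighbouring uid (not readable) as its two cases.

```python
import os
import re
import stat
import tempfile

# The directive the article tells you to verify in named.conf.options.
TKEY_RE = re.compile(r'^\s*tkey-gssapi-keytab\s+"([^"]+)"\s*;', re.MULTILINE)


def find_keytab_directive(named_conf_text):
    """Return the keytab path named by tkey-gssapi-keytab, or None if the line is missing."""
    m = TKEY_RE.search(named_conf_text)
    return m.group(1) if m else None


def _user_can(st, uid, gid, user_bit, group_bit, other_bit):
    """Classic Unix permission check for a non-root uid/gid against a stat result."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & user_bit)
    if st.st_gid == gid:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def keytab_problems(keytab, bind_uid, bind_gid, stop_dir="/"):
    """List what would stop the bind user (bind_uid/bind_gid) from using the keytab.

    Checks that the file exists, that every directory from stop_dir down to it is
    traversable, that the file is readable, and that it is not world-accessible
    (it holds the DNS account's Kerberos key)."""
    problems = []
    if not os.path.isfile(keytab):
        return [f"{keytab} does not exist"]
    # Every ancestor between stop_dir and the keytab needs the execute bit.
    d = os.path.dirname(os.path.abspath(keytab))
    stop = os.path.abspath(stop_dir)
    while True:
        if not _user_can(os.stat(d), bind_uid, bind_gid,
                         stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"{d} is not traversable by uid {bind_uid}")
        if d == stop or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    st = os.stat(keytab)
    if not _user_can(st, bind_uid, bind_gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{keytab} is not readable by uid {bind_uid}")
    if stat.S_IMODE(st.st_mode) & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{keytab} is world-accessible; use 0640 root:<bind group>")
    return problems


def demo():
    """Constructed scenario (hypothetical paths, not a real installation): a
    named.conf.options pointing at a keytab inside a 0700 'private' directory,
    checked once for the file's owner and once for a foreign uid/gid."""
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    os.mkdir(private, 0o700)
    keytab = os.path.join(private, "dns.keytab")
    with open(keytab, "wb") as f:
        f.write(b"\x05\x02")  # keytab magic only; constructed, not a real keytab
    os.chmod(keytab, 0o600)
    conf = f'options {{\n    tkey-gssapi-keytab "{keytab}";\n}};\n'
    path = find_keytab_directive(conf)
    me, mygrp = os.getuid(), os.getgid()
    return {
        "directive": path,
        "as_owner": keytab_problems(path, me, mygrp, stop_dir=root),
        "as_bind": keytab_problems(path, me + 1, mygrp + 1, stop_dir=root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real DC you would call keytab_problems("/var/lib/samba/private/dns.keytab", bind_uid, bind_gid) with the uid and gid of the user named runs as; the "as_bind" case of the demo shows the typical result on an untouched installation: the directory is closed to that user before the file's own mode is even considered.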

Now you can start the join on the file server again; only continue your tests once the output of the command looks like Listing 10.

Listing 10

Successful Join

root@fs-01:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- EXAMPLE
Joined 'FS-01' to dns domain 'example.net'
root@fs-01:~# net ads testjoin
Join is OK

User Mapping Problems

After modifying the /etc/nsswitch.conf file to use winbind, you might notice that although the user is displayed with

wbinfo -i <AD-User>

the mapping to the unique identifier (UID) does not seem to work (Listing 11).

Listing 11

Wrong User Mapping

root@fs-01:~# wbinfo -n test-u1
S-1-5-21-831035265-3946242641-4171447920-1408 SID_USER (1)
root@fs-01:~# wbinfo -i test-u1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test-u1
root@fs-01:~# getent passwd test-u1
_

Unfortunately, this error message is misleading. The domain is there: resolving the user's SID with wbinfo -n test-u1 works, and wbinfo -p (which pings winbindd) also succeeds. The Winbind service is running and the domain is reachable, so the problem can only be the ID mapping settings in smb.conf. The ID mapping settings in the file are:

idmap config * : range = 10000 - 19999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000 - 1999

You can see here that the range for the EXAMPLE domain is too small. With the rid backend, the UID is calculated from the user's relative identifier (RID): for the test-u1 user the RID is 1408, and adding the lower bound of the range (1000) gives 2408, which lies outside a range that ends at 1999.

Therefore, the user cannot be mapped. When you specify the range, be sure to select one that is large enough. Especially if you have migrated from Samba 3 with OpenLDAP, RIDs can be greater than 100,000. After adjusting the range, stop the Winbind service, run net cache flush, and restart the service.

Another error that can occur when configuring ID mapping is that the second value of the range is smaller than the first. Then the user may still be displayed by:

wbinfo -i <AD-User>

However, the UID does not correspond to the user's RID. Therefore, always check whether a user's UID matches the RID.
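The following Python script is an added example, not part of the article: it reads the idmap config lines from an smb.conf excerpt, replays the idmap_rid calculation (ID = RID - BASE_RID + LOW_RANGE_ID, per idmap_rid(8)) for a RID taken from the SID that wbinfo -n prints, and reports the two misconfigurations described above, a range that is too small and an inverted range. The three smb.conf excerpts are constructed around the lines shown in the text; the corrected range is a hypothetical value.

```python
import re

# Constructed smb.conf excerpts (hypothetical hosts): the three lines from the text,
# then a corrected range and an inverted one.
SMB_CONF_TOO_SMALL = """
[global]
   idmap config * : range = 10000 - 19999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 1000 - 1999
"""
SMB_CONF_FIXED = SMB_CONF_TOO_SMALL.replace("1000 - 1999", "1000 - 199999")
SMB_CONF_INVERTED = SMB_CONF_TOO_SMALL.replace("1000 - 1999", "1999 - 1000")

# The SID wbinfo -n printed for test-u1 in Listing 11.
TEST_U1_SID = "S-1-5-21-831035265-3946242641-4171447920-1408"

# One 'idmap config DOMAIN : key = value' line.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)


def parse_idmap_config(smb_conf):
    """Collect the idmap config lines into {DOMAIN: {key: value}}."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text):
    """'1000 - 1999' -> (1000, 1999)."""
    low, high = (int(part) for part in text.split("-"))
    return low, high


def rid_from_sid(sid):
    """The RID is the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def check_rid_mapping(smb_conf, domain, rid):
    """Replay the idmap_rid calculation for one RID and report whether it fits.

    idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID; the result must lie inside
    the domain's range, otherwise winbind cannot map the account."""
    dom = parse_idmap_config(smb_conf).get(domain.upper())
    if dom is None or dom.get("backend", "").lower() != "rid":
        return {"ok": False, "reason": f"no 'idmap config {domain} : backend = rid'"}
    if "range" not in dom:
        return {"ok": False, "reason": f"no range configured for {domain}"}
    low, high = parse_range(dom["range"])
    if high <= low:
        return {"ok": False, "reason": f"range {low} - {high} is inverted; "
                                        "the second value must be larger"}
    unix_id = rid - int(dom.get("base_rid", 0)) + low
    if not low <= unix_id <= high:
        return {"ok": False, "uid": unix_id,
                "reason": f"RID {rid} maps to {unix_id}, outside {low} - {high}; "
                          f"the upper bound must be at least {unix_id}"}
    return {"ok": True, "uid": unix_id}


if __name__ == "__main__":
    rid = rid_from_sid(TEST_U1_SID)
    for label, conf in (("too small", SMB_CONF_TOO_SMALL), ("fixed", SMB_CONF_FIXED),
                        ("inverted", SMB_CONF_INVERTED)):
        print(label, check_rid_mapping(conf, "EXAMPLE", rid))
```

Feed it the real smb.conf and the SID from wbinfo -n before touching the range: the reported "uid" tells you the lowest upper bound that will work for that account, and the largest RID in the domain (not just this one user) is what the range must actually cover.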


Steps to join/add CentOS 8 to Windows Domain Controller (RHEL 8)

The winbind service is part of the Samba suite. It enables a Linux server to become a full member in Windows domains and to use Windows users and group accounts in Linux.



1. An overview of the lab environment

For the demonstrations in this article we use virtual machines running in Oracle VirtualBox on my Linux server.

We have a Windows Server 2012 R2 Active Directory Domain Controller with the IP address 192.168.0.107, a CentOS 8 host with the IP address 192.168.0.117, and a RHEL 8 host with the IP address 192.168.0.106. This article covers only the client side of adding CentOS 8 to the Windows Domain Controller, so it requires a pre-configured Windows Active Directory.

I have only used snippets from my CentOS 8 Server but I have verified the steps on both RHEL 8 and CentOS 8.

2. Preparing the Linux Client to join Windows Active Directory

To add CentOS 8 to Windows Domain Controller, we need to change the DNS settings so that the Active Directory domain DNS server is queried first:

[root@centos-8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search golinuxcloud.com
nameserver 192.168.0.107

Here 192.168.0.107 is the IP Address of my Windows Active Directory which is also configured as DNS Server.


To make sure the server can resolve the domain name, whether through the DNS server or through /etc/hosts, use getent:

[root@centos-8 ~]# getent hosts golinuxcloud.com
192.168.0.107   golinuxcloud.com

3. Install Winbind Package(s)

To add CentOS 8 to the Windows Domain Controller, install the required Samba packages on the client host:

[root@centos-8 ~]# dnf install samba samba-client  samba-winbind samba-winbind-clients oddjob oddjob-mkhomedir

4. Configure Winbind with smb.conf

Configure /etc/samba/smb.conf by replacing the existing content under [global] section with the following content to add Linux to windows active directory. Modify the realm and workgroup value as per your environment.

You can also use Red Hat's AD Integration Helper to generate configuration values for your organization's Active Directory.

[global]
        workgroup = GOLINUXCLOUD
        realm = GOLINUXCLOUD.COM
        security = ads
        idmap config * : backend = autorid
        idmap config * : range = 100000-19999999
        idmap config * : rangesize = 1000000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = false
        winbind offline logon = true
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 0

security = ads makes the host a member server in an Active Directory domain, authenticating against the DCs with Kerberos.


The idmap config * parameters map Windows users and groups (SIDs) to Unix UIDs and GIDs. The autorid backend hands each domain its own block of IDs automatically; with a single domain every member server that uses the same range and rangesize therefore computes the same IDs, while with several domains the blocks are assigned in the order the domains are first seen, so that order must be the same on every host if IDs are to match.

Usually system users and groups get IDs from 0 to 999, and local users and groups get IDs starting from 1000, so domain IDs should start well above that. The configuration above reserves 100000 to 19999999 for them and carves that space into blocks of 1000000 IDs (rangesize). Domain users and groups must also be kept apart from the built-in accounts of a member server, such as the local Administrators and Users groups; with autorid each of these, the domain and the BUILTIN accounts, draws its IDs from a distinct block, so they cannot overlap with each other or with local accounts.

Run the following command to verify that you can resolve the standard SRV records:

[root@centos8 ~]# host -t SRV _kerberos._udp.golinuxcloud.com.
_kerberos._udp.golinuxcloud.com has SRV record 0 100 88 win-71humtros3m.golinuxcloud.com.


[root@centos8 ~]# host -t SRV _ldap._tcp.golinuxcloud.com.
_ldap._tcp.golinuxcloud.com has SRV record 0 100 389 win-71humtros3m.golinuxcloud.com.

Stop the winbind service if it is in running state:

[root@centos8 ~]# systemctl stop winbind

5. Join/Add CentOS 8 to Windows Domain Controller

We join the Linux client with Windows Active Directory by executing net ads join -U Administrator on the client host:

[Screenshot: output of net ads join -U Administrator on the CentOS 8 client]

It is possible that you may get the following ERROR while joining Linux client to Windows AD using Samba Winbind.

Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'
DNS Update for centos-8.golinuxcloud.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

5.1 How to fix “DNS Update for DOMAIN failed. ERROR_DNS_UPDATE_FAILED”?

You can either skip the DNS update during the join (the host's A record then has to be created on the DNS server by other means) with

# net ads join -U Administrator --no-dns-updates  golinuxcloud.com

Or to fix ERROR_DNS_UPDATE_FAILED error observed above, perform the following steps


Add an entry for the host itself to /etc/hosts, FQDN first and short name second, using the host's real address rather than 127.0.0.1, so that hostname -f returns the FQDN Samba registers:

192.168.0.117   centos-8.golinuxcloud.com   centos-8

Make sure that the IP address of the DNS server is in /etc/resolv.conf. The IP address should be the DNS server you want to update the new DNS ‘A’ record.

# cat /etc/resolv.conf
search golinuxcloud.com
nameserver 192.168.0.107

On your Windows Domain Controller, open DNS Manager, select the zone under Forward Lookup Zones, right-click it and open Properties, then set Dynamic updates to «Secure only». «Nonsecure and secure» also makes the join's update succeed, but it lets any host on the network overwrite records in the zone without authenticating, so keep «Secure only» (available for Active Directory-integrated zones) and fix the Kerberos side if secure updates fail.

[Screenshot: DNS Manager, zone Properties, Dynamic updates setting]

Next, restart the DNS service to activate the change and retry the join:

[root@centos-8 ~]# net ads join -U Administrator golinuxcloud.com
Enter Administrator's password:
Using short domain name -- GOLINUXCLOUD
Joined 'centos-8' to dns domain 'GOLINUXCLOUD.COM'

6. Verify connectivity between Linux client and Windows AD

testparm validates smb.conf and shows the role the configuration implies (ROLE_DOMAIN_MEMBER); it does not contact the DC, so use net ads testjoin to confirm the join itself.

[root@centos-8 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        log file = /var/log/samba/log.%m
        max log size = 50
        realm = GOLINUXCLOUD.COM
        security = ADS
        template shell = /bin/bash
        winbind offline logon = Yes
        workgroup = GOLINUXCLOUD
        idmap config * : rangesize = 1000000
        idmap config * : range = 100000-19999999
        idmap config * : backend = autorid


[homes]
        browseable = No
        comment = Home Directories
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        browseable = No
        comment = All Printers
        create mask = 0600
        path = /var/tmp
        printable = Yes


[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        force group = @printadmin
        path = /var/lib/samba/drivers
        write list = @printadmin root

After successfully joining Linux server to Windows Active Directory, it is essential that you restart Winbind and enable the service to auto start at boot:

[root@centos-8 ~]# systemctl enable winbind --now
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.

Check the status of Winbind service

[root@centos-8 ~]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-10-18 14:48:25 IST; 20s ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1756 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 2 (limit: 11506)
   Memory: 6.6M
   CGroup: /system.slice/winbind.service
           ├─1756 /usr/sbin/winbindd --foreground --no-process-group
           └─1758 /usr/sbin/winbindd --foreground --no-process-group

Oct 18 14:48:25 centos-8.golinuxcloud.com systemd[1]: Starting Samba Winbind Daemon...


7. Client Validation

After adding CentOS 8 to the Windows Domain Controller, run some checks on the client host to make sure it can reach Active Directory properly.

You can test whether everything is working with wbinfo -t. The command checks the machine account's trust secret over an authenticated RPC call, which can only succeed if the host really is a member of the domain:

[root@centos-8 ~]# wbinfo -t
checking the trust secret for domain GOLINUXCLOUD via RPC calls succeeded

List AD users.

[root@centos-8 ~]# wbinfo -u
GOLINUXCLOUD\administrator
GOLINUXCLOUD\guest
GOLINUXCLOUD\krbtgt

List AD groups.

[root@centos-8 ~]# wbinfo -g
GOLINUXCLOUD\winrmremotewmiusers__
GOLINUXCLOUD\domain computers
GOLINUXCLOUD\domain controllers
GOLINUXCLOUD\schema admins
GOLINUXCLOUD\enterprise admins
GOLINUXCLOUD\cert publishers
GOLINUXCLOUD\domain admins
GOLINUXCLOUD\domain users
GOLINUXCLOUD\domain guests
GOLINUXCLOUD\group policy creator owners
GOLINUXCLOUD\ras and ias servers
GOLINUXCLOUD\allowed rodc password replication group
GOLINUXCLOUD\denied rodc password replication group
GOLINUXCLOUD\read-only domain controllers
GOLINUXCLOUD\enterprise read-only domain controllers
GOLINUXCLOUD\cloneable domain controllers
GOLINUXCLOUD\protected users
GOLINUXCLOUD\dnsadmins
GOLINUXCLOUD\dnsupdateproxy

8. Configure the NSS and PAM stack for authentication

Execute the following command to configure NSS and PAM stack. We use with-mkhomedir to make sure the home directory for active directory users are automatically created when they login.

[root@centos8 ~]# authselect select winbind with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2021-03-03-19-16-20.jS4CgG
Profile "winbind" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group

Make sure that winbind service is configured and enabled. See winbind documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Ensure that /etc/nsswitch.conf has the following passwd and group entries. The order matters: local files are consulted first and Winbind second, so local accounts keep their IDs and only names that are not local are resolved through winbindd.

passwd:     files winbind
group:      files winbind

Enable and start/restart oddjobd service:

[root@centos8 ~]# systemctl enable oddjobd --now

Test resolving AD users and groups and authentication of users.

[root@centos8 ~]# getent passwd GOLINUXCLOUD\\administrator
GOLINUXCLOUD\administrator:*:1100500:1100513::/home/GOLINUXCLOUD/administrator:/bin/bash

[root@centos8 ~]# id GOLINUXCLOUD\\administrator
uid=1100500(GOLINUXCLOUD\administrator) gid=1100513(GOLINUXCLOUD\domain users) groups=1100513(GOLINUXCLOUD\domain users),1100500(GOLINUXCLOUD\administrator),1100572(GOLINUXCLOUD\denied rodc password replication group),1100518(GOLINUXCLOUD\schema admins),1100519(GOLINUXCLOUD\enterprise admins),1100520(GOLINUXCLOUD\group policy creator owners),1100512(GOLINUXCLOUD\domain admins),100001(BUILTIN\users),100000(BUILTIN\administrators)
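To make the numbers in the id output above checkable, here is an added example (not from the article and not Samba's own code) that models the autorid allocation with the range and rangesize from the [global] section above. The formula ID = range low + block number * rangesize + RID is assumed from the page's own output (block 1, RID 500 gives 1100500; Administrator has RID 500 and Domain Users RID 513); the block a domain receives is recorded by winbind when it first sees that domain, and on the page's host block 0 holds the allocation pool from which the BUILTIN ids 100000 and 100001 come, which is why the inverse calculation reports no RID for those. ID_LINE is a constructed copy of the id output shown above.

```python
import re

# Values from the [global] section of smb.conf shown above.
RANGE_LOW, RANGE_HIGH, RANGESIZE = 100000, 19999999, 1000000

# Constructed copy of the id(1) output above for GOLINUXCLOUD\administrator.
ID_LINE = ("uid=1100500(GOLINUXCLOUD\\administrator) gid=1100513(GOLINUXCLOUD\\domain users) "
           "groups=1100513(GOLINUXCLOUD\\domain users),1100512(GOLINUXCLOUD\\domain admins),"
           "100001(BUILTIN\\users),100000(BUILTIN\\administrators)")

ID_RE = re.compile(r"(\d+)\(([^)]+)\)")


def autorid_max_ranges(low=RANGE_LOW, high=RANGE_HIGH, size=RANGESIZE):
    """Number of complete blocks of 'rangesize' IDs inside 'range'.

    Integer division: the partial block at the top of the range is unusable."""
    return (high - low + 1) // size


def autorid_id(block, rid, low=RANGE_LOW, high=RANGE_HIGH, size=RANGESIZE):
    """Unix ID for a RID in the block allocated to its domain.

    Formula assumed from the page's own output (block 1, RID 500 -> 1100500):
    ID = low + block * size + RID."""
    if rid >= size:
        # autorid continues such a domain in a further block; not modelled here.
        raise ValueError(f"RID {rid} does not fit in a block of {size} IDs")
    if block >= autorid_max_ranges(low, high, size):
        raise ValueError(f"block {block} lies beyond the configured range")
    return low + block * size + rid


def autorid_decompose(unix_id, low=RANGE_LOW, high=RANGE_HIGH, size=RANGESIZE):
    """Inverse: (block, offset) that produced a uid/gid, or None if outside the range."""
    if not low <= unix_id <= high:
        return None
    return divmod(unix_id - low, size)


def explain(id_line=ID_LINE, low=RANGE_LOW, high=RANGE_HIGH, size=RANGESIZE):
    """Annotate every 'number(name)' pair of an id(1) line with its block and RID.

    Block 0 is the allocation pool on the page's host (its BUILTIN ids come from
    there), so its offsets are sequence numbers, not RIDs, and are reported as None."""
    rows = []
    for num, name in ID_RE.findall(id_line):
        unix_id = int(num)
        parts = autorid_decompose(unix_id, low, high, size)
        block, offset = parts if parts else (None, None)
        rows.append({"name": name, "id": unix_id, "block": block,
                     "rid": offset if block not in (None, 0) else None})
    return rows


if __name__ == "__main__":
    print(f"{autorid_max_ranges()} usable blocks of {RANGESIZE} IDs")
    for row in explain():
        print(row)
```

Two practical consequences fall out of the arithmetic: a rangesize of 1000000 leaves 19 usable blocks in this range, so the top of the range is wasted, and a domain whose RIDs ever exceed the rangesize spills into an extra block, which is why rangesize should comfortably exceed the highest RID you expect (large migrated domains can carry RIDs above 100000).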


9. Login as Active Directory User on Linux Client

Now you can log in as any Active Directory user on this CentOS 8 client. You don't need to create the home directory for domain users manually; the /usr/lib64/security/pam_oddjob_mkhomedir.so module from the oddjob-mkhomedir rpm takes care of it.

[root@centos8 ~]# su - GOLINUXCLOUD\\Administrator
Creating home directory for GOLINUXCLOUD\administrator.
Last login: Thu Mar  4 00:46:12 IST 2021 on pts/0

[GOLINUXCLOUD\administrator@centos8 ~]$ pwd
/home/GOLINUXCLOUD/administrator

As you can see, the home directory for the Administrator user was created automatically at first login.

In the next article I will share the steps to Integrate Samba Shares with Active Directory (Linux & Windows)

Summary

Winbind can be used with different idmap backends: idmap_tdb, idmap_ldap, idmap_rid, idmap_sss and idmap_ad, as well as idmap_autorid used above. They determine how the Red Hat Enterprise Linux system maps SIDs to UIDs/GIDs, so choose the one that fits your environment. For a single system, where keeping UIDs/GIDs identical across hosts does not matter, the default tdb backend may be appropriate. If UIDs/GIDs must be consistent across many systems, use a deterministic backend such as rid or autorid (with the same range and rangesize on every host) or take the IDs from Active Directory with ad.

I hope the steps in this article to join CentOS 8 to a Windows Domain Controller were helpful. Let me know your suggestions and feedback in the comments.



I have an issue when I try to join my domain.

I am able to create the kerberos ticket successfully.

root@debian:~# kinit Administrateur@ASP.DOMAIN
Password for Administrateur@ASP.DOMAIN:
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrateur@ASP.DOMAIN

Valid starting       Expires              Service principal
26/04/2016 18:20:18  27/04/2016 04:20:18  krbtgt/ASP.DOMAIN@ASP.DOMAIN
        renew until 27/04/2016 18:20:11

and when I try to join the domain :

root@debian:~# net ads join -k
Failed to join domain: failed to lookup DC info for domain 'ASP.DOMAIN' over rpc: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.

my krb5.conf is:

[libdefaults]
        default_realm = ASP.DOMAIN

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        ASP.DOMAIN = {
                kdc = asp.domain
                admin_server = server.domain
                default_domain = DOMAIN
        }

[domain_realm]
        .asp.domain = ASP.DOMAIN
        asp.domain = ASP.DOMAIN

My smb.conf :

[global]
        security = ADS
        realm = ASP.DOMAIN
        password server = server.domain
        workgroup = asp.domain
        winbind separator = /
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        winbind use default domain = yes
        domain master = no
        local master = no
        preferred master = no
        os level = 0

I have no idea: there is no drop on my firewall. The ticket is ok. I’ve tried with 3 Domain Controlers.

PS : Domain is a variable

EDIT : I’ve tried to do it with samba-tool too

root@debian:~# samba-tool domain join ASP.DOMAIN MEMBER -UAdministrateur --real=ASP.DOMAIN
ERROR(runtime): uncaught exception - Connection to SAMR pipe of PDC for ASP.DOMAIN failed: Connection to DC failed: NT_STATUS_IO_TIMEOUT
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 606, in run
    machinepass=machinepass)

EDIT 2: Join is OK? But wbinfo -u is not OK

root@debian:~# net ads join -U Administrateur
Enter Administrateur's password:
Using short domain name -- DOMAIN
Joined 'ASP.DOMAIN' to dns domain 'asp.domain'
DNS Update for asp.kapia failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL
root@debian:~# net ads testjoin
Join is OK

root@debian:~# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

EDIT 3: (screenshot only)

EDIT 4:

root@debian:~# service winbind status
● winbind.service - LSB: start Winbind daemon
   Loaded: loaded (/etc/init.d/winbind)
   Active: active (exited) since mer. 2016-04-27 16:16:00 CEST; 55s ago
  Process: 2222 ExecStart=/etc/init.d/winbind start (code=exited, status=0/SUCCESS)

avril 27 16:16:00 debian winbindd[2233]: #5 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fbc2b11e1cd]
avril 27 16:16:00 debian winbindd[2233]: #6 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x91ca) [0x7fbc2b11f1ca]
avril 27 16:16:00 debian winbindd[2233]: #7 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x78e7) [0x7fbc2b11d8e7]
avril 27 16:16:00 debian winbindd[2233]: #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fbc2b11a12d]
avril 27 16:16:00 debian winbindd[2233]: #9 /usr/sbin/winbindd(main+0xb7c) [0x7fbc325cbc8c]
avril 27 16:16:00 debian winbindd[2233]: #10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fbc2a92db45]
avril 27 16:16:00 debian winbindd[2233]: #11 /usr/sbin/winbindd(+0x25318) [0x7fbc325cc318]
avril 27 16:16:00 debian winbindd[2233]: [2016/04/27 16:16:00.971185,  0] ../source3/lib/dumpcore.c:318(dump_core)
avril 27 16:16:00 debian winbindd[2233]: dumping core in /var/log/samba/cores/winbindd
avril 27 16:16:00 debian winbindd[2233]:

Topic: Joining Ubuntu 14.04LTS to a Windows 2008 R2 domain

bigAboo


AnrDaemon

Output of

samba-tool testparm --suppress-prompt


bigAboo

Output of samba-tool testparm --suppress-prompt


AnrDaemon

Rename smb.conf, create a new one.
Leave only

[global]
        dos charset = CP866
        workgroup = VAOFIT
        realm = VAOFIT.LOC
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config VAOFIT : range = 1500-99999
        idmap config VAOFIT : schema_mode = rfc2307
        idmap config VAOFIT : backend = ad
        idmap config * : range = 100000-100999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr



fisher74


AnrDaemon

Not the least of the reasons why I always turn off avatars on the forum...


bigAboo

Rename smb.conf, create a new one.
Leave only
[global]
        dos charset = CP866
        workgroup = VAOFIT
        realm = VAOFIT.LOC
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config VAOFIT : range = 1500-99999
        idmap config VAOFIT : schema_mode = rfc2307
        idmap config VAOFIT : backend = ad
        idmap config * : range = 100000-100999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

Done.

samba-tool testparm --suppress-prompt gives

[global]
dos charset = CP866
workgroup = VAOFIT
realm = VAOFIT.LOC
server string = %h server (Samba, Ubuntu)
server role = standalone server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
unix password sync = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config * : backend = tdb
idmap config * : range = 100000-100999
idmap config vaofit : backend = ad
idmap config vaofit : schema_mode = rfc2307
idmap config vaofit : range = 1500-99999
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers


sudo net ads join -U admin -D VAOFIT gives

Using short domain name -- VAOFIT
Joined 'UBUNTUDESKTOP' to dns domain 'vaofit.loc'
DNS Update for ubuntudesktop.vaofit.loc failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL


User continued the thought on 14 January 2016, 12:56:05:

Not the least of the reasons why I always turn off avatars on the forum...

Agreed :coolsmiley: ;D


AnrDaemon

Ah, wait. Wait, wait, wait.
net ads testjoin


bigAboo

Ah, wait. Wait, wait, wait.
net ads testjoin

Failed to open /var/lib/samba/private/secrets.tdb
Join to domain is not valid: Access denied


AnrDaemon

Why do I constantly have to remind about sudo? ...


bigAboo

:-[

Why do I constantly have to remind about sudo? ...

fisher74,
 :-[

User continued the thought on 14 January 2016, 13:54:14:

Join is OK

Grand merci! I'll continue with Winbind)

« Last edit: 14 January 2016, 13:54:14 by bigAboo »

Thomas — Thu, 2019/01/17 — 19:33

Hi, I am getting the following error and have been stuck here:

root@fileserver ~# net ads join -U domainadmin
Enter domainadmin's password:
Using short domain name -- DOMAIN
Joined 'FILESERVER' to dns domain 'FQDN'
No DNS domain configured for fileserver. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Searched through many sites and tried numerous attempts without any luck. I have followed the Troubleshooting Samba Domain Members guide to the tee and no go:

  • Added the file server IP address and FQDN to the /etc/hosts file: «192.168.1.16 fileserver.domain.example.com fileserver»
  • Manually added an A pointer on the DNS server
  • Tried both «Secure» and «Nonsecure and secure» settings for DNS dynamic updates
  • Ran the dcdiag DnsDynamicUpdate test on the AD DNS server, which tested successful
  • Checked that the IP address of the DNS server is in /etc/resolv.conf

How do I troubleshoot this?
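The "No DNS domain configured for fileserver" line above (the same message appears for fedoric later on this page) is Samba reporting that the canonical name it derived for the machine contains no dot, so there is no zone to send the update to. The following Python is an added example, not code from any of the posters: it replays that derivation from /etc/hosts on constructed sample files (the names and addresses are assumed) so the misordering can be caught before the join.

```python
"""Offline check for the "No DNS domain configured" condition on a Samba member.

net ads join derives the machine's DNS name from gethostname() passed to
getaddrinfo() with AI_CANONNAME.  With the usual nsswitch order (files before
dns) that canonical name is the FIRST name on the matching /etc/hosts line.
Samba then splits it on the first dot; no dot means no DNS zone to update and
"No DNS domain configured for <host>. Unable to perform DNS Update." is printed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsNameCheck:
    canonical: str   # name Samba would treat as the machine's FQDN
    dns_domain: str  # zone the A record would be sent to ("" if none)
    ok: bool
    problem: str     # empty when ok, otherwise a plain-language reason


def canonical_name(hostname: str, hosts_text: str) -> str:
    """Return the canonical name the hosts database gives `hostname`.

    Comments are stripped, blank lines skipped, matching is case-insensitive
    (as in glibc), and the first matching line wins: its first name is the
    canonical one.  If nothing matches the resolver would fall through to DNS,
    which is not simulated here, so the bare hostname is returned.
    """
    want = hostname.lower()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:          # blank, comment, or address without names
            continue
        names = fields[1:]
        if any(n.lower() == want for n in names):
            return names[0]
    return hostname


def dns_domain_of(name: str) -> str:
    """Mirror Samba's split of the FQDN on its first dot."""
    _host, dot, domain = name.partition(".")
    return domain if dot else ""


def check_dns_name(hostname: str, hosts_text: str) -> DnsNameCheck:
    """Run the derivation and explain a failure the way an admin needs it."""
    canon = canonical_name(hostname, hosts_text)
    domain = dns_domain_of(canon)
    if not domain:
        return DnsNameCheck(
            canon, "", False,
            f"No DNS domain configured for {canon}: the first name on the "
            f"/etc/hosts line that matches '{hostname}' is a short name; "
            f"list the FQDN first, before any alias.",
        )
    return DnsNameCheck(canon, domain, True, "")


# Constructed /etc/hosts samples (not taken from any poster's system).
# 1) What the post above describes: FQDN listed first -> works.
GOOD_HOSTS = """\
127.0.0.1   localhost
192.168.1.16 fileserver.domain.example.com fileserver
"""
# 2) A loopback line carrying only the short name appears first, so it wins.
LOOPBACK_FIRST_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   fileserver
192.168.1.16 fileserver.domain.example.com fileserver
"""
# 3) Right line, wrong order: the alias precedes the FQDN.
ALIAS_FIRST_HOSTS = """\
127.0.0.1   localhost
192.168.1.16 fileserver fileserver.domain.example.com
"""

if __name__ == "__main__":
    for label, hosts in (("fqdn first", GOOD_HOSTS),
                         ("loopback first", LOOPBACK_FIRST_HOSTS),
                         ("alias first", ALIAS_FIRST_HOSTS)):
        result = check_dns_name("fileserver", hosts)
        status = "OK" if result.ok else "FAIL"
        print(f"{label:14s} {status:4s} canonical={result.canonical!r} "
              f"zone={result.dns_domain!r} {result.problem}")
```

On a real host, feed it `socket.gethostname()` and the contents of /etc/hosts; if nsswitch resolves hosts via DNS first, the DNS A/PTR data decides instead and this check does not apply.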

Hello!

I periodically run into this problem: for some reason the A and PTR records of user computers stop being registered in DNS. The DHCP logs contain a large number of refusals:

31,10/05/11,10:17:52,DNS Update Failed,172.20.x.x,pc-xp.contoso.com,2,
30,10/05/11,10:17:52,DNS Update Request,x.x.20.172,pc-xp.contoso.com,,

The DHCP console shows that IP addresses have been issued to them, but according to the logs (see above) registration was refused. At the same time, about half of the computers are in DNS (the logs show that the ones currently registered were also refused registration).

Once an hour, the following occurs:

25,10/05/11,10:17:52,0 leases expired and 0 leases deleted,,,,
25,10/05/11,10:17:52,0 leases expired and 0 leases deleted,,,,

In the scope properties (DHCP), the following is checked for DNS:

Enable DNS dynamic updates according to the settings below
  Always dynamically update DNS A and PTR records (I have now changed this to
  Dynamically update DNS A and PTR records only if requested by the DHCP clients)

Discard A and PTR records when lease is deleted
Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)

For the zones (Forward/Reverse) in DNS it is set to: Nonsecure and secure.

For the computers that did manage to register in DNS, for some reason the option
Update associated (PTR) record is not checked, and as a consequence these computers are not in the Reverse Lookup Zones.

My assumption is that both the PCs themselves and DHCP are trying to register them in DNS, which is what causes the confusion.

Before turning to you, I read through
«DHCP/DNS registration issues».

The domain is on 2003 Ent. (domain and forest level is 2003). The infrastructure has one 2008 R2 domain controller (Russian version). DHCP is on 2003 Ent.

The DnsUpdateProxy group has already been created, and the account of the domain controller that performs the DHCP role was added to it. Also, in the DNS console, in the zones' security properties (Security), I found that
Authenticated Users were only allowed Read (I added Write and Create All Child Objects).

By the time I finished writing this topic, the computers had started registering successfully again (more in Forward than in Reverse). Help me figure out what is wrong!

  1. Samba join active directory domain

    Hello,
    I'm trying to join a Windows domain with samba on an ubuntu 18.04 server and so far I haven't gotten it to work.

    I’m able to do the kinit and I see the token with klist but when I try to join like this:

    Code:

    net ads join -U Administrator@d1.lan -d3

    I get an error message

    Code:

    DNS Update for zfs1.d1.lan failed: ERROR_DNS_UPDATE_FAILED
    DNS update failed: NT_STATUS_UNSUCCESSFUL

    With debug options, there’s a lot more details but I don’t see any information that could give a hint about what’s the problem.

    If I don't follow that procedure and install and use realm join, I can join just fine and I can see my Windows users, so I know it's possible. The problem in that case is that samba doesn't seem to understand how to use that connection to do the authentication, because the attempts to connect to a shared directory fail. It tries to connect as guest even when I explicitly provide username and password information from the Windows machine. If I add a user with smbpasswd then it works fine, so the share itself is working.

    The test environment is pretty simple, I have 1 Windows server 2019 that is used as AD and the client for testing the smb connection. I also have 1 Ubuntu 18.04 machine that I’m trying to just join to the domain.

    I followed the procedure described in this document: https://discourse.ubuntu.com/t/service-sssd/11579

    I’ll include a few of the key configuration files in case there’s a problem in one of them.

    Code:

    cat resolv.conf
    nameserver 192.168.0.60
    domain d1.lan
    search d1.lan

    Code:

    cat hosts
    127.0.0.1       localhost
    192.168.0.40 zfs1.d1.lan zfs1

    Code:

    cat /etc/chrony/chrony.conf
    server 192.168.0.60 iburst
    keyfile /etc/chrony/chrony.keys
    driftfile /var/lib/chrony/chrony.drift
    logdir /var/log/chrony
    maxupdateskew 100.0
    rtcsync
    makestep 1 3

    Code:

    # cat /etc/sssd/sssd.conf
    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = D1.LAN
    
    [domain/D1.LAN]
    id_provider = ad
    access_provider = ad
    
    # Use this if users are being logged in at /.
    # This example specifies /home/DOMAIN-FQDN/user as /root.  Use with pam_mkhomedir.so
    override_homedir = /home/%u
    use_fully_qualified_names = False
    
    # Uncomment if the client machine hostname doesn't match the computer object on the DC.
    # ad_hostname = mymachine.myubuntu.example.com
    
    # Uncomment if DNS SRV resolution is not working
    # ad_server = dc.mydomain.example.com
    
    # Uncomment if the AD domain is named differently than the Samba domain
    # ad_domain = MYUBUNTU.EXAMPLE.COM
    
    # Enumeration is discouraged for performance reasons.
    # enumerate = true

    Code:

    cat /etc/samba/smb.conf
    [global]
    
    workgroup = D1
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = D1.LAN
    security = ads
    log level = 3

    Code:

    cat /etc/krb5.conf
    [libdefaults]
            default_realm = D1.LAN
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
    
    [realms]
            D1.LAN = {
                    kdc = 192.168.0.60
                    admin_server = 192.168.0.60
            }
    [domain_realm]
            .d1.lan = D1.LAN
            d1.lan  = D1.LAN

    Last edited by pg123; January 15th, 2020 at 03:17 PM.

    Reason: Corrected the net ads join command


  2. Re: Samba join active directory domain

    With a DNS update failure, are you sure it is trying to resolve DNS from the remote AD server or is it trying to resolve it locally itself?

    Also, you might need to ensure the FQDN of the AD/DNS server is resolvable from Ubuntu. Ubuntu knowing the IP might not be enough, it might require knowing the FQDN.

    Sorry I can’t be much more help, all of my Linux boxes are silos to themselves and I consider them more secure by NOT joining Windows. (yeah yeah, I know, not as easy to admin centrally)

    LHammonds


  3. Re: Samba join active directory domain

    Quote Originally Posted by LHammonds

    With a DNS update failure, are you sure it is trying to resolve DNS from the remote AD server or is it trying to resolve it locally itself?

    I’m pretty sure. My resolv.conf points to the AD and if I dig I get an answer from it. Also, the linux machine is already in the AD DNS.

    Code:

    # dig ad1.d1.lan
    
    ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> ad1.d1.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28884
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;ad1.d1.lan.                    IN      A
    
    ;; ANSWER SECTION:
    ad1.d1.lan.             3600    IN      A       192.168.0.60
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.0.60#53(192.168.0.60)
    ;; WHEN: Fri Jan 17 09:37:37 EST 2020
    ;; MSG SIZE  rcvd: 55

    Quote Originally Posted by LHammonds

    Also, you might need to ensure the FQDN of the AD/DNS server is resolvable from Ubuntu. Ubuntu knowing the IP might not be enough, it might require knowing the FQDN.

    That seems to resolve correctly for both the client and server. I can ping both with the fullname or shortname.

    Code:

    # ping -c1 ad1.d1.lan
    PING ad1.d1.lan (192.168.0.60) 56(84) bytes of data.
    64 bytes from 192.168.0.60: icmp_seq=1 ttl=128 time=0.303 ms
    
    --- ad1.d1.lan ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.303/0.303/0.303/0.000 ms
    # ping -c1 zfs1.d1.lan
    PING zfs1.d1.lan (192.168.0.40) 56(84) bytes of data.
    64 bytes from zfs1.d1.lan (192.168.0.40): icmp_seq=1 ttl=64 time=0.018 ms
    
    --- zfs1.d1.lan ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.018/0.018/0.018/0.000 ms

    Quote Originally Posted by LHammonds

    Sorry I can’t be much more help, all of my Linux boxes are silos to themselves and I consider them more secure by NOT joining Windows. (yeah yeah, I know, not as easy to admin centrally)

    I have a few hundred users in the AD that will need access to the file servers. I don't think creating local samba accounts for each of them on all of our servers would be easy, unless there's another way to go about it.

    Thanks for the input.


  4. Re: Samba join active directory domain

    On the test setup I have, eth0 is an ip address that allows for the system updates and package installation and eth1 is the internal network where the communication between client and server should be done.

    For some reason, it seems that having eth0 up was causing the problem.
    Since this is a test environment, I install all my updates and packages and I shut eth0 down before trying to join the domain and that seems to work.


  5. Re: Samba join active directory domain

    Ah, so it was a multi-nic routing issue. While eth0 was active, traffic was trying to route through that gateway?


Can't get into the domain (samba+kerberos)

Tiarasu
OS: Fedora 11

Can't get into the domain

I really want to log into Linux (Fedora) with a domain account.
There is Samba. Here is /etc/samba/smb.conf (the case matches):
[smb.conf]

Code:

[global]
workgroup = DOMAIN
netbios name = Fedoric
security = ads
# ads server = my.domain.com
realm = MY.DOMAIN.COM
# realm = DOMAIN
password server = *
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

# winbind separator =
template homedir = /home/%D/%U
template shell = /bin/bash
allow trusted domains = no
[Svalka]
comment = Upload
path = /mnt/win_e/Svalka
browseable = yes
valid users = @DOMAIN\domain_users
read only = No
create mask = 0666
directory mask = 0777

There is Kerberos. Here is /etc/krb5.conf

Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[realms]
 DOMAIN = {
  kdc = MY.DOMAIN.COM:88
  admin_server = MY.DOMAIN.COM:749
  default_domain = DOMAIN
 }

[domain_realm]
 .my.domain.com = MY.DOMAIN.COM
 MY.DOMAIN.COM = MY.DOMAIN.COM

With all this I managed to drag the computer into the domain (net join worked. Not right away, but still). However, when I try to log in through the GUI (DOMAIN\user then password): unable authenticate user.

Can you tell me what I'm doing wrong?

nacmyx
OS: centos

Re: Can't get into the domain

nacmyx » 05.08.2008 23:47

Show the tickets you were issued. Try looking at the logs. I usually do it like this: stop everything related, clear all the logs, start things the way they should be, try what I need, get refused, stop everything I started. And pore over the logs. It's great if the log records the time.

Tiarasu
OS: Fedora 11

Re: Can't get into the domain

Tiarasu » 06.08.2008 12:21

The issued tickets (as far as I know, the klist command) show the following:

user@host

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MY.DOMAIN.COM

Valid starting Expires Service principal
08/05/08 14:29:15 08/06/08 00:29:25 krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
renew until 08/06/08 14:29:15

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

iptables is disabled.
Another question: how do I see which processes are running? And how do I check the state of a particular process?
Newbie questions, but the topic is appropriate...
Besides that, it stopped responding to the commands wbinfo -g and wbinfo -u. wbinfo -p goes through without problems.
It won't let me renew the certificate:

user@host

# kinit user@MY.DOMAIN.COM
kinit(v5): Cannot resolve network address for KDC in realm MY.DOMAIN.COM while getting initial credentials

Probably either some process is interfering, or /etc/krb5.conf is misconfigured again.
PS Am I formatting my post correctly? :blush:

nacmyx
OS: centos

Re: Can't get into the domain

nacmyx » 06.08.2008 14:55

cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]
default_realm = SRC.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SRC.LOCAL = {
kdc = krb.src.local:88
admin_server = krb.src.local:750
default_domain = src.local
}

[domain_realm]
.src.local = SRC.LOCAL
src.local = SRC.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
v4_mode = disable
kdc_tcp_ports = 88

[realms]
SRC.LOCAL = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

ps ax | grep kerb
1801 ? Ss 0:00 /usr/kerberos/sbin/kadmind
1816 ? Ss 0:00 /usr/kerberos/sbin/krb524d -m
1834 ? Ss 0:00 /usr/kerberos/sbin/krb5kdc
24863 pts/3 S+ 0:00 grep kerb

cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
172.16.27.4 krb.src.local

cat /etc/resolv.conf
search src.local
nameserver 192.168.10.11
nameserver 192.168.10.10

cat /etc/host.conf
order hosts,bind
[root@krb etc]#

one option: look at nslookup MY.DOMAIN.COM
because it isn't resolving

Tiarasu
OS: Fedora 11

Re: Can't get into the domain

Tiarasu » 06.08.2008 15:51

nacmyx wrote (06.08.2008 14:55):

one option: look at nslookup MY.DOMAIN.COM
because it isn't resolving

It doesn't resolve (( I looked.

user@host

# nslookup MY.DOMAIN.COM
;; connection timed out; no servers could be reached

nacmyx wrote (06.08.2008 14:55):

ps ax | grep kerb
1801 ? Ss 0:00 /usr/kerberos/sbin/kadmind
1816 ? Ss 0:00 /usr/kerberos/sbin/krb524d -m
1834 ? Ss 0:00 /usr/kerberos/sbin/krb5kdc
24863 pts/3 S+ 0:00 grep kerb

Here the answer is different too.

user@host

# ps ax | grep kerb
4117 pts/1 S+ 0:00 grep kerb

So that's how it is. As for the rest, I'm off to dig.
Please tell me how to get the list of running processes and the state of one particular process?
And also, what does this «.LOCAL» mean? Does it mean that after a domain name like MOSCOW.DOMAIN.COM I have to add this LOCAL? Or is just the domain name enough? I'm asking because this isn't the first time I've seen it...

PS

nacmyx wrote (06.08.2008 14:55):

cat /var/kerberos/krb5kdc/kdc.conf

There is no such file. locate finds something similar at /usr/kerberos/share/examples/krb5/kdc.conf
I redid krb5.config, just two questions.
krb5.config переделал, только два вопроса.

nacmyx wrote (06.08.2008 14:55):

dns_lookup_realm = true
dns_lookup_kdc = true

What are these lines for? And

nacmyx wrote (06.08.2008 14:55):

[realms]
SRC.LOCAL = {
kdc = krb.src.local:88
admin_server = krb.src.local:750
default_domain = src.local
}

is it definitely the server, and not the realm, that should be specified in kdc and admin_server?

Tiarasu
OS: Fedora 11

Re: Can't get into the domain

Tiarasu » 06.08.2008 19:30

nacmyx wrote (06.08.2008 14:55):

cat /etc/resolv.conf
search src.local
nameserver 192.168.10.11
nameserver 192.168.10.10

Many thanks, that's where the dog was buried. I edited the config, everything resolved, and now I'm in the domain. Although it did complain about something, I didn't fully understand what.

user@host

# net ads join -U user
Enter user's password:
Using short domain name -- DOMAIN_MY_01
Joined 'FEDORIC' to realm 'my.domain.com'
[2008/08/06 19:12:07, 0] libads/kerberos.c:ads_kinit_password(356)
kerberos_kinit_password FEDORIC$@my.domain.com failed: KDC reply did not match expectations
No DNS domain configured for fedoric. Unable to perform DNS Update.
DNS update failed!

Is this critical? And another question: how critical is it that I obtained the Kerberos ticket as one user but joined the machine to the domain as another?

PS To be precise, it's not me but the machine that is in the domain. And I still can't log in through Gnome. I try to log in using the short domain name DOMAIN_MY_01\user, then password. First it answers «no logon servers», then the familiar unable authenticate user. Maybe I haven't finished editing some Gnome config?

nacmyx
OS: centos

Re: Can't get into the domain

nacmyx » 06.08.2008 21:55

I suspect the DNS update isn't failing for no reason: read the logs and the Samba/AD configs carefully.
The process list is via ps, possibly with a bunch of switches. See the man page for your distro.
My domain = src.local
The dns_ lines say where to look for krb.src.local. In an unfavourable environment, don't take the IP from DNS, put it straight into hosts.
I strongly recommend reading the docs for your Kerberos.
The admin server is the admin server. Read the previous line, since there's no time to write documentation here.

Tiarasu
OS: Fedora 11

Re: Can't get into the domain

Tiarasu » 07.08.2008 20:39

Many thanks for the invaluable help! It is trying to load into Gnome after all. Though for now it only shows a blue screen, and that's it. Off to pore over the logs :sleep:

7true
OS: debian lenny

Re: Can't get into the domain

7true » 14.08.2008 10:12

"No DNS domain configured for fedoric. Unable to perform DNS Update.
DNS update failed!"
If the domain controller is a Windows one, then
to fix this you need to go into dnsmgmt on Windows and create a new host there with the Linux machine's name, with the checkbox
"Allow any authenticated user to update DNS records with the same owner name"

nacmyx
OS: centos

Re: Can't get into the domain

nacmyx » 14.08.2008 11:03

And if the controller is not Windows, then set up the updater. You need a key/password for that, and in named's config you specify that someone will come with such a key and make changes.