
Thread: HOWTO: Active Directory Authentication

  1. #181
    Join Date
    Dec 2008
    Beans
    2
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: HOWTO: Active Directory Authentication

    I'm also having exactly the same issue as DouglasK. I've followed this doc exactly:

    https://help.ubuntu.com/community/Ac...ryWinbindHowto

    Anybody have any suggestions or solutions here?

  2. #182
    Join Date
    Aug 2006
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Quote: Originally posted by lukekurtis
    I'm also having exactly the same issue as DouglasK. I've followed this doc exactly:

    https://help.ubuntu.com/community/Ac...ryWinbindHowto

    Anybody have any suggestions or solutions here?

    Here's how I resolved the problem on my computer:

    1. Add the IP of the Windows DNS server to /etc/resolv.conf (you may wish to edit the network settings normally. I tend to 'hack')

    2. Use "net ads join -U {username}" ... whenever I specified the computer or domain after the username, it said it could not look up the DC.

    HTH

  3. #183
    Join Date
    Dec 2005
    Location
    Skopje, Macedonia
    Beans
    15
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: HOWTO: Active Directory Authentication

    Quote: Originally posted by slamp
    Great tutorial! I have now joined my Ubuntu server into my domain. I do have a question.

    How do I set up multiple groups in a folder in Linux?

    I want groups that can read/write and groups that can only read.

    So far I have set up a group in Active Directory and made it able to read and write to the Samba share, but I do not know of any way to make another one that can only read.

    You can solve this in guru manner rather than groups, since your result should be one write and one read group.

    Make 2 new user domains, name them for example

    domain user: readonly
    domain user: readwrite

    On shared resources add them to advanced security, and on the readonly user deny write, delete and create directory, and give readwrite full control.

    Use these users only for mounting shares from Windows resources on the Ubuntu box, and let them log in and authenticate with their own user, ex: bobby, pass bobby.

  4. #184
    Join Date
    Aug 2006
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Quote: Originally posted by Daga
    Here's how I resolved the problem on my computer:

    1. Add the IP of the Windows DNS server to /etc/resolv.conf (you may wish to edit the network settings normally. I tend to 'hack')

    2. Use "net ads join -U {username}" ... whenever I specified the computer or domain after the username, it said it could not look up the DC.

    And... I've run into this problem another way. The error is caused when the "net ads join" command is unable to look up a DNS/WINS entry for _ldap._tcp.dc._msdcs.YOUR.DOMAIN (try running the command with "-d 3", you'll see what I'm talking about).

    The first time I apparently set up the Windows DNS server correctly so the problem was in talking to the server. The second time I didn't, and the Windows server was confused. Make sure that on the DNS server you have "Forward Lookup Zones" -> "_msdcs.YOUR.DOMAIN" -> "dc" -> "_tcp". If not, try the instructions located here:

    http://support.microsoft.com/kb/817470

  5. #185
    Join Date
    Apr 2009
    Beans
    1

    Re: HOWTO: Active Directory Authentication

    Hi, the HOWTO is really good, but I am not succeeding at logging in to the Active Directory. Everything is all right up to the time I do the "net ads join -U administrador". After I enter the pass the terminal gives me this:

    root@sistemasubuntu:/home/leo# net ads join -U administrador
    Enter administrador's password:
    Failed to join domain: failed to lookup DC info for domain 'CANUDASSUC1.COM.AR' over rpc: The network name cannot be found

    I've tried everything, with the domain, with the realm, everything.
    But if I enter "rpc" instead of "ads" then I receive "Joined domain CANUDASSUC1." (which is OK). But it has no positive reactions, I cannot enter the net.

    The domain controller is a W2K one.

    Here's my smb.conf:
    [global]
    workgroup = CANUDASSUC1
    realm = CANUDASSUC1.COM.AR
    server string = Samba file and print server
    bind interfaces only = Yes
    security = ADS
    update encrypted = Yes
    client schannel = No
    server schannel = No
    null passwords = Yes
    obey pam restrictions = Yes
    password server = cabas101.canudassuc1.com.ar
    guest account = smbguest
    passwd program = /usr/bin/passwd '%u'
    passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd*changed*\n
    passwd chat timeout = 120
    password level = 6
    username level = 6
    unix password sync = Yes
    log file = /var/log/samba/samba.log
    max log size = 1000
    smb ports = 135 445 139
    name resolve order = wins lmhosts bcast
    client signing = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    machine password timeout = 120
    add user script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null '%u'
    delete user script = /usr/sbin/userdel '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
    delete user from group script = /usr/sbin/userdel '%u' '%g'
    add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
    logon script = %G.bat
    logon path = \\%L\profiles\%u
    logon drive = m:
    logon home = \\%L\homes\%u
    os level = 33
    local master = No
    domain master = No
    dns proxy = No
    wins server = 192.168.2.1
    ldap ssl = no
    remote announce = 192.168.2.1
    remote browse sync = 192.168.2.1
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    template shell = /bin/bash
    winbind separator = +
    winbind cache time = 360
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = No
    winbind nss info = no
    guest ok = Yes
    hosts allow = 127., 192.168.2.
    cups options = raw
    follow symlinks = No

    [homes]
    comment = Home Directories
    path = /home
    read only = No
    locking = No
    share modes = No

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    read only = No
    locking = No
    share modes = No

    PLEASE HELP ME!!

  6. #186
    Join Date
    Jun 2006
    Beans
    30

    Re: HOWTO: Active Directory Authentication

    OK, after some struggling, I found a maybe helpful thing to check if it isn't working right away:

    I did a
    Code:
    net ads testjoin
    and always got a message like
    Code:
    [2009/08/26 13:47:10, 0] libads/kerberos.c:ads_kinit_password(228)
      kerberos_kinit_password SEWER$@MAIN.LOCAL failed: Client not found in Kerberos database
    [2009/08/26 13:47:10, 0] libads/kerberos.c:ads_kinit_password(228)
      kerberos_kinit_password SEWER$@MAIN.LOCAL failed: Client not found in Kerberos database
    Join to domain is not valid: Improperly formed account name
    Apparently, the administrator password cannot be empty!

    I created a new domadm account with a password (in this test server, a lot of services depend on the 'administrator' user and its (empty) password, so I didn't want to break stuff by just putting a password there).
    When using the domadm user for joining etc, it all works.

    wbinfo -n on an AD user gives me the info from the windows server.

    Just for your convenience: if it gives you an error like the above, check if your administrative user does have a password set...
    Bram Kortleven
    Ubuntu Enthusiast
    Technology 'Freak'
    www.bramkortleven.be

  7. #187
    Join Date
    Jun 2006
    Beans
    30

    Re: HOWTO: Active Directory Authentication

    @ Leoembon:

    Check if your /etc/hosts file contains an entry to resolve the AD server's name to its IP...
    Do a ping on the name you set in /etc/krb5.conf file's admin_server entry to check if it resolves correctly.

    I had a similar issue before, and that did the trick for me.
    Bram Kortleven
    Ubuntu Enthusiast
    Technology 'Freak'
    www.bramkortleven.be
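
The DNS dependency described in posts #184 and #187, as an added example that is not part of the original thread: a shell check that reads the realm from smb.conf, looks up the _ldap._tcp.dc._msdcs.<realm> SRV record, and confirms that each DC it names resolves. The function names and the LOOKUP/RESOLVE override variables are assumptions made for this example; by default it calls the standard "host" and "getent" tools.

```shell
#!/bin/sh
# Added example: DNS pre-check to run before "net ads join".

# Print the value of "realm" from an smb.conf-style file (key is case-insensitive).
realm_from_smbconf() {
    sed -n 's/^[[:space:]]*[Rr][Ee][Aa][Ll][Mm][[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# SRV name that the "net ads join" lookup depends on (named in post #184).
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Read "host -t SRV" output and print "port target" per record, e.g.
# "<name> has SRV record 0 100 389 dc1.example.test." -> "389 dc1.example.test"
srv_targets() {
    awk '/ has SRV record / { t = $NF; sub(/\.$/, "", t); print $(NF-1), t }'
}

# Return 0 only if the SRV record exists and every DC it names resolves.
# LOOKUP and RESOLVE are hypothetical override hooks (used for offline testing).
check_join_dns() {
    realm=$(realm_from_smbconf "$1")
    [ -n "$realm" ] || { echo "FAIL: no realm set in $1"; return 2; }
    name=$(dc_srv_name "$realm")
    targets=$(${LOOKUP:-host -t SRV} "$name" 2>/dev/null | srv_targets)
    [ -n "$targets" ] || { echo "FAIL: no SRV record for $name"; return 1; }
    rc=0
    while read -r port dc; do
        # getent consults /etc/hosts and DNS in nsswitch.conf order (post #187).
        if ${RESOLVE:-getent hosts} "$dc" >/dev/null 2>&1; then
            echo "OK: $dc (port $port) resolves"
        else
            echo "FAIL: $dc from $name does not resolve"; rc=1
        fi
    done <<EOF
$targets
EOF
    return $rc
}

# Run against a file when one is given, e.g. ./check.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then check_join_dns "$1"; fi
```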

  8. #188
    Join Date
    May 2009
    Location
    Lisbon, Portugal
    Beans
    239
    Distro
    Xubuntu 11.10 Oneiric Ocelot

    Re: HOWTO: Active Directory Authentication

    Hi

    http://www.likewise.com/

    Just a nice tool also
    "We are the middle children of history, man. No purpose or place. We have no great war, no great depression. Our great war is a spiritual war."

  9. #189
    Join Date
    May 2005
    Beans
    1

    Re: HOWTO: Active Directory Authentication

    Great tutorial! After following the initial tutorial and configuring NTP, my machine is able to authenticate against AD.

    I do have one issue still. Authentication works great for any user unless they are required to change their password. I've been testing using SSH, and get the following output:

    Code:
    WARNING: Your password has expired.
    You must change your password now and login again!
    passwd: Authentication token manipulation error
    passwd: password unchanged
    Connection to _computer-name_ closed.
    Any ideas? Once this is working, I'll be completely set. Thanks!

  10. #190
    Join Date
    Nov 2009
    Beans
    2

    Re: HOWTO: Active Directory Authentication

    Hi. Maybe not the right place to post, but... I want to integrate a test machine with Ubuntu installed to authenticate with ADS. I found some guide here http://www.ubuntugeek.com/how-to-int...in-ubuntu.html but obviously something there was wrong and now I can't log on even with local accounts. I think the problem is in the PAM modules.


    Modify the PAM settings

    • /etc/pam.d/common-account should contain only the following lines

    account sufficient pam_winbind.so
    account required pam_unix.so

    • /etc/pam.d/common-auth should contain only the following lines

    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass

    • Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below

    password required pam_unix.so nullok obscure min=4 max=50 md5

    • Make sure the /etc/pam.d/common-session file contains the following line

    session required pam_mkhomedir.so umask=0022 skel=/etc
    Make a directory to hold domain user home directories
    Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
    mkdir -p /home/DOMAIN






    Any help is appreciated...Thank you!
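
A check to run from a still-open root session after editing the PAM files listed in post #190, as an added example that is not part of the original post or the guide it quotes: it lists every module named in the common-* files that is not installed, since a rule whose module cannot be loaded fails at login. The function names are assumptions made for this example, and the module directories are passed in by the caller because their location differs between releases.

```shell
#!/bin/sh
# Added example: find PAM rules that name a module which is not installed.

# Print the module field of every rule in a pam.d file.
# Comments are stripped; a bracketed control such as
# [success=1 default=ignore] is collapsed to one field first.
pam_modules() {
    sed -e 's/#.*//' -e 's/\[[^]]*]/BRACKET/' "$1" |
        awk 'NF >= 3 && $1 !~ /^@/ { print $3 }' | sort -u
}

# Print each module from FILE found in none of the given directories.
# Usage: pam_missing FILE DIR [DIR...]
pam_missing() {
    file=$1; shift
    pam_modules "$file" | while read -r mod; do
        found=no
        case $mod in
            /*) if [ -e "$mod" ]; then found=yes; fi ;;
            *)  for d in "$@"; do
                    if [ -e "$d/$mod" ]; then found=yes; fi
                done ;;
        esac
        [ "$found" = yes ] || echo "$mod"
    done
}

# Check the four files edited in the post; return 1 if any module is missing.
# Usage: pam_check_dir PAMD_DIR MODULE_DIR [MODULE_DIR...]
pam_check_dir() {
    pamd=$1; shift
    bad=0
    for f in common-account common-auth common-password common-session; do
        [ -f "$pamd/$f" ] || continue
        missing=$(pam_missing "$pamd/$f" "$@")
        if [ -n "$missing" ]; then
            echo "$f: missing $(echo $missing)"; bad=1
        fi
    done
    return $bad
}

# Example call (module directories are assumptions, adjust for the release):
#   ./pamcheck.sh /etc/pam.d /lib/security /lib/x86_64-linux-gnu/security
if [ "$#" -gt 1 ]; then pam_check_dir "$@"; fi
```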
