Page 2 of 21, results 11 to 20 of 209

Thread: HOWTO: Active Directory Authentication

  1. #11
    Join Date
    Aug 2005
    Location
    Lancaster, PA USA
    Beans
    97
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by derelict
    Greetings,

    I followed the howto step by step but I'm getting "kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials" when I run "kinit Administrator@home.brr". However, I can nslookup the computer I specified on "[realms] kdc" (it's both the AD PDC and DNS server). What can I be doing wrong?

    Thanks in advance



    In your case DOMAIN is uinimaas and DOMAIN.INTERNAL is uinimaas.nl

    Are you using home.brr or HOME.BRR? Caps are required.

  2. #12
    Join Date
    Jan 2006
    Location
    Portugal
    Beans
    34

    Re: HOWTO: Active Directory Authentication

    Yes, all references to "home.brr" in the krb5.conf file were in capital letters as shown by the HOWTO; I keep getting that error.
    I can ldapsearch the AD server and obtain user info without any problem.

  3. #13
    Join Date
    Aug 2005
    Location
    Lancaster, PA USA
    Beans
    97
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    There were two things not mentioned in this how-to that could possibly cause issues for some people. Derelict, can you check the below out?

    1) /etc/hosts isn't edited. The default Ubuntu installation would give you
    Code:
    127.0.0.1     localhost.localdomain     localhost     ubuntu

    That should be modified to include the domain that you are joining. It should look more like this:
    Code:
    127.0.0.1      FQDN      localhost       pc name

    Example using the domain from the how-to with a pc name of "test":
    Code:
    127.0.0.1     test.domain.internal     localhost     test

    I suggest a reboot after that to ensure no naming conflicts anywhere.

    2) Syncing time with the domain's NTP server
    The /etc/default/ntpdate file should be edited to reflect the FQDN of your NTP server (usually your domain controller).

    Again using the domain from the how-to, modify as needed.

    Code:
    # servers to check
    NTPSERVERS="domainserver.domain.internal"
    # additional options for ntpdate
    NTPOPTIONS="-u"
    Then restart the service:
    Code:
    sudo /etc/init.d/ntpdate restart

    Kerberos won't give you a ticket if the times are too far apart between the DC and the PC.
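As an added example (not from the thread), a small script that checks the two preconditions this post describes before running kinit: the /etc/hosts entry and the clock skew. The function names hosts_has_fqdn and skew_ok are my own; the sample hosts lines are constructed from the ones quoted in the thread.

```shell
# Added example, not from the thread: checks the hosts-file entry and the
# clock skew that post #13 says must be right before kinit can succeed.

# hosts_has_fqdn FILE FQDN SHORTNAME
# Succeeds if one non-comment line in FILE lists both FQDN and SHORTNAME
# for the same address, the layout the post recommends for /etc/hosts.
hosts_has_fqdn() {
    awk -v fqdn="$2" -v short="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            hf = 0; hs = 0
            for (i = 2; i <= NF; i++) {
                if ($i == fqdn) hf = 1
                if ($i == short) hs = 1
            }
            if (hf && hs) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# skew_ok LOCAL_EPOCH DC_EPOCH [MAX]
# Succeeds if the two clocks differ by less than MAX seconds; MAX defaults
# to 300, the MIT Kerberos default clockskew. In practice LOCAL_EPOCH comes
# from `date +%s` and DC_EPOCH from querying the domain controller (ntpdate -q).
skew_ok() {
    max=${3:-300}
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -lt "$max" ]
}

# Constructed sample: the default Ubuntu hosts line, then the corrected one.
demo() {
    tmp=$(mktemp)
    printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\tubuntu\n' > "$tmp"
    if hosts_has_fqdn "$tmp" ubuntu.home.brr ubuntu; then
        echo "default hosts: ok"
    else
        echo "default hosts: no FQDN for this host, fix /etc/hosts before kinit"
    fi
    printf '127.0.0.1\tubuntu.home.brr\tlocalhost\tubuntu\n' > "$tmp"
    hosts_has_fqdn "$tmp" ubuntu.home.brr ubuntu && echo "fixed hosts: ok"
    rm -f "$tmp"
    # 29 seconds apart (as reported later in the thread) passes; 400 does not.
    skew_ok 1000 1029 && echo "29s skew: ok"
    skew_ok 1000 1400 || echo "400s skew: Kerberos will refuse the ticket"
}
demo
```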

  4. #14
    Join Date
    Jan 2006
    Location
    Portugal
    Beans
    34

    Re: HOWTO: Active Directory Authentication

    OK, it looks like it's making progress.
    I changed the hosts file to
    "127.0.0.1 ubuntu.home.brr localhost ubuntu"
    and I'm now getting
    "kinit(v5): KDC has no support for encryption type while getting initial credentials"

    Here's the [libdefault] section of my krb5.conf, up to the [realms] section:
    Code:
    ticket_lifetime = 24000
    default_realm = HOME.BRR
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    I'm running AD on a 2003 Server; should I change the enctypes? The time difference between hosts was already below 30 seconds; it had occurred to me before that Kerberos needed some time sync.

  5. #15
    Join Date
    Jan 2006
    Location
    Portugal
    Beans
    34

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by derelict
    I'm now getting
    "kinit(v5): KDC has no support for encryption type while getting initial credentials"
    I solved it by resetting the Administrator password. It looks like I now have a Kerberos ticket already; I'll post back the whole result (hopefully successful!).

    Thanks steve

  6. #16
    Join Date
    Jan 2006
    Location
    Portugal
    Beans
    34

    Re: HOWTO: Active Directory Authentication

    OK, I successfully added the computer to the realm, thanks for all the help so far! However, I was aiming at being able to log in with an AD user via the graphical startup prompt; do I have to edit /etc/pam.d/gdm?

    Thanks in advance!

  7. #17
    Join Date
    Aug 2005
    Location
    Lancaster, PA USA
    Beans
    97
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Active Directory Authentication

    Following this how-to should allow you to log in with an AD account. There are three main ways to log in, based on editing the smb.conf.
    As it is set now, you should be able to log in with just username and password. The line
    Code:
     winbind use default domain = yes
    will have winbind assume all logins are from the default domain.

    If you set that to no, or comment it out, you would need to prepend the username with the domain. The winbind separator determines which character goes between the domain and username.
    Code:
    winbind separator = +
    If you copied this smb.conf, it would be:
    DOMAIN+username (ensure caps in domain)

    The default (read, commenting out that line with a #) is backslash, so it would be:
    DOMAIN\username (caps again).

    BTW you're welcome, love to help when I can.
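As an added example (not from the thread), a script that reads the two winbind settings this post discusses out of smb.conf and prints the form the login name must take. The function names smb_value and winbind_login_form are my own, and the sample smb.conf is constructed.

```shell
# Added example, not from the thread: works out what a user has to type at
# the login prompt from the winbind settings in smb.conf, following post #17.

# smb_value FILE KEY: print the value of KEY from smb.conf FILE, skipping
# commented-out lines (# or ;); print nothing if the key is not set.
smb_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# winbind_login_form FILE DOMAIN USER: print the login name for this smb.conf.
# With "winbind use default domain = yes" the bare username is enough;
# otherwise DOMAIN, the configured separator and the username are joined,
# and an unset separator means the Samba default, a backslash.
winbind_login_form() {
    bs='\'
    use_default=$(smb_value "$1" "winbind use default domain")
    sep=$(smb_value "$1" "winbind separator")
    case "$use_default" in
        [Yy]es|[Tt]rue|1) printf '%s\n' "$3" ;;
        *) printf '%s%s%s\n' "$2" "${sep:-$bs}" "$3" ;;
    esac
}

# Constructed sample: the how-to's smb.conf with the default-domain line
# commented out, so a DOMAIN+username login is needed.
demo() {
    tmp=$(mktemp)
    printf '[global]\n   workgroup = DOMAIN\n   #winbind use default domain = yes\n   winbind separator = +\n' > "$tmp"
    echo "log in as: $(winbind_login_form "$tmp" DOMAIN jdoe)"
    rm -f "$tmp"
}
demo
```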

  8. #18
    Join Date
    Jan 2006
    Location
    Portugal
    Beans
    34

    Re: HOWTO: Active Directory Authentication

    Once again you got it.
    It's logging in perfectly, I'm now working on changing the AD password via Linux (smbpassword, correct?) and getting it to create the user directory (/home/domain/user) with 700 permissions. Thanks!

  9. #19
    Join Date
    Dec 2005
    Beans
    28
    Distro
    Kubuntu Breezy 5.10

    Re: HOWTO: Active Directory Authentication

    Just to add, I used SADMS to successfully do all the legwork on the .conf files and it works fairly well. You have to read the documentation very carefully and follow everything to the letter, but you will end up with an Ubuntu box that can log in to the domain just like any XP machine.

    It will also configure the previously unmentioned pammount file to allow each user to automatically link to shares on the Windows server. This works best if your user files are all in one directory and are all named after the login name.

    Edited to add:
    After updating the Linux kernel image, the AD logins refused to work. Running the SADMS configuration did the trick, but it was a scary moment.

    Your SADMS settings file should read like the following:

    Code:
    # My Settings
    
    realm=MY.FQDN.IN.CAPS
    dns=your.dns.server.with.FQDN
    kdc=yourkerberosservername (must be DNS resolvable)
    domain=DOMAINNAMEINCAPS (just the root name, eg for google.com you would just enter GOOGLE)
    server=localhost NETBIOS name, default is ubuntu or linux
    hostOu=Computers (or whichever AD unit you want the system to be listed)
    administrator=administrator
    administratorPassword=yourpassword (no need to save this in plain text, you can enter it within SADMS!)
    users=domain users (or whatever you prefer the default users to be)
    hostsAllow=10.
    winsServer=IP.address.of.yourWINSserver
    Last edited by zachariah; January 19th, 2006 at 12:29 PM.

  10. #20
    Join Date
    Jan 2006
    Location
    Rotterdam
    Beans
    61
    Distro
    Ubuntu

    Re: HOWTO: Active Directory Authentication

    Thanks for this great howto, exactly what I needed!

    Arie
