Page 20 of 21 FirstFirst ... 1018192021 LastLast
Results 191 to 200 of 209

Thread: HOWTO: Active Directory Authentication

  1. #191
    Join Date
    Jul 2007
    Location
    South San Francisco, CA
    Beans
    400
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: HOWTO: Active Directory Authentication

    I just got an Ubuntu 9.10 box to authenticate to AD.

    Here's what I did. (Before changing any of the files mentioned below, make sure to create a backup copy to save yourself future headache.)

    • Code:
      sudo aptitude install likewise-open-gui

    • Modify /etc/hosts, added entry for the domain controller, use FQDN (fully qualified domain name) ie, server.domain.local

    • Verify that the hostname of Ubuntu box doesn't contain special characters, check /etc/hostname, if it did make sure the /etc/hosts file is corrected

    • Modify connection manager to dhcp(address only) and added Domain Controller in DNS Server field

    • Modify /etc/sudoers file to add AD domain admins to sudoers.
      Add to the bottom of the file
      %your_fqdn_here\\Domain^Admins ALL=(ALL) ALL

    • Modify /etc/samba/lwiauthd.conf, add to the bottom
      winbind use default domain = yes
      to have AD member use only their username and not "your_fqdn\username"

    • Modify /etc/nsswitch.conf, change the line the refers to hosts to
      hosts: files dns

    • Using likewise-open, add the computer to the domain. Be sure to use the full domain name, ie, domain.local.

    • Reboot and your AD members should be able to authenticate to the the DC, using the Ubuntu box. In addition, your AD admins should be able to administer the Ubuntu box.



    A thank you goes out to Likewise-open and these folks for their help.
    http://anothersysadmin.wordpress.com...in-ubuntu-804/
    Laptop: CPU: Intel i5 430m RAM: 4gb DDR3 GPU: Ethernet: Broadcom BCM57780 WiFi: Atheros AR928X
    Desktop:

  2. #192
    Join Date
    Nov 2009
    Beans
    3

    Re: HOWTO: Active Directory Authentication

    Hi,

    I've configured (kerberos, samba, pam) on my profesional ubuntu box (Karmic Koala 64bits) to be able to join my enterprise active directory.

    It works fine (ie when I start nautilus and I click on a windows shares, no password is required) when I :

    1. start my session
    2. open a terminal, type kinit and give my domain password

    Without this second action, a password is asked for any share acceded. I think that it's not the normal process.

    When I look the file /var/log/samba.log.winbindd, I can see :
    Kinit failed: Client not found in Kerberos database
    I have also the following message :
    Could not receive trustdoms
    How may I correct my configuration to access windows shares without any domain password during my session ?

    Thanks,
    Michel

  3. #193
    Join Date
    Apr 2005
    Location
    Melbourne, Australia
    Beans
    13
    Distro
    Ubuntu Intrepid Ibex (testing)

    Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by cg88 View Post
    Great tutorial! After following the initial tutorial and configuring NTP, my machine is able to authenticate against AD.

    I do have one issue still. Authentication works great for any user unless they are required to change their password. I've been testing using SSH, and get the following output:

    Code:
    WARNING: Your password has expired.
    You must change your password now and login again!
    passwd: Authentication token manipulation error
    passwd: password unchanged
    Connection to _computer-name_ closed.
    Any ideas? Once this is working, I'll be completely set. Thanks!
    Just bumped into this problem myself. The answer lies in /etc/pam.d/common-password - add the line:

    Code:
    password	[success=2 default=ignore]	pam_winbind.so
    to the top of the default common-password file.

    Note the warning here about changing domain passwords using this technique.

  4. #194
    Join Date
    Jun 2008
    Location
    Centurion, South Africa
    Beans
    80
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: HOWTO: Active Directory Authentication

    Thanks Saghaulor, already had the likewise-open-gui installed.

    Also, the line
    Modify /etc/samba/lwiauthd.conf, add to the bottom
    did not count for me, as I did not have that file on my system, so I ignored it.

    Now I can authenticate on the AD domain, and access the relevant shares.

    B

  5. #195
    Join Date
    Feb 2010
    Beans
    2

    Re: HOWTO: Active Directory Authentication

    Please help me something which can get integrated my ADS with FTP

  6. #196
    Join Date
    Feb 2010
    Beans
    2

    Question Re: HOWTO: Active Directory Authentication

    Quote Originally Posted by jeevanpk View Post
    Please help me something which can get integrated my ADS with FTP

  7. #197
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Dear Experts!

    First, excuse me for my English.
    There is local Linux machine wich I have cofigured kerberos and ldap - kinit and ldapsearch are working.
    Ldapsearch works like this:
    ldapsearch -v -x -D CN=user,CN=Users,DC=domain -W -LLL "(cn=user)"
    ldap_initialize( <DEFAULT> )
    Enter LDAP Password:
    filter: (cn=user)
    requesting: All userApplication attributes
    dn: CN=user,CN=Users,DC=domain
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: user
    distinguishedName: CN=user,CN=Users,DC=domain
    instanceType: 4
    whenCreated: 20071003134645.0Z
    whenChanged: 20100212095526.0Z
    displayName:: 0J/QtdGA0LXQutGA0LXRgdGC0L7QsiDQkNC90LTRgNC10Lkg0J/QtdGC0YDQ vtCy
    0LjRhw==
    uSNCreated: 389673
    memberOf: CN=group,CN=Users,DC=domain
    uSNChanged: 44764302
    name: user
    objectGUID:: TTTD/aBhEE6PxsIlWWxZoA==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    homeDirectory: \\server\users\personal\user
    homeDrive: Z:
    badPasswordTime: 129104512781569552
    lastLogoff: 0
    lastLogon: 129110472236388768
    pwdLastSet: 128880768398237296
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAVnD5YpbP+W9E8DV3OXwAAA==
    accountExpires: 0
    logonCount: 733
    sAMAccountName: user
    sAMAccountType: 805306368
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain
    lastLogonTimestamp: 129104421266577456
    "
    And with "(cn=*)" I can view all AD users on Windows server (like any other AD user).

    But "$ ssh user@localhost" gives:
    "
    sshd[7005]: nss_ldap: could not search LDAP server - Server is unavailable
    sshd[7005]: Invalid user user from 127.0.0.1
    sshd[7010]: pam_krb5[7010]: default/local realm 'DOMAIN'
    sshd[7010]: pam_krb5[7010]: configured realm 'DOMAIN'
    sshd[7010]: pam_krb5[7010]: flag: debug
    sshd[7010]: pam_krb5[7010]: flags: forwardable not proxiable
    sshd[7010]: pam_krb5[7010]: flag: no ignore_afs
    sshd[7010]: pam_krb5[7010]: flag: no null_afs
    sshd[7010]: pam_krb5[7010]: flag: user_check
    sshd[7010]: pam_krb5[7010]: flag: no krb4_convert
    sshd[7010]: pam_krb5[7010]: flag: krb4_convert_524
    sshd[7010]: pam_krb5[7010]: flag: krb4_use_as_req
    sshd[7010]: pam_krb5[7010]: will try previously set password first
    sshd[7010]: pam_krb5[7010]: will let libkrb5 ask questions
    sshd[7010]: pam_krb5[7010]: flag: use_shmem
    sshd[7010]: pam_krb5[7010]: flag: external
    sshd[7010]: pam_krb5[7010]: flag: warn
    sshd[7010]: pam_krb5[7010]: ticket lifetime: 43200s (0d,12h,0m,0s)
    sshd[7010]: pam_krb5[7010]: renewable lifetime: 86400s (1d,0h,0m,0s)
    sshd[7010]: pam_krb5[7010]: minimum uid: 1
    sshd[7010]: pam_krb5[7010]: banner: Kerberos 5
    sshd[7010]: pam_krb5[7010]: ccache dir: /tmp
    sshd[7010]: pam_krb5[7010]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
    sshd[7010]: pam_krb5[7010]: keytab: FILE:/etc/krb5.keytab
    sshd[7010]: pam_krb5[7010]: token strategy: v4,524,2b,rxk5
    sshd[7010]: pam_krb5[7010]: pam_authenticate called for 'user', realm 'DOMAIN'
    sshd[7010]: nss_ldap: could not search LDAP server - Server is unavailable
    sshd[7010]: pam_krb5[7010]: error resolving user name 'user' to uid/gid pair
    sshd[7010]: pam_krb5[7010]: error getting information about 'user'
    sshd[7010]: nss_ldap: could not search LDAP server - Server is unavailable
    "
    And after password input:
    "
    sshd[7142]: error: PAM: Authentication failure for illegal user user from localhost
    sshd[7142]: Failed keyboard-interactive/pam for invalid user user from 127.0.0.1 port 45307 ssh2
    sshd[7148]: pam_krb5[7148]: default/local realm 'DOMAIN'
    sshd[7148]: pam_krb5[7148]: configured realm 'DOMAIN'
    sshd[7148]: pam_krb5[7148]: flag: debug
    sshd[7148]: pam_krb5[7148]: flags: forwardable not proxiable
    sshd[7148]: pam_krb5[7148]: flag: no ignore_afs
    sshd[7148]: pam_krb5[7148]: flag: no null_afs
    sshd[7148]: pam_krb5[7148]: flag: user_check
    sshd[7148]: pam_krb5[7148]: flag: no krb4_convert
    sshd[7148]: pam_krb5[7148]: flag: krb4_convert_524
    sshd[7148]: pam_krb5[7148]: flag: krb4_use_as_req
    sshd[7148]: pam_krb5[7148]: will try previously set password first
    sshd[7148]: pam_krb5[7148]: will let libkrb5 ask questions
    sshd[7148]: pam_krb5[7148]: flag: use_shmem
    sshd[7148]: pam_krb5[7148]: flag: external
    sshd[7148]: pam_krb5[7148]: flag: warn
    sshd[7148]: pam_krb5[7148]: ticket lifetime: 43200s (0d,12h,0m,0s)
    sshd[7148]: pam_krb5[7148]: renewable lifetime: 86400s (1d,0h,0m,0s)
    sshd[7148]: pam_krb5[7148]: minimum uid: 1
    sshd[7148]: pam_krb5[7148]: banner: Kerberos 5
    sshd[7148]: pam_krb5[7148]: ccache dir: /tmp
    sshd[7148]: pam_krb5[7148]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
    sshd[7148]: pam_krb5[7148]: keytab: FILE:/etc/krb5.keytab
    sshd[7148]: pam_krb5[7148]: token strategy: v4,524,2b,rxk5
    sshd[7148]: pam_krb5[7148]: pam_authenticate called for 'user', realm 'DOMAIN'
    sshd[7148]: nss_ldap: could not search LDAP server - Server is unavailable
    sshd[7148]: pam_krb5[7148]: error resolving user name 'user' to uid/gid pair
    sshd[7148]: pam_krb5[7148]: error getting information about 'user'
    sshd[7148]: nss_ldap: could not search LDAP server - Server is unavailable
    "
    How is it possible to configure local Linux machine with authorization on Windows AD server having only such account on a server?

    Thanks in advance.
    Last edited by CAEman; April 9th, 2010 at 08:20 AM.

  8. #198
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    May be somebody knows how it possible to do by script?

  9. #199
    Join Date
    Jun 2007
    Location
    Seattle, Washington USA
    Beans
    1
    Distro
    Ubuntu

    Re: HOWTO: Active Directory Authentication

    The following steps were tested on Ubuntu 9.10.

    The easiest way to do this is to install Likewise-Open and Likewise-Open-GUI from the repository:

    sudo apt-get install likewise-open likewise-open-gui

    After installation is complete, go to System>>Administration>>Active Directory membership to join the Ubuntu computer to the AD domain. You'll have to restart, then you can log on using your AD user account and credentials. The user account is in the form domain\username, for example, soundtraining\doncrawley.

    Here's a link to a YouTube video demonstrating how to do it, except that he downloads the packages from their site. You can just use apt-get or aptitude to install it directly from the Ubuntu repository.

  10. #200
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Thanks.
    But how is it possible "to join the Ubuntu computer to the AD domain" having only such account on a server?

Page 20 of 21 FirstFirst ... 1018192021 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •