
Thread: HOWTO: Active Directory Authentication

  1. #201
    Join Date
    Mar 2010
    Beans
    10

    Re: HOWTO: Active Directory Authentication

    Just installed a fresh 9.10 server, did the following:

    $ sudo apt-get -y install likewise-open5
    ...
    $ sudo vi /etc/nsswitch.conf
    [ put dns ahead of m4 ]
    $ sudo domainjoin-cli join CRS.local $USER $PASS
    [ joined ]
    $ sudo reboot
    [ reboot, relogin ]
    $ ls /etc/samba
    ls: cannot access /etc/samba: No such file or directory

    I can log in as username@CRS, but I want to make CRS the default domain.

    So I tried enabling "assume-default-domain" in /etc/likewise-open/lsassd.conf ... restarted likewise-open5. Didn't work.

    I tried

    $ sudo apt-get -y install samba

    Rebooted, still no /etc/samba/lwiauthd.conf,
    still no default domain.

  2. #202
    Join Date
    Feb 2010
    Beans
    4

    Re: HOWTO: Active Directory Authentication

    Try to add in /etc/ldap.conf:
    host [ldap server IP address]
    base dc=[domain]

    And appropriate configuration of pam.

  3. #203
    Join Date
    Sep 2007
    Beans
    113

    Re: HOWTO: Active Directory Authentication

    Please, I need help.

    I've successfully joined Ubuntu 10.04 to a 2008 Active Directory.
    Now I need that every time a user logs in, it will map his shared folder from the server.

    I've 2 groups: basic and medium.

    If I log in with a user that has the basic group, it will mount his shared folder from the server.

    My server has this folder structure:

    2008server
    |
    |----- basic
    |      |
    |      |- basic_user (shared)
    |
    |----- medium
           |
           |- medium_user (shared)

    I've tried smb://2008server/'%g'/'%u'

    but nothing.

    Hope someone can help me on this.

    Thanks

  4. #204
    Join Date
    Aug 2010
    Beans
    9
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Active Directory Authentication

    What do you guys have on

    Code:
    root@proxy:~# net ads join -U domain admin
    Enter domain admin's password:
    Using short domain name -- domain
    Joined 'mycomputer' to realm 'mydomain.local'
    DNS update failed!

    When I check the AD to see if the "mycomputer" account was created, it wasn't.
    Last edited by kinitsu; October 6th, 2010 at 04:19 PM. Reason: typo

  5. #205
    Join Date
    Jan 2007
    Beans
    19

    Re: HOWTO: Active Directory Authentication

    Likewise Open is the easiest complete solution for Linux workstations to authenticate to an Active Directory domain. I wish I had found it sooner.
    The likewise-open package in the Ubuntu repo works fine, but I found the install script from:
    http://www.likewise.com/products/likewise_open/
    has some new features.

    It's really as simple as typing the AD domain, then logging in with an account that has permission to manage the domain. Then test it by logging in with an AD account on your local machine:
    Code:
    ssh example\\steve@localhost
    For Ubuntu help on Likewise Open see
    https://help.ubuntu.com/8.04/serverg...wise-open.html
    or
    https://help.ubuntu.com/community/LikewiseOpen

  6. #206
    Join Date
    Jun 2012
    Beans
    1

    Re: HOWTO: Active Directory Authentication

    I followed the instructions down to step 6, then I realized DNS was misconfigured so it wasn't working. Unfortunately, I got called away and due to the idle time my ssh session was lost. So now I can't log in. Is this installation totally hosed now?

  7. #207
    Join Date
    Oct 2012
    Beans
    5

    Re: HOWTO: Active Directory Authentication

    This is a great tutorial but I have questions.

    In my company we have 3 servers for our domain, for example:

    Our domain name: INT.COMPANY.COM

    3 servers that serve the above domain name:

    dc-1.int.company.com (this is the main server)
    dc-2.int.company.com
    dc-3.int.company.com

    Is this a good configuration of the krb5.conf file for my situation:

    Code:
    [logging]
    default = FILE10000:/var/log/krb5lib.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = INT.COMPANY.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
    INT.COMPANY.COM =
    {
       kdc = dc-1.int.company.com
       kdc = dc-2.int.company.com
       kdc = dc-3.int.company.com
       admin_server = dc-1.int.company.com
       master_kdc = dc-1.int.company.com
       default_domain = INT.COMPANY.COM
    }

    [domain_realm]
    .domain.local = INT.COMPANY.COM
    domain.local = INT.COMPANY.COM
    The part that is confusing me is:
    Is it good that I defined my main domain server as master_kdc?
    Do I need to define admin_server for the secondary domain servers (dc-2 and dc-3) so it looks like this?
    Code:
    admin_server = dc1.int.company.com
    admin_server = dc2.int.company.com
    admin_server = dc3.int.company.com
    Will this configuration automatically switch me to a secondary KDC if kdc1 crashes?

    And this is my smb.conf file as I think it should be configured:

    Code:
    [global]
    workgroup = INT
    realm = INT.COMPANY.COM
    #netbios name = computer_name
    server string = %h server (Samba %v, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    domain master = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    usershare allow guests = yes
    Do I need to add these lines in the smb.conf file because we have multiple servers for the same domain and one is the master server?

    password server = dc1.int.company.com
    domain master = dc1.int.company.com?

    I hope you understand me.
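An added example, not code from the thread, MIT Kerberos or Samba: it parses a krb5.conf of the shape posted above and reports the points the questions turn on (whether more than one kdc is listed for failover, whether [domain_realm] maps the realm's own DNS domain, and whether single-DES enctypes are enabled). SAMPLE_KRB5_CONF is a constructed copy of the posted file; the parser assumes the opening brace sits on the same line as the realm name.

```python
import re

# Constructed sample modelled on the krb5.conf posted above (brace on the realm-name line)
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
    INT.COMPANY.COM = {
        kdc = dc-1.int.company.com
        kdc = dc-2.int.company.com
        kdc = dc-3.int.company.com
        admin_server = dc-1.int.company.com
        master_kdc = dc-1.int.company.com
    }
[domain_realm]
    .domain.local = INT.COMPANY.COM
    domain.local = INT.COMPANY.COM
"""


def parse_krb5_conf(text):
    """Parse [section] headers, repeatable 'key = value' lines and 'NAME = { ... }'
    blocks; every key maps to a list so repeated 'kdc =' lines all survive."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(value)
    return conf


def lint_realm(conf, realm_name):
    """Return findings about KDC failover, host-to-realm mapping and weak enctypes."""
    realm = conf.get("realms", {}).get(realm_name)
    if realm is None:
        return ["realm %s has no [realms] block" % realm_name]
    findings = []
    if len(realm.get("kdc", [])) < 2:
        findings.append("only one kdc listed: no failover if it is unreachable")
    dns_domain = realm_name.lower()
    mapped = {k.lstrip(".").lower() for k, v in conf.get("domain_realm", {}).items() if realm_name in v}
    if dns_domain not in mapped:
        findings.append("[domain_realm] never maps %s to %s; hosts there use the library's fallback mapping" % (dns_domain, realm_name))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        values = conf.get("libdefaults", {}).get(key, [])
        weak = [e for v in values for e in v.split() if e.startswith("des-")]
        if weak:
            findings.append("%s enables single-DES type(s) %s" % (key, " ".join(weak)))
    return findings
```

Run against the sample it reports the [domain_realm] mismatch (the file maps domain.local, not int.company.com) and the des-cbc-crc enctype on both lines; the three kdc entries pass the failover check.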

  8. #208
    Join Date
    Jun 2013
    Beans
    1

    Re: HOWTO: Active Directory Authentication

    For the memory on the internet:

    net ads join -U Administrator@...

    was also extremely slow on my Linux box. Using:

    net ads join -U Administrator@... -d 10

    I was able to conclude that deleting an entry in the kerberos memory (krb5.keytab) did not progress obviously. I deleted the krb5.keytab, did another kinit, problem solved.

    Please note that other essential information may be present in your krb5.keytab, so be careful.

  9. #209
    Join Date
    Oct 2005
    Location
    Malaysia
    Beans
    163
    Distro
    Ubuntu

    Re: HOWTO: Active Directory Authentication

    For an AD with hostname ad00.comp.local,

    where would I need to reconfigure?

    Code:
    user1@ubuntu:~$ cat /etc/samba/smb.conf
    # Global parameters
    [global]
    workgroup = COMP.LOCAL
    realm = COMP.LOCAL
    preferred master = no
    server string = Samba file and print server
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    winbind separator = +
    printcap name = cups
    printing = cups
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    
    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
    
    [printers]
    comment = All Printers
    browseable = no
    printable = yes
    guest ok = yes
    Code:
    user1@ubuntu:~$ sudo net ads join -U Administrator@COMP.LOCAL -d 10
    INFO: Current debug levels:
      all: 10
      tdb: 10
      printdrivers: 10
      lanman: 10
      smb: 10
      rpc_parse: 10
      rpc_srv: 10
      rpc_cli: 10
      passdb: 10
      sam: 10
      auth: 10
      winbind: 10
      vfs: 10
      idmap: 10
      quota: 10
      acls: 10
      locking: 10
      msdfs: 10
      dmapi: 10
      registry: 10
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    INFO: Current debug levels:
      all: 10
      tdb: 10
      printdrivers: 10
      lanman: 10
      smb: 10
      rpc_parse: 10
      rpc_srv: 10
      rpc_cli: 10
      passdb: 10
      sam: 10
      auth: 10
      winbind: 10
      vfs: 10
      idmap: 10
      quota: 10
      acls: 10
      locking: 10
      msdfs: 10
      dmapi: 10
      registry: 10
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    doing parameter workgroup = COMP.LOCAL
    doing parameter realm = COMP.LOCAL
    doing parameter preferred master = no
    doing parameter server string = Samba file and print server
    doing parameter security = ADS
    doing parameter encrypt passwords = yes
    doing parameter log level = 3
    doing parameter log file = /var/log/samba/%m
    doing parameter max log size = 50
    doing parameter winbind separator = +
    doing parameter printcap name = cups
    doing parameter printing = cups
    doing parameter idmap uid = 10000-20000
    WARNING: The "idmap uid" option is deprecated
    doing parameter idmap gid = 10000-20000
    WARNING: The "idmap gid" option is deprecated
    pm_process() returned Yes
    lp_servicenumber: couldn't find homes
    set_server_role: role = ROLE_DOMAIN_MEMBER
    Substituting charset 'ANSI_X3.4-1968' for LOCALE
    Netbios name list:-
    my_netbios_names[0]="UBUNTU"
    added interface eth0 ip=fe80::250:56ff:feb1:34f4%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
    added interface eth0 ip=10.0.0.210 bcast=10.0.0.255 netmask=255.255.255.0
    Registered MSG_REQ_POOL_USAGE
    Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
    Enter Administrator@COMP.LOCAL's password:
    libnet_Join:
        libnet_JoinCtx: struct libnet_JoinCtx
            in: struct libnet_JoinCtx
                dc_name                  : NULL
                machine_name             : 'UBUNTU'
                domain_name              : *
                    domain_name              : 'COMP.LOCAL'
                account_ou               : NULL
                admin_account            : 'Administrator@COMP.LOCAL'
                machine_password         : NULL
                join_flags               : 0x00000023 (35)
                       0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                       0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                       0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                       0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                       0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                       0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                       1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                       0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                       0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                       1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                       1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
                os_version               : NULL
                os_name                  : NULL
                create_upn               : 0x00 (0)
                upn                      : NULL
                modify_config            : 0x00 (0)
                ads                      : NULL
                debug                    : 0x01 (1)
                use_kerberos             : 0x00 (0)
                secure_channel_type      : SEC_CHAN_WKSTA (2)
    dsgetdcname: domain_name: COMP.LOCAL, domain_guid: (null), site_name: (null), flags: 0x40001011
    debug_dsdcinfo_flags: 0x40001011
    	DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME 
    Opening cache file at /var/run/samba/gencache.tdb
    Opening cache file at /var/run/samba/gencache_notrans.tdb
    sitename_fetch: Returning sitename for COMP.LOCAL: "Default-First-Site-Name"
    dsgetdcname_rediscover
    ads_dns_lookup_srv: 1 records returned in the answer section.
    ads_dns_parse_rr_srv: Parsed AD00.COMP.LOCAL [0, 100, 389]
    LDAP ping to AD00.COMP.LOCAL
    interpret_string_addr_internal: getaddrinfo failed for name AD00.COMP.LOCAL [Name or service not known]
    Failed to resolve[AD00.COMP.LOCAL] into an address for cldap
    internal_resolve_name: looking up COMP.LOCAL#1c (sitename (null))
    no entry for COMP.LOCAL#1C found.
    resolve_lmhosts: Attempting lmhosts lookup for name COMP.LOCAL<0x1c>
    resolve_lmhosts: Attempting lmhosts lookup for name COMP.LOCAL<0x1c>
    startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
    resolve_wins: Attempting wins lookup for name COMP.LOCAL<0x1c>
    resolve_wins: WINS server resolution selected and no WINS servers listed.
    name_resolve_bcast: Attempting broadcast lookup for name COMP.LOCAL<0x1c>
    bind succeeded on port 0
    Socket options:
    	SO_KEEPALIVE = 0
    	SO_REUSEADDR = 1
    	SO_BROADCAST = 1
    	Could not test socket option TCP_NODELAY.
    	Could not test socket option TCP_KEEPCNT.
    	Could not test socket option TCP_KEEPIDLE.
    	Could not test socket option TCP_KEEPINTVL.
    	IPTOS_LOWDELAY = 0
    	IPTOS_THROUGHPUT = 0
    	SO_SNDBUF = 229376
    	SO_RCVBUF = 229376
    	SO_SNDLOWAT = 1
    	SO_RCVLOWAT = 1
    	SO_SNDTIMEO = 0
    	SO_RCVTIMEO = 0
    	Could not test socket option TCP_QUICKACK.
    Running timed event "tevent_req_timedout" 0x7f7c2b915a50
    discover_dc_netbios: failed to find DC
    libnet_Join:
        libnet_JoinCtx: struct libnet_JoinCtx
            out: struct libnet_JoinCtx
                account_name             : NULL
                netbios_domain_name      : NULL
                dns_domain_name          : NULL
                forest_name              : NULL
                dn                       : NULL
                domain_sid               : NULL
                    domain_sid               : (NULL SID)
                modified_config          : 0x00 (0)
                error_string             : 'failed to find DC for domain COMP.LOCAL'
                domain_is_ad             : 0x00 (0)
                result                   : WERR_DCNOTFOUND
    libnet_Join:
        libnet_JoinCtx: struct libnet_JoinCtx
            in: struct libnet_JoinCtx
                dc_name                  : NULL
                machine_name             : 'UBUNTU'
                domain_name              : *
                    domain_name              : 'COMP.LOCAL'
                account_ou               : NULL
                admin_account            : 'Administrator@COMP.LOCAL'
                machine_password         : NULL
                join_flags               : 0x00000023 (35)
                       0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                       0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                       0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                       0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                       0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                       0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                       1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                       0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                       0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                       1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                       1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
                os_version               : NULL
                os_name                  : NULL
                create_upn               : 0x00 (0)
                upn                      : NULL
                modify_config            : 0x00 (0)
                ads                      : NULL
                debug                    : 0x01 (1)
                use_kerberos             : 0x00 (0)
                secure_channel_type      : SEC_CHAN_WKSTA (2)
    dsgetdcname: domain_name: COMP.LOCAL, domain_guid: (null), site_name: (null), flags: 0x40001011
    debug_dsdcinfo_flags: 0x40001011
    	DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME 
    sitename_fetch: Returning sitename for COMP.LOCAL: "Default-First-Site-Name"
    dsgetdcname_rediscover
    ads_dns_lookup_srv: 1 records returned in the answer section.
    ads_dns_parse_rr_srv: Parsed AD00.COMP.LOCAL [0, 100, 389]
    LDAP ping to AD00.COMP.LOCAL
    interpret_string_addr_internal: getaddrinfo failed for name AD00.COMP.LOCAL [Name or service not known]
    Failed to resolve[AD00.COMP.LOCAL] into an address for cldap
    internal_resolve_name: looking up COMP.LOCAL#1c (sitename (null))
    no entry for COMP.LOCAL#1C found.
    resolve_lmhosts: Attempting lmhosts lookup for name COMP.LOCAL<0x1c>
    resolve_lmhosts: Attempting lmhosts lookup for name COMP.LOCAL<0x1c>
    startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
    resolve_wins: Attempting wins lookup for name COMP.LOCAL<0x1c>
    resolve_wins: WINS server resolution selected and no WINS servers listed.
    name_resolve_bcast: Attempting broadcast lookup for name COMP.LOCAL<0x1c>
    bind succeeded on port 0
    Socket options:
    	SO_KEEPALIVE = 0
    	SO_REUSEADDR = 1
    	SO_BROADCAST = 1
    	Could not test socket option TCP_NODELAY.
    	Could not test socket option TCP_KEEPCNT.
    	Could not test socket option TCP_KEEPIDLE.
    	Could not test socket option TCP_KEEPINTVL.
    	IPTOS_LOWDELAY = 0
    	IPTOS_THROUGHPUT = 0
    	SO_SNDBUF = 229376
    	SO_RCVBUF = 229376
    	SO_SNDLOWAT = 1
    	SO_RCVLOWAT = 1
    	SO_SNDTIMEO = 0
    	SO_RCVTIMEO = 0
    	Could not test socket option TCP_QUICKACK.
    Running timed event "tevent_req_timedout" 0x7f7c2b916330
    discover_dc_netbios: failed to find DC
    libnet_Join:
        libnet_JoinCtx: struct libnet_JoinCtx
            out: struct libnet_JoinCtx
                account_name             : NULL
                netbios_domain_name      : NULL
                dns_domain_name          : NULL
                forest_name              : NULL
                dn                       : NULL
                domain_sid               : NULL
                    domain_sid               : (NULL SID)
                modified_config          : 0x00 (0)
                error_string             : 'failed to find DC for domain COMP.LOCAL'
                domain_is_ad             : 0x00 (0)
                result                   : WERR_DCNOTFOUND
    lang_tdb_init: /usr/share/samba/en_US:en.msg: No such file or directory
    Failed to join domain: failed to find DC for domain COMP.LOCAL
    return code = -1
    Weirdly, I can ping via hostname only but not FQDN:

    Code:
    user1@ubuntu:~$ ping AD00
    PING AD00.COMP.LOCAL (10.0.0.229) 56(84) bytes of data.
    64 bytes from 10.0.0.229: icmp_req=1 ttl=128 time=0.281 ms
    64 bytes from 10.0.0.229: icmp_req=2 ttl=128 time=0.343 ms
    ^C64 bytes from 10.0.0.229: icmp_req=3 ttl=128 time=0.340 ms
    
    --- AD00.COMP.LOCAL ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 10009ms
    rtt min/avg/max/mdev = 0.281/0.321/0.343/0.032 ms
    user1@ubuntu:~$ ping AD00.COMP.LOCAL
    ping: unknown host AD00.COMP.LOCAL
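An added example, not code from the thread or from Samba: it reduces the `net ads join -d 10` output quoted above to the facts that decide the diagnosis (the DC names the SRV lookup returned, which of them failed to resolve, the libnet result code and any deprecated smb.conf options) and names the most likely cause. SAMPLE_JOIN_LOG is a constructed excerpt of the posted log; the line formats it matches are the ones visible in that log.

```python
import re

# Constructed excerpt of the 'net ads join -d 10' output quoted in the post above
SAMPLE_JOIN_LOG = """\
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
dsgetdcname: domain_name: COMP.LOCAL, domain_guid: (null), site_name: (null), flags: 0x40001011
ads_dns_lookup_srv: 1 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed AD00.COMP.LOCAL [0, 100, 389]
interpret_string_addr_internal: getaddrinfo failed for name AD00.COMP.LOCAL [Name or service not known]
resolve_wins: WINS server resolution selected and no WINS servers listed.
discover_dc_netbios: failed to find DC
            result                   : WERR_DCNOTFOUND
Failed to join domain: failed to find DC for domain COMP.LOCAL
"""

# One regex per line shape we care about, as the lines appear in the posted log
RE_DOMAIN = re.compile(r"dsgetdcname: domain_name: ([^,]+),")
RE_SRV = re.compile(r"ads_dns_parse_rr_srv: Parsed (\S+) \[(\d+), (\d+), (\d+)\]")
RE_UNRESOLVED = re.compile(r"getaddrinfo failed for name (\S+) \[")
RE_DEPRECATED = re.compile(r'WARNING: The "([^"]+)" option is deprecated')
RE_RESULT = re.compile(r"\bresult\s*:\s*(WERR_\w+)")


def triage_join_log(text):
    """Extract the DC names from the SRV answer, resolution failures, deprecated options and result code."""
    report = {"domain": None, "srv_dcs": [], "unresolved": [], "deprecated": [], "result": None}
    for line in text.splitlines():
        m = RE_DOMAIN.search(line)
        if m:
            report["domain"] = m.group(1)
        m = RE_SRV.search(line)
        if m:  # Samba prints the SRV data as [priority, weight, port]
            report["srv_dcs"].append((m.group(1), int(m.group(4))))
        m = RE_UNRESOLVED.search(line)
        if m and m.group(1) not in report["unresolved"]:
            report["unresolved"].append(m.group(1))
        m = RE_DEPRECATED.search(line)
        if m:
            report["deprecated"].append(m.group(1))
        m = RE_RESULT.search(line)
        if m:
            report["result"] = m.group(1)  # the last attempt's code wins
    report["diagnosis"] = diagnose(report)
    return report


def diagnose(report):
    """Map the extracted facts to the most likely cause, checking DNS first."""
    srv_hosts = {host for host, _ in report["srv_dcs"]}
    if not srv_hosts:
        return "DNS: no _ldap._tcp SRV record found; the resolver is not using the AD DNS server"
    if srv_hosts <= set(report["unresolved"]):
        return ("DNS: SRV lookup returned %s but the name did not resolve; check the nameserver "
                "and search domain in /etc/resolv.conf" % ", ".join(sorted(srv_hosts)))
    if report["result"] and report["result"] != "WERR_OK":
        return "DC name resolved; join failed with %s" % report["result"]
    return "no failure found in the log"
```

For the posted log the verdict is the DNS case: the SRV answer names AD00.COMP.LOCAL, getaddrinfo cannot resolve that name, and the join gives up with WERR_DCNOTFOUND, which matches the ping test where only the short name resolves.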
