I'm also having exactly the same issue as DouglasK. I've followed this doc exactly:
https://help.ubuntu.com/community/Ac...ryWinbindHowto
Anybody have any suggestions or solutions here?
Here's how I resolved the problem on my computer:
1. Add the IP of the Windows DNS server to /etc/resolv.conf (you may wish to edit the network settings normally. I tend to 'hack')
2. Use "net ads join -U {username}" ... whenever I specified the computer or domain after the username, it said it could not look up the DC.
HTH
You can solve this in guru manner rather than groups, since your result should be one write and one read group.
Make 2 new user domains name them for example
domain user: readonly
domain user: readwrite
on shared resources add them to advanced security and on readonly user deny write, delete and create directory, and readwrite give full control.
Use these users only for mounting shares from windows resources on ubuntu box, and let them log in authenticate with their own user ex: bobby, pass bobby.
And... I've run into this problem another way. The error is caused when the "net ads join" command is unable to look up a DNS/WINS entry for _ldap._tcp.dc._msdcs.YOUR.DOMAIN (try running the command with "-d 3", you'll see what I'm talking about).
The first time I apparently set up the Windows DNS server correctly so the problem was in talking to the server. The second time I didn't, and the Windows server was confused. Make sure that on the DNS server you have "Forward Lookup Zones" -> "_msdcs.YOUR.DOMAIN" -> "dc" -> "_tcp". If not, try the instructions located here:
http://support.microsoft.com/kb/817470
Hi, the How to is really good, but I am not succeeding at logging into the Active Directory. Everything is all right up to the time I do the "net ads join -U administrador". After I enter the pass the terminal gives me this:
root@sistemasubuntu:/home/leo# net ads join -U administrador
Enter administrador's password:
Failed to join domain: failed to lookup DC info for domain 'CANUDASSUC1.COM.AR' over rpc: The network name cannot be found
I've tried everything, with the domain, with the realm, everything.
But if I enter "rpc" instead of "ads" then I receive "Joined domain CANUDASSUC1." (Which is ok). But it has no positive reactions, I cannot enter the net.
The domain controller is a W2K one.
Here's my smb.conf:
[global]
workgroup = CANUDASSUC1
realm = CANUDASSUC1.COM.AR
server string = Samba file and print server
bind interfaces only = Yes
security = ADS
update encrypted = Yes
client schannel = No
server schannel = No
null passwords = Yes
obey pam restrictions = Yes
password server = cabas101.canudassuc1.com.ar
guest account = smbguest
passwd program = /usr/bin/passwd '%u'
passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd*changed*\n
passwd chat timeout = 120
password level = 6
username level = 6
unix password sync = Yes
log file = /var/log/samba/samba.log
max log size = 1000
smb ports = 135 445 139
name resolve order = wins lmhosts bcast
client signing = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
machine password timeout = 120
add user script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null '%u'
delete user script = /usr/sbin/userdel '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
delete user from group script = /usr/sbin/userdel '%u' '%g'
add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
logon script = %G.bat
logon path = \\%L\profiles\%u
logon drive = m:
logon home = \\%L\homes\%u
os level = 33
local master = No
domain master = No
dns proxy = No
wins server = 192.168.2.1
ldap ssl = no
remote announce = 192.168.2.1
remote browse sync = 192.168.2.1
idmap uid = 500-10000000
idmap gid = 500-10000000
template shell = /bin/bash
winbind separator = +
winbind cache time = 360
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = No
winbind nss info = no
guest ok = Yes
hosts allow = 127., 192.168.2.
cups options = raw
follow symlinks = No
[homes]
comment = Home Directories
path = /home
read only = No
locking = No
share modes = No
[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = No
locking = No
share modes = No
PLEASE HELP ME!!
OK, after some struggling, I found a maybe helpful thing to check if it isn't working right away:
I did
Code:
net ads testjoin
and always got a message like
Code:
[2009/08/26 13:47:10, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password SEWER$@MAIN.LOCAL failed: Client not found in Kerberos database
[2009/08/26 13:47:10, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password SEWER$@MAIN.LOCAL failed: Client not found in Kerberos database
Join to domain is not valid: Improperly formed account name
Apparently, the administrator password cannot be empty!
I created a new domadm account with a password (in this test server, a lot of services depend on the 'administrator' user and its (empty) password, so I didn't want to break stuff by just putting a password there).
When using the domadm user for joining etc, it all works.
wbinfo -n on an AD user gives me the info from the windows server.
Just for your convenience: if it gives you an error like the above, check if your administrative user does have a password set...
@ Leoembon:
check if your /etc/hosts file contains an entry to resolve the AD servers' name to its IP...
Do a ping on the name you set in /etc/krb5.conf file's admin_server entry to check if it resolves correctly.
I had a similar issue before, and that did the trick for me.
Hi
http://www.likewise.com/
Just a nice tool also
Great tutorial! After following the initial tutorial and configuring NTP, my machine is able to authenticate against AD.
I do have one issue still. Authentication works great for any user unless they are required to change their password. I've been testing using SSH, and get the following output:
Code:
WARNING: Your password has expired. You must change your password now and login again!
passwd: Authentication token manipulation error
passwd: password unchanged
Connection to _computer-name_ closed.
Any ideas? Once this is working, I'll be completely set. Thanks!
Hi. Maybe not the right place to post, but... I want to integrate a test machine with Ubuntu installed to authenticate with ADS. I found some guide here http://www.ubuntugeek.com/how-to-int...in-ubuntu.html but obviously something there was wrong and now I can't log on even with local accounts. I think
the problem is in the PAM modules
Modify the PAM settings
- /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
- /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
- Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
- Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc
Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir -p /home/DOMAIN
Any help is appreciated...Thank you!
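To see why the control flags and ordering in common-auth decide whether local accounts keep working, here is an added illustration (not from the thread or the linked guide): a small simulation of Linux-PAM control-flag semantics, run over the common-auth stack quoted above and over a constructed variant in which pam_winbind is marked required instead of sufficient. The per-module results are constructed inputs, not real calls into pam_winbind or pam_unix.

```python
from typing import Dict, List, Tuple

# A stack entry is (control flag, module); module options such as
# use_first_pass are omitted because they do not affect flag evaluation.
Stack = List[Tuple[str, str]]

# /etc/pam.d/common-auth exactly as the guide quoted in the post lists it.
GUIDE_COMMON_AUTH: Stack = [("sufficient", "pam_winbind.so"),
                            ("required", "pam_unix.so")]

# Constructed misconfiguration: pam_winbind marked required, so every
# login now depends on winbind succeeding.
MISCONFIGURED_AUTH: Stack = [("required", "pam_winbind.so"),
                             ("required", "pam_unix.so")]


def evaluate(stack: Stack, results: Dict[str, bool]) -> bool:
    """True if the stack grants access; results maps module -> PAM_SUCCESS?"""
    required_failed = False  # remembered, but evaluation continues
    any_success = False
    for flag, module in stack:
        ok = results[module]
        if flag == "requisite":
            if not ok:
                return False  # stop at once
            any_success = True
        elif flag == "required":
            if ok:
                any_success = True
            else:
                required_failed = True  # keep going; which module failed stays hidden
        elif flag == "sufficient":
            if ok and not required_failed:
                return True  # short-circuit; later modules are skipped
        elif flag == "optional":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return any_success and not required_failed


def local_login(stack: Stack) -> bool:
    # Local account: winbind does not know the user, pam_unix accepts it.
    return evaluate(stack, {"pam_winbind.so": False, "pam_unix.so": True})


def domain_login(stack: Stack) -> bool:
    # AD account: winbind accepts it; there is no local passwd entry.
    return evaluate(stack, {"pam_winbind.so": True, "pam_unix.so": False})
```

With the guide's stack both local and domain logins succeed; with pam_winbind marked required, a local account fails because winbind's failure is no longer ignored, which matches the symptom of losing local logins after a PAM edit.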