Quote:
Originally Posted by derelict
Are you using home.brr or HOME.BRR. Caps is required.
Yes, all references to "home.brr" in the krb5.conf file were in capital letters, as shown by the HOWTO; I keep getting that error :confused:
I can ldapsearch the AD server and obtain user info without any problem.
There were two things not mentioned in this how-to that could possibly cause issues for some people. Derelict, can you check the below out.
1) /etc/hosts isn't edited. The default ubuntu installation would give you
Code:
127.0.0.1 localhost.localdomain localhost ubuntu
That should be modified to include the domain that you are joining. It should look more like this
Code:
127.0.0.1 FQDN localhost pc name
Example using the domain from the how-to with a pc name of "test"
Code:
127.0.0.1 test.domain.internal localhost test
Suggest a reboot after that to ensure no naming conflicts anywhere.
2) Syncing time with the domain's NTP server
The /etc/default/ntpdate file should be edited to reflect the FQDN of your NTP server (usually your domain controller)
Again using the domain from the how-to, modify as needed.
Code:
# servers to check
NTPSERVERS="domainserver.domain.internal"
# additional options for ntpdate
NTPOPTIONS="-u"
Then restart the service
Code:
sudo /etc/init.d/ntpdate restart
Kerberos won't give you a ticket if the times are too far apart between the DC and the PC
OK, it looks like it's making progress :)
I changed the hosts file to
"127.0.0.1 ubuntu.home.brr localhost ubuntu"
and I'm now getting
"kinit(v5): KDC has no support for encryption type while getting initial credentials"
Here's the [libdefaults] section of my krb5.conf, up to the [realms] section:
Code:
ticket_lifetime = 24000
default_realm = HOME.BRR
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
I'm running AD on a 2003 Server, should I change the enctypes? The time difference between hosts was already below 30 seconds; it had occurred to me before that Kerberos needed some time sync.
I solved it by resetting the Administrator password :) It looks like I now have a Kerberos ticket already, I'll post back the whole result (hopefully successful!)
Quote:
Originally Posted by derelict
Thanks steve :)
OK, I successfully added the computer to the realm, thanks for all the help so far! However, I was aiming at being able to log in with an AD user via the graphical startup prompt; do I have to edit /etc/pam.d/gdm?
Thanks in advance! :)
Following this how-to should allow you to log in with an AD account. There are three main ways to log in, based on editing the smb.conf.
As it is set now, you should be able to log in with just username and password. The line
Code:
winbind use default domain = yes
will have winbind assume all logins are from the default domain.
If you set that to no, or comment it out, you would need to prepend the username with the domain. The winbind separator determines which character goes between the domain and username.
Code:
winbind separator = +
If you copied this smb.conf, it would be:
DOMAIN+username (ensure caps in domain)
The default (read, commenting out that line with a #) is backslash, so it would be:
DOMAIN\username (caps again).
BTW you're welcome, love to help when I can.
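Two of the gotchas in this thread (the realm in krb5.conf has to be in capitals, and the winbind settings decide whether you log in as user, DOMAIN+user or DOMAIN\user) can be checked before anyone tries kinit. The Python below is an added example, not something posted in this thread and not part of SADMS; the config snippets inside it are constructed samples modelled on the ones quoted above.

```python
# Constructed sample configs, modelled on the snippets quoted in this thread.
KRB5_CONF = """[libdefaults]
ticket_lifetime = 24000
default_realm = HOME.BRR
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""
SMB_CONF = """[global]
realm = HOME.BRR
security = ads
winbind use default domain = yes
winbind separator = +
"""

def parse_ini(text):
    """Tiny section/key parser; enough for krb5.conf and the smb.conf [global] section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def login_name(smb_conf, domain, user):
    """Return the name a user must type at the login prompt for this smb.conf."""
    g = parse_ini(smb_conf).get("global", {})
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        return user                              # domain is implied
    sep = g.get("winbind separator", "\\")       # Samba's default separator is a backslash
    return f"{domain.upper()}{sep}{user}"        # winbind wants the domain in caps

def realm_problems(krb5_conf):
    """Flag the krb5.conf mistakes this thread ran into: realm case and enctypes."""
    d = parse_ini(krb5_conf).get("libdefaults", {})
    problems = []
    realm = d.get("default_realm", "")
    if not realm or realm != realm.upper():
        problems.append(f"default_realm {realm!r} must be present and upper-case")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in d.get(key, "").split() if e.startswith("des-")]
        if weak:   # single-DES is deprecated (RFC 6649) and refused by current KDCs
            problems.append(f"{key} lists obsolete enctype(s): {' '.join(weak)}")
    return problems
```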
Once again you got it :)
It's logging in perfectly, I'm now working on changing the AD password via Linux (smbpassword, correct?) and getting it to create the user directory (/home/domain/user) with 700 permissions. Thanks! :)
Just to add, I used SADMS to successfully do all the legwork on the .conf files and it works fairly well. You have to read the documentation very carefully and follow everything to the letter, but you will end up with an Ubuntu box that can log in to the domain just like any XP machine.
It will also configure the previously unmentioned pammount file to allow each user to automatically link to shares on the Windows server. This works best if your user files are all in one directory and are all named after the login name.
Edited to add:
After updating the Linux kernel image, the AD logins refused to work. Running the SADMS configuration did the trick, but it was a scary moment.
Your SADMS settings file should read like the following:
Code:
# My Settings
realm=MY.FQDN.IN.CAPS
dns=your.dns.server.with.FQDN
kdc=yourkerberosservername (must be DNS resolvable)
domain=DOMAINNAMEINCAPS (just the root name, eg for google.com you would just enter GOOGLE)
server=localhost (NETBIOS name, default is ubuntu or linux)
hostOu=Computers (or whichever AD unit you want the system to be listed)
administrator=administrator
administratorPassword=yourpassword (no need to save this in plain text, you can enter it within SADMS!)
users=domain users (or whatever you prefer the default users to be)
hostsAllow=10.
winsServer=IP.address.of.yourWINSserver
Thanks for this great howto, exactly what I needed!
Arie