Xsession: LOGIN FOR ROOM9\ROOM9 IS DISABLED
:Pengy: I use Suse9.1. When I join the Room9 domain, it succeeds (= Samba Client). After I log out of "root" and log in with "Room9\Room9", I get "Xsession: Login for Room9\Room9 is disable".
Can anyone help me?
same problem Suse 9.2 on W3K Domain
Hello, I hope someone replies as I have the same problem with using a user account setup on Small Business Server 2003. Samba, Kerberos network services on Suse 9.2 workstation.
Thank you, Roger
The same problem
Did you solve the problem? Please share your experience with this question.
Thanks in advance.
Assign a Unique Computer Name

Unlike other Linux versions, SuSE does not specifically offer an option to assign a unique computer name. Here are the steps to follow during or after installation to assign a computer name (a requirement for winbind to work properly):

1. Launch YaST2.
2. In the Network Devices area, launch Network Card. Your NIC should be listed in the Already Configured Devices section.
3. Click Change. This shows a list of the configured network adapters.
4. Highlight the adapter and click Change. This opens a Network Address Setup window.
5. Click Host Name and Name Server. If prompted to change the content of the resolv.conf file, click Modify to make the changes.
6. In the Host Name and Name Server window, enter the new host name. For example, I called my machine suse1.
7. Under Domain Name, enter the DNS domain name for the Active Directory domain. For example, I entered company.com.
8. Uncheck the Change Host Name Via DHCP option.
9. Leave the rest of the window settings at their default. They display the content of the DHCP configuration packet.
10. Click OK then Next then Finish to save and apply the changes.
11. Open a console window and verify that the new machine name appears in the bash prompt. For example, here's the prompt for a local administrator account called admin when in the user's home directory:

    admin@suse1:~>

Disable the Name Service Caching Daemon (nscd)

Winbind will not work properly if nscd is running. You'll need to stop and disable the service before installing and configuring winbind.

1. Open a terminal console as su. (SuSE has a Terminal Program - Super User Mode in the launch menu under System | Terminal.)
2. Stop the nscd daemon manually with the following command:

    # /etc/init.d/nscd stop
    Shutting down Name Service Cache Daemon done

3. Use the chkconfig utility to change the autostart status of nscd to "off":

    # chkconfig -s nscd off

Disable Autologin

Like many other Linux versions, SuSE has an option to automatically log in a selected user. You won't want this option enabled if you want to use Active Directory credentials.

1. Launch YaST, highlight the Security and Users area, and click Edit and Create Users.
2. In the User and Group Administration window, click Expert Options and select Login Settings from the dropdown menu.
3. Uncheck Auto Login and click Finish to save the change.

Leave YaST open. You'll need it for the next couple of steps.

Install Kerberos

In YaST, go to the Network Services area and proceed as follows:

1. Click Kerberos Client. You'll be prompted to install the pam_krb5 and heimdal-lib packages.
2. Click Continue to install the packages. The package manager closes automatically when the packages have been installed. The Kerberos Client Authentication window opens.
3. Select the Use Kerberos radio button.
4. In Default Domain, enter the flat name of the Active Directory domain, for example, COMPANY. You can use lower case, but the convention is to put flat Windows names in upper case.
5. In the Default Realm field, enter the FQDN of the domain; for example, company.com.
6. In the KDC Server Address field, enter the FQDN of a domain controller; for example, w2k3-dc1.company.com.
7. Click Finish. When prompted to install the heimdal-tools package, click Cancel. Active Directory uses MIT Kerberos, not Heimdal Kerberos.

NOTE: If the Kerberos Client icon does not appear, you'll need to install YaST support for Kerberos and the Kerberos packages using the Add Software applet in YaST.

Leave YaST open.

Install winbind

In YaST, go to the Network Services area. Install the winbind package as follows:

1. Click Samba Client. A prompt appears to install samba-winbind.
2. Click Continue to install the package. The package manager closes automatically once the package has been installed. The Samba Workgroup configuration window opens.
3. Browse for the domain you want to join.
4. Click the Also Use SMB Information for Linux Authentication option.
5. Click Finish. This will configure Samba with the proper settings for winbind and join the SuSE desktop to the domain.

If you get an error saying that the workgroup you selected cannot be used for Linux authentication, uncheck Also Use SMB Information for Linux Authentication and click Finish. SuSE makes some undetermined check against a domain controller for which I can't find any documentation.

If SuSE was unwilling to configure winbind automatically, you'll need to do some work manually before you can start winbind. Even if the automatic configuration works and winbind starts, you'll need to modify the pam configuration files to get a successful desktop login.

Before moving forward with the manual work, configure winbind to start automatically when you boot the machine as follows:

    # chkconfig -s winbind on

You can do this even if winbind refuses to start. You can try manually starting it as follows:

    # /etc/init.d/winbind start

If you get a failure, then you'll need to fix smb.conf. I've included an example at the end of this page.

Test Your Configuration

Test your Kerberos configuration by joining the Linux computer to the Active Directory domain using a utility that comes with Samba 3.x: the net utility. Use this syntax:

    net ads join -U administrator

If your Kerberos settings are correct, when you give the password for the administrator, you'll be joined to the Active Directory domain. You can check the Computers container in Active Directory Users and Computers to make sure this worked.

If you get an error that the Kerberos KDC could not be found, make sure you entered the configuration information correctly, with no typos. These settings are stored in /etc/krb5.conf.

You can also test your Kerberos connection in other ways. For example, to see if you can get a Kerberos ticket for a particular user in Active Directory, use the net ads command to enumerate a user list with that user's credentials, as follows (the lines following the password are the response to the query):

    # net ads user -U winuser1
    winuser1's password:
    Administrator
    Guest
    krbtgt
    winuser1
    winuser2
    winuser3

You can also get a list of users from Active Directory along with the local Linux passwd database file with the getent command, as follows:

    # getent passwd

You should get a list of local users and groups followed by a list of users and groups and computers from the domain.

Modify Configuration Files

You'll need to make manual changes to the following configuration files before you can do an authenticated login at the SuSE login window against Active Directory:

    /etc/nsswitch.conf
    /etc/pam.d/xdm
    /etc/security/pam_unix2.conf

The entries for nsswitch.conf and xdm are similar to those used by other Linux vendors. As far as I know, only SuSE uses the pam_unix2.conf file to enable winbind for local logins. The configuration file examples in this document come from a working SuSE Professional 9.1 desktop. Note that SuSE does not use a system-auth file. I'm not sure why it isn't required on SuSE or why it *is* required on other Linux flavors.

WARNING: Before modifying any configuration file, be sure to make a copy. This is especially important when modifying pam files because you can lock yourself out of a system.

Once you've made these changes, start winbind:

    # /etc/init.d/winbind start

If you get a failure, make sure that you remembered to stop nscd and try again. The simplest way to check for the presence of a running service is to list them using ps -A then grep for the service in which you're interested, as follows:

    # ps -A | grep nscd

If nscd is not running, you'll get no listing.

Troubleshooting

If you continue to get a failure of winbind or with the login window, try updating to the most current version that SuSE has available for the files. Do this with the YaST Online Update (YOU) utility as follows:

1. Launch YaST.
2. In the Software area, click Online Update. This launches YaST Online Update (YOU).
3. In the main YOU window, make sure you're pointed at a local mirror then click Next. When I ran the update, I got security updates for several samba packages plus the latest Linux kernel and some bugfixes.
4. Click Accept to download all required and selected updates. Leave the unchecked (optional) updates for another time.
5. If you get a new kernel update as part of running YOU, reboot the system.
6. Following restart, launch YaST again.
7. In the Network Services area, click Samba Client. This launches the Samba Workgroup manager.
8. In the Membership field, change the Domain or Workgroup entry from TUX-NET to the flat name for your Active Directory domain. In the example, that would be COMPANY. By clicking Browse to select the name, you also verify that the Linux client can see the network and find a subnet master browser.
9. Check the Also Use SMB Information for Linux Authentication option.
10. Click Finish.
11. Now restart the machine to refresh all your settings. Yes, yes, I know you don't need to restart Linux machines, but it's simpler than manually restarting all the services.
12. See if winbind starts. If it does, log off. The main login screen should now list all the users from the local passwd file and from Active Directory.
13. Select an Active Directory user and enter the password. You should get a standard new desktop. If you get an error that KDE can't create a desktop, then you neglected to put the pam_mkhomedir.so entry in xdm.

krb5.conf

This file configures Kerberos to use an Active Directory domain controller as a KDC. Its full path is /etc/krb5.conf. You should not need to manually configure this file. The YaST Kerberos configuration applet makes all required entries.

    [libdefaults]
    # default_realm = MY.REALM
    clockskew = 300

    [realms]
    COMPANY.COM = {
        kdc = w2k3-dc1.company.com
    }
    # MY.REALM = {
    #     kdc = MY.COMPUTER
    #     admin_server = MY.COMPUTER
    #     kpasswd_server = MY.COMPUTER
    # }
    # OTHER.REALM = {
    #     kdc = OTHER.COMPUTER
    # }

    [domain_realm]
    .company.com = COMPANY.COM
    # .my.domain = MY.REALM

    [logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

    [appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }

---end krb5.conf--------------------------------------------

nsswitch.conf

This file configures the system to use the correct settings in various authentication situations. The actual path is /etc/nsswitch.conf. You'll need to modify the passwd and group entries to add winbind as an option.

    # passwd: files nis
    # shadow: files nis
    # group: files nis
    passwd: files winbind
    group: files winbind
    hosts: files dns
    networks: files dns
    services: files
    protocols: files
    rpc: files
    # Disable Name Service Caching Daemon (nscd)

---end nsswitch.conf-----------------------

smb.conf

This file configures Samba and winbind. The actual path is /etc/samba/smb.conf. You'll need to add several lines to this file if YaST was not able to verify the target domain.

    [global]
    wins server = 10.0.0.254
    workgroup = COMPANY
    security = ads
    realm = COMPANY.COM
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 18
    template shell = /bin/bash
    template homedir = /home/%U
    case sensitive = no
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    printer admin = @ntadmin, root, administrator
    map to guest = Bad User
    encrypt passwords = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = no
    password server = *

---end smb.conf--------------------------------

NOTE: Your current smb.conf file might have this line:

    winbind separator = +

You can leave that line in place for SuSE, but remove it for NLD so you can login using domain\username format. In an XDM login window, all Active Directory accounts are listed and the user clicks a name and icon, so the separator helps to differentiate the names.

pam_unix2.conf

This file tells PAM to use winbind when doing a standard Unix-style login. The actual path is /etc/security/pam_unix2.conf. You'll need to modify the auth and account lines to show call_modules=winbind. If you neglect to make this change, you won't be able to login using Active Directory credentials.

    auth: call_modules=winbind
    account: call_modules=winbind
    password:
    session: none

---end pam_unix2.conf-----------------------------

xdm

This file tells the system which authentication mechanism to use for a Gnome login window. The actual path is /etc/pam.d/xdm. You'll need to add a line to create home directories automatically.

    #%PAM-1.0
    auth     required  pam_unix2.so nullok
    account  required  pam_unix2.so
    password required  pam_pwcheck.so nullok
    password required  pam_unix2.so nullok use_first_pass use_authtok
    session  required  pam_unix2.so
    session  required  pam_mkhomedir.so skel=/etc/skel/ umask=0077
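The hand edits listed under "Modify Configuration Files" can be verified before logging out of root, which is where a missed PAM or nsswitch line shows up as a failed domain login. The following shell check is an added example, not part of the original post; the function names and the root-prefix argument are assumptions made here so it can also be run against a backup copy of /etc.

```sh
#!/bin/sh
# Added example (not from the original post): verify the manual edits the
# how-to requires in nsswitch.conf, pam_unix2.conf and pam.d/xdm.
# Function names and the root-prefix argument are hypothetical helpers.

# True if the nsswitch.conf database line ($2 = passwd|group) lists winbind.
# Commented-out lines and trailing comments are ignored.
nss_has_winbind() {
    grep -Eq "^[[:space:]]*$2:[^#]*[[:space:]]winbind([[:space:]]|#|\$)" "$1"
}

# True if the pam_unix2.conf line for $2 (auth|account) calls winbind.
unix2_calls_winbind() {
    grep -Eq "^[[:space:]]*$2:[^#]*call_modules=[^#[:space:]]*winbind" "$1"
}

# True if the xdm PAM stack has an active session line for pam_mkhomedir.so.
xdm_makes_homedir() {
    grep -Eq '^[[:space:]]*session[[:space:]][^#]*pam_mkhomedir\.so' "$1"
}

# Print one line per missing setting; return non-zero if any is missing.
# $1 is an optional prefix, e.g. a directory holding a copy of /etc.
check_winbind_login() {
    root=${1:-}; missing=0
    for db in passwd group; do
        nss_has_winbind "$root/etc/nsswitch.conf" "$db" ||
            { echo "nsswitch.conf: '$db' does not list winbind"; missing=1; }
    done
    for svc in auth account; do
        unix2_calls_winbind "$root/etc/security/pam_unix2.conf" "$svc" ||
            { echo "pam_unix2.conf: '$svc' lacks call_modules=winbind"; missing=1; }
    done
    xdm_makes_homedir "$root/etc/pam.d/xdm" ||
        { echo "pam.d/xdm: no pam_mkhomedir.so session line"; missing=1; }
    return "$missing"
}

# Run against the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then check_winbind_login ""; fi
```

Run it as root with `--run` while a root session is still open, so a reported gap can be fixed from the backup copies the WARNING above tells you to keep.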