LinuxQuestions.org


bqbtoan 02-01-2005 10:20 PM

Xsession: LOGIN FOR ROOM9\ROOM9 IS DISABLED
 
I use SuSE 9.1. I joined the Room9 domain successfully (= Samba client). After I log out of "root" and log in with "Room9\Room9", I get "Xsession: Login for Room9\Room9 is disabled".

Can anyone help me?

Rogern 03-01-2005 12:48 PM

same problem Suse 9.2 on W3K Domain
 
Hello, I hope someone replies, as I have the same problem using a user account set up on Small Business Server 2003. Samba, Kerberos network services on SuSE 9.2 workstation.

Thank you,

Roger

drakamakafon 03-21-2005 02:25 AM

The same problem
 
Did you solve the problem? Please share your experience with this question.
Thanks in advance.

bqbtoan 03-21-2005 02:36 AM

Assign a Unique Computer Name

Unlike other Linux versions, SuSE does not specifically offer an option to assign a unique computer name. Here are the steps to follow during or after installation to assign a computer name (a requirement for winbind to work properly):

Launch YaST2.
In the Network Devices area, launch Network Card. Your NIC should be listed in the Already Configured Devices section.
Click Change. This shows a list of the configured network adapters.
Highlight the adapter and click Change. This opens a Network Address Setup window.
Click Host Name and Name Server. If prompted to change the content of the resolv.conf file, click Modify to make the changes.
In the Host Name and Name Server window, enter the new host name. For example, I called my machine suse1.
Under Domain Name, enter the DNS domain name for the Active Directory domain. For example, I entered company.com.
Uncheck the Change Host Name Via DHCP option.
Leave the rest of the window settings at their default. They display the content of the DHCP configuration packet.
Click OK then Next then Finish to save and apply the changes.
Open a console window and verify that the new machine name appears in the bash prompt. For example, here's the prompt for a local administrator account called admin when in the user's home directory:

admin@suse1:~>




Disable the Name Service Caching Daemon (nscd)

Winbind will not work properly if nscd is running. You'll need to stop and disable the service before installing and configuring winbind.

Open a terminal console as su. (SuSE has a Terminal Program - Super User Mode in the launch menu under System | Terminal.)

Stop the nscd daemon manually with the following command:

# /etc/init.d/nscd stop
Shutting down Name Service Cache Daemon done



Use the chkconfig utility to change the autostart status of nscd to "off":

# chkconfig -s nscd off


Disable Autologin

Like many other Linux versions, SuSE has an option to automatically login a selected user. You won't want this option enabled if you want to use Active Directory credentials.

Launch YaST, highlight the Security and Users area, and click Edit and Create Users.
In the User and Group Administration window, click Expert Options and select Login Settings from the dropdown menu.
Uncheck Auto Login and click Finish to save the change.
Leave YaST open. You'll need it for the next couple of steps.





Install Kerberos

In YaST, go to the Network Services area and proceed as follows:

Click Kerberos Client. You'll be prompted to install the pam_krb5 and heimdal-lib packages. Click Continue to install the packages. The package manager closes automatically when the packages have been installed.
The Kerberos Client Authentication window opens.
Select the Use Kerberos radio button.
In Default Domain, enter the flat name of the Active Directory domain, for example, COMPANY. You can use lower case, but the convention is to put flat Windows names in upper case.
In the Default Realm field, enter the FQDN of the domain; for example, company.com.
In the KDC Server Address field, enter the FQDN of a domain controller; for example, w2k3-dc1.company.com.
Click Finish. When prompted to install the heimdal-tools package, click Cancel. Active Directory uses MIT Kerberos, not Heimdal Kerberos.
NOTE: If the Kerberos Client icon does not appear, you'll need to install YaST support for Kerberos and the Kerberos packages using the Add Software applet in YaST.

Leave YaST open.




Install winbind

In YaST, go to the Network Services area. Install the winbind package as follows:

Click Samba Client. A prompt appears to install samba-winbind. Click Continue to install the package. The package manager closes automatically once the package has been installed.
The Samba Workgroup configuration window opens.
Browse for the domain you want to join.
Click the Also Use SMB Information for Linux Authentication option.
Click Finish.
This will configure Samba with the proper settings for winbind and join the SuSE desktop to the domain.

If you get an error saying that the workgroup you selected cannot be used for Linux authentication, uncheck Also Use SMB Information for Linux Authentication and click Finish. SuSE makes some undetermined check against a domain controller for which I can't find any documentation.

If SuSE was unwilling to configure winbind automatically, you'll need to do some work manually before you can start winbind. Even if the automatic configuration works and winbind starts, you'll need to modify the pam configuration files to get a successful desktop login.

Before moving forward with the manual work, configure winbind to start automatically when you boot the machine as follows:

# chkconfig -s winbind on



You can do this even if winbind refuses to start. You can try manually starting it as follows:

# /etc/init.d/winbind start

If you get a failure, then you'll need to fix smb.conf. I've included an example at the end of this page.



Test Your Configuration

Test your Kerberos configuration by joining the Linux computer to the Active Directory domain using a utility that comes with Samba 3.x: the net utility. Use this syntax:

net ads join -U administrator



If your Kerberos settings are correct, when you give the password for the administrator, you'll be joined to the Active Directory domain. You can check the Computers container in Active Directory Users and Computers to make sure this worked.

If you get an error that the Kerberos KDC could not be found, make sure you entered the configuration information correctly, with no typos. These settings are stored in /etc/krb5.conf.

You can also test your Kerberos connection in other ways. For example, to see if you can get a Kerberos ticket for a particular user in Active Directory, use the net ads command to enumerate a user list with that user's credentials, as follows (the lines following the password are the response to the query):

# net ads user -U winuser1
winuser1's password:
Administrator
Guest
krbtgt
winuser1
winuser2
winuser3


You can also get a list of users from Active Directory along with the local Linux passwd database file with the getent command, as follows:

# getent passwd


You should get a list of local users and groups followed by a list of users and groups and computers from the domain.



Modify Configuration Files

You'll need to make manual changes to the following configuration files before you can do an authenticated login at the SuSE login window against Active Directory:

/etc/nsswitch.conf
/etc/pam.d/xdm
/etc/security/pam_unix2.conf
The entries for nsswitch.conf and xdm are similar to those used by other Linux vendors. As far as I know, only SuSE uses the pam_unix2.conf file to enable winbind for local logins.

The configuration file examples in this document come from a working SuSE Professional 9.1 desktop. Note that SuSE does not use a system-auth file. I'm not sure why it isn't required on SuSE or why it *is* required on other Linux flavors.

WARNING: Before modifying any configuration file, be sure to make a copy. This is especially important when modifying pam files because you can lock yourself out of a system.

Once you've made these changes, start winbind:

# /etc/init.d/winbind start

If you get a failure, make sure that you remembered to stop nscd and try again. The simplest way to check for the presence of a running service is to list them using ps -A then grep for the service in which you're interested, as follows:

# ps -A | grep nscd

If nscd is not running, you'll get no listing.


Troubleshooting

If you continue to get a failure of winbind or with the login window, try updating to the most current version that SuSE has available for the files. Do this with the YaST Online Update (YOU) utility as follows:

Launch YaST.
In the Software area, click Online Update. This launches YaST Online Update (YOU).
In the main YOU window, make sure you're pointed at a local mirror then click Next.
When I ran the update, I got security updates for several samba packages plus the latest Linux kernel and some bugfixes. Click Accept to download all required and selected updates. Leave the unchecked (optional) updates for another time.
If you get a new kernel update as part of running YOU, reboot the system. Following restart, launch YaST again.
In the Network Services area, click Samba Client. This launches the Samba Workgroup manager.
In the Membership field, change the Domain or Workgroup entry from TUX-NET to the flat name for your Active Directory domain. In the example, that would be COMPANY. By clicking Browse to select the name, you also verify that the Linux client can see the network and find a subnet master browser.
Check the Also Use SMB Information for Linux Authentication option.
Click Finish.
Now restart the machine to refresh all your settings. Yes, yes, I know you don't need to restart Linux machines, but it's simpler than manually restarting all the services.

See if winbind starts. If it does, log off. The main login screen should now list all the users from the local passwd file and from Active Directory. Select an Active Directory user and enter the password. You should get a standard new desktop.

If you get an error that KDE can't create a desktop, then you neglected to put the pam_mkhomedir.so entry in xdm.




krb5.conf

This file configures Kerberos to use an Active Directory domain controller as a KDC.

Its full path is /etc/krb5.conf.

You should not need to manually configure this file. The YaST Kerberos configuration applet makes all required entries.


[libdefaults]
# default_realm = MY.REALM
clockskew = 300

[realms]
COMPANY.COM = {
kdc = w2k3-dc1.company.com
}
# MY.REALM = {
# kdc = MY.COMPUTER
# admin_server = MY.COMPUTER
# kpasswd_server = MY.COMPUTER
# }
# OTHER.REALM = {
# kdc = OTHER.COMPUTER
# }

[domain_realm]
.company.com = COMPANY.COM
# .my.domain = MY.REALM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

---end krb5.conf--------------------------------------------


nsswitch.conf

This file configures the system to use the correct settings in various authentication situations.

The actual path is /etc/nsswitch.conf.

You'll need to modify the passwd and group entries to add winbind as an option.

# passwd: files nis
# shadow: files nis
# group: files nis

passwd: files winbind
group: files winbind

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files

---end nsswitch.conf-----------------------

smb.conf

This file configures Samba and winbind.

The actual path is /etc/samba/smb.conf.

You'll need to add several lines to this file if YaST was not able to verify the target domain.

[global]
wins server = 10.0.0.254
workgroup = COMPANY
security = ads
realm = COMPANY.COM
idmap uid = 10000-20000
idmap gid = 10000-20000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 18
template shell = /bin/bash
template homedir = /home/%U
case sensitive = no
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
printer admin = @ntadmin, root, administrator
map to guest = Bad User
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
password server = *

---end smb.conf--------------------------------

NOTE: Your current smb.conf file might have this line:

winbind separator = +

You can leave that line in place for SuSE, but remove it for NLD so you can login using domain\username format. In an XDM login window, all Active Directory accounts are listed and the user clicks a name and icon, so the separator helps to differentiate the names.

pam_unix2.conf

This file tells PAM to use winbind when doing a standard Unix-style login.

The actual path is /etc/security/pam_unix2.conf.

You'll need to modify the auth and account lines to show call_modules=winbind. If you neglect to make this change, you won't be able to login using Active Directory credentials.

auth: call_modules=winbind
account: call_modules=winbind
password:
session: none

---end pam_unix2.conf-----------------------------

xdm

This file tells the system which authentication mechanism to use for a Gnome login window.

The actual path is /etc/pam.d/xdm.

You'll need to add a line to create home directories automatically.

#%PAM-1.0
auth required pam_unix2.so nullok

account required pam_unix2.so

password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

session required pam_unix2.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
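
The manual edits the post above requires in nsswitch.conf, pam_unix2.conf and xdm can be checked mechanically. The following is an added example, not part of the original post; the function names are hypothetical, and the default paths are the ones the post names.

```shell
#!/bin/sh
# Added example: audits the three files the post says must be edited by hand.
# Function names are hypothetical; pass file paths as arguments to audit copies.

# nss_uses_winbind FILE DB: succeeds if the active "DB:" line lists winbind.
nss_uses_winbind() {
    awk -v db="$2:" '
        /^[ \t]*#/ { next }                     # ignore commented-out lines
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# unix2_calls_winbind FILE TYPE: succeeds if "TYPE:" has call_modules=...winbind...
unix2_calls_winbind() {
    awk -v t="$2:" '
        /^[ \t]*#/ { next }
        $1 == t { for (i = 2; i <= NF; i++)
                      if ($i ~ /^call_modules=(.*,)?winbind(,.*)?$/) found = 1 }
        END { exit !found }' "$1"
}

# pam_has_mkhomedir FILE: succeeds if a session line loads pam_mkhomedir.so.
pam_has_mkhomedir() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "session" && $3 ~ /pam_mkhomedir\.so$/ { found = 1 }
        END { exit !found }' "$1"
}

# audit_winbind_login [NSSWITCH] [PAM_UNIX2] [XDM]
# Prints one line per failed check and returns the number of failures.
audit_winbind_login() {
    nss=${1:-/etc/nsswitch.conf}
    unix2=${2:-/etc/security/pam_unix2.conf}
    xdm=${3:-/etc/pam.d/xdm}
    fails=0
    for db in passwd group; do
        nss_uses_winbind "$nss" "$db" ||
            { echo "FAIL: $nss: $db does not list winbind"; fails=$((fails + 1)); }
    done
    for t in auth account; do
        unix2_calls_winbind "$unix2" "$t" ||
            { echo "FAIL: $unix2: $t lacks call_modules=winbind"; fails=$((fails + 1)); }
    done
    pam_has_mkhomedir "$xdm" ||
        { echo "FAIL: $xdm: no pam_mkhomedir.so session line"; fails=$((fails + 1)); }
    return "$fails"
}
```

Source the file and call `audit_winbind_login` with no arguments to check the live system files; an exit status of 0 means all five checks passed.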

