Fedora - unable to login using Active Directory credentials

igp · 09-28-2016, 11:22 AM

Hi
I have setup a Fedora machine and have bound it to Active directory using Samba, Winbind & Kerberos. Computer object exists in AD.
running kinit username@domain.com prompts for password which is accepted. klist then shows I have a ticket.
What I need to be able to do is login to the machine using an active directory user. I am sure I have missed something as I have not added domain users / admins to any groups (not sure if i need to?).
I have gnome installed and when I enter the username it prompts for the password, looks like its been accepted and then returns to the user login screen.
Bit stumped at the moment so any help would be appreciated.
Thanks in advance!

Ginola · 09-30-2016, 05:09 AM

The program "realm" is your friend on this one.

Once you install realmd and configure your /etc/krb5.conf file, assuming you realm name is AD.JOSHUA.COM, run the following....

Code:

[root@wopr ~]realm discover AD.JOSHUA.COM
ad.joshua.com
  type: kerberos
  realm-name: AD.JOSHUA.COM
  domain-name: ad.joshua.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common

Make sure all the required package listed above are installed. Then join the domain...

Code:

[root@wopr ~]realm join --user ginola@ad.joshua.com AD.JOSHUA.COM

The --user option can be left out, but then you'll login as ADMINSTRATOR.

You can then su in as that user to check it works.

I always tidy up /etc/sssd/sssd.conf

Code:

use_fully_qualified_names = False
fallback_homedir = /home/%u

I change the first option so the users can log directly on the box with just the username, no domain needed, and the second option makes the home directory area tidier..

HTH.

igp · 10-04-2016, 07:35 AM

Hi Ginola, thanks for the reply.
I had tried this way previously and keep being told cannot join this realm.
I have since realized the realm join command need to be entered in the correct case, upper for realm & lower for domain. I think this could be DNS related. If I add the --verbose flag the discovery times out after 15 seconds. Whats odd is it accepted it once and asked for my password. It accepted it but still error ed. Annoying thing now is I cannot get it to prompt for password again to troubleshoot the same error.
Is it just the krb5.conf file that requires configuring? Do I need to edit the smb.conf files as well?
Thanks again!

Ginola · 10-12-2016, 04:32 AM

Firstly, check your /etc/resolv.conf and make sure it is hitting the AD DNS. I hang mine off the windows DHCP to inherit these values....

Code:

[root@wopr ~]$ more /etc/resolv.conf
# Generated by NetworkManager
search ad.joshua.com
nameserver 10.100.91.129
nameserver 10.100.92.129
nameserver 10.100.93.129

Secondly, make sure the clocks are in sync..

I configured samba so that the users could access their home area from windows.

Code:

[global]
	workgroup = AD
	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50
	security = ads
	passdb backend = tdbsam
	realm = AD.JOSHUA.COM
	password server = *

HTH.

igp · 10-12-2016, 05:14 AM

Thanks for the reply.
I eventually got it working. It took me many attempts but tweaking the krb5.conf, smb.conf & sssd.conf got me over the line.
I am now able to login with domain credentials and editing the sssd.conf file to not require fqdn works nicely.
Realm & sssd is definitely the way to go. Now automating the deployment of the 3 files to allow an easy bind for other machines going forward.
Thanks for your help!