LinuxQuestions.org
Red Hat This forum is for the discussion of Red Hat Linux.
Old 05-20-2014, 05:22 AM   #1
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5
Posts: 516

Rep: Reputation: 32
Adding to Windows AD domain, trouble installing samba (3) and so on


I'm in the process of replacing 6 PCs in our environment and have made the choice of running RHEL 6.5 with Self Support subscriptions (had contemplated CentOS but that's another matter).

So, our environment consists of a Windows SBS 2003 DC, a BES running on Win2003, around 40 PCs in various flavours of Windows and a couple of Slackware storage boxes.

Currently everything works as intended, so I'm looking to add the RHEL machine to our domain. I have followed almost every guide I can find on our good friend Google with varying results, and have since got myself caught in an install/remove nightmare and am in need of some help/guidance.

I've tried:
Code:
yum -y install samba samba-client samba-common samba-winbind samba-winbind-clients
This throws problems (full log shown for clarity):
Code:
 
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-desktop-rpms                                      | 3.7 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package samba-client.i686 0:3.6.9-168.el6_5 will be installed
--> Processing Dependency: samba-common = 3.6.9-168.el6_5 for package: samba-client-3.6.9-168.el6_5.i686
---> Package samba-winbind.i686 0:3.6.9-168.el6_5 will be installed
---> Package samba-winbind-clients.i686 0:3.6.9-168.el6_5 will be installed
---> Package samba4.i686 0:4.0.0-61.el6_5.rc4 will be installed
--> Running transaction check
---> Package samba-common.i686 0:3.6.9-168.el6_5 will be installed
--> Processing Conflict: samba4-client-4.0.0-61.el6_5.rc4.i686 conflicts samba-client < 3.9.9
--> Processing Conflict: samba4-common-4.0.0-61.el6_5.rc4.i686 conflicts samba-common < 3.9.9
--> Processing Conflict: samba4-winbind-4.0.0-61.el6_5.rc4.i686 conflicts samba-winbind < 3.9.9
--> Processing Conflict: samba4-winbind-clients-4.0.0-61.el6_5.rc4.i686 conflicts samba-winbind-clients < 3.9.9
--> Finished Dependency Resolution
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-168.el6_5.i686
Error: samba4-client conflicts with samba-client-3.6.9-168.el6_5.i686
Error: samba4-winbind conflicts with samba-winbind-3.6.9-168.el6_5.i686
Error: samba4-common conflicts with samba-common-3.6.9-168.el6_5.i686
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
As you can see, samba4 is mentioned, so I have tried to install the samba rpms manually, which doesn't help. I have also tried to install samba4 instead, which obviously does install with yum, but I can't get authentication to work with our AD domain.

I've got 2 questions really

1) Does anyone have a robust guide to get RHEL 6.5 working with a Win2003 AD domain? I just want AD users to be able to login to the machine, nothing more for the moment.

2) How can I install samba 3 and not samba 4 using yum? I found no real help on the Red Hat site unfortunately.


Thanks for any and all help

I eventually got samba installed without any samba 4 parts by
Code:
yum install samba-*
Code:
 rpm -qa | grep samba
now shows

Code:
samba-winbind-krb5-locator-3.6.9-168.el6_5.i686
samba-common-3.6.9-168.el6_5.i686
samba-domainjoin-gui-3.6.9-168.el6_5.i686
samba-winbind-3.6.9-168.el6_5.i686
samba-3.6.9-168.el6_5.i686
samba-doc-3.6.9-168.el6_5.i686
samba-winbind-clients-3.6.9-168.el6_5.i686
That's where I'm at. I can now go to Setup > Authentication Configuration and see that I have joined the domain, but I still can't log in to the machine using a valid domain user/pass combo.

Code:
 wbinfo -u
shows a list of all domain users, as expected but still can't logon using any of those credentials.

Also noticed that the smb service is not running, status shows: smbd dead but pid file exists

Removed samba and reinstalled all, following with Setup > Authentication Configuration and see smb is running ok, machine is part of the domain, but as mentioned still can't authenticate with a valid domain user/pass combo.

UPDATE

OK, here is where I am: I have the machine installed and working, connected to the AD domain, can see the computer in AD, both resolve to each other, and the following commands work and give the expected results:

wbinfo -u [gives AD user list]

wbinfo -g [gives AD group list]

net ads testjoin [gives Join is OK]

net ads info
[gives]
Code:
LDAP server: 192.168.16.2
LDAP server name: BFMSRV01.mydomain.local
Realm: MYDOMAIN.LOCAL
Bind Path: dc=MYDOMAIN,dc=LOCAL
LDAP port: 389
Server time: Wed, 21 May 2014 07:16:27 BST
KDC server: 192.168.16.2
Server time offset: 0

If I try to log in to the machine using a known username but incorrect password combo, I am presented with an Access Denied text as expected, and the log from this shows:
Code:
May 21 07:19:57 bfmpc20 sshd[8563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local  user=aduser
May 21 07:19:58 bfmpc20 sshd[8563]: pam_krb5[8563]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): user 'aduser' denied access (incorrect password or invalid membership)
May 21 07:20:00 bfmpc20 sshd[8563]: Failed password for aduser from 192.168.16.19 port 3983 ssh2
May 21 07:20:03 bfmpc20 sshd[8564]: Connection closed by 192.168.16.19
If, however, I use a valid user/password combo, I am not presented with an Access Denied text; instead the session simply closes, and the log from this is as follows:

Code:
May 21 07:24:54 bfmpc20 sshd[8580]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local  user=aduser
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: account checks fail for 'aduser': can't resolve KDC addresses
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: Failed password for aduser from 192.168.16.19 port 4002 ssh2
May 21 07:24:55 bfmpc20 sshd[8581]: fatal: Access denied for user aduser by PAM account configuration

As a final note for THIS update, if while logged in as root, I
Code:
su aduser
I get access and the log looks like this
Code:
May 21 07:24:54 bfmpc20 sshd[8580]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local  user=aduser
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: account checks fail for 'aduser': can't resolve KDC addresses
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: Failed password for aduser from 192.168.16.19 port 4002 ssh2
May 21 07:24:55 bfmpc20 sshd[8581]: fatal: Access denied for user aduser by PAM account configuration
May 21 07:27:45 bfmpc20 su: pam_unix(su:session): session opened for user aduser by plisken(uid=0)
So that's where I am, getting somewhere but not quite there...

If anyone has anything to offer, please do, I don't have that many options, kind of got myself into a position where I really need to get these RH boxes authenticating with our AD.

If you want any conf files posted, I can do.

Thanks in advance...

UPDATE

on attempting to log with a valid AD username/password combo, connection closes and the log now looks like this:

Code:
May 21 14:53:44 bfmpc20 sshd[9815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc20.mydomain.local  user=aduser
May 21 14:53:44 bfmpc20 sshd[9815]: pam_krb5[9815]: TGT failed verification using keytab and key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL': Key version number for principal in key table is incorrect
May 21 14:53:44 bfmpc20 sshd[9815]: pam_krb5[9815]: authentication fails for 'aduser' (aduser@MYDOMAIN.LOCAL): Authentication failure (Success)
May 21 14:53:44 bfmpc20 sshd[9815]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 14:53:44 bfmpc20 sshd[9815]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 14:53:44 bfmpc20 sshd[9815]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 14:53:45 bfmpc20 sshd[9815]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 14:53:45 bfmpc20 sshd[9815]: Failed password for aduser from 192.168.16.47 port 35367 ssh2
May 21 14:53:45 bfmpc20 sshd[9816]: fatal: Access denied for user aduser by PAM account configuration
Any takers yet?

UPDATE

I've made some changes, pretty much removing config files and repeating some steps, and now have a slightly different log on authentication failure, as below.

That is, when I log in (ssh) with a known username/password combo from AD, I am not presented with any Access Denied or similar; the terminal simply closes.

/var/log/secure
Code:
May 22 07:17:38 bfmpc20 sshd[2569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local  user=aduser
May 22 07:17:38 bfmpc20 sshd[2569]: pam_krb5[2569]: TGT verified using key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL'
May 22 07:17:39 bfmpc20 sshd[2569]: pam_krb5[2569]: authentication succeeds for 'aduser' (aduser@MYDOMAIN.LOCAL)
May 22 07:17:39 bfmpc20 sshd[2569]: pam_winbind(sshd:account): user 'aduser' granted access
May 22 07:17:39 bfmpc20 sshd[2569]: Failed password for aduser from 192.168.16.19 port 3649 ssh2
May 22 07:17:39 bfmpc20 sshd[2570]: fatal: Access denied for user aduser by PAM account configuration


Same but with a graphical login attempt (I know log seems to show access but I can assure you, there is none, graphical login screen simply refreshes)

/var/log/secure
Code:
May 22 07:30:27 bfmpc20 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=aduser
May 22 07:30:27 bfmpc20 pam: gdm-password: pam_krb5[2458]: TGT verified using key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL'
May 22 07:30:28 bfmpc20 pam: gdm-password: pam_krb5[2458]: authentication succeeds for ' aduser ' (aduser @MYDOMAIN.LOCAL)
May 22 07:30:28 bfmpc20 pam: gdm-password: pam_winbind(gdm-password:account): user ' aduser ' granted access

Is there anyone that can offer any assistance?

Or "Are there no more heroes left in the world?"

Yet another update

Code:
May 22 12:31:14 bfmpc20 sshd[3771]: pam_krb5[3771]: TGT verified using key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL'
May 22 12:31:14 bfmpc20 sshd[3771]: pam_krb5[3771]: authentication succeeds for 'aduser' (aduser@MYDOMAIN.LOCAL)
May 22 12:31:14 bfmpc20 sshd[3771]: pam_winbind(sshd:account): user 'aduser' granted access
May 22 12:31:14 bfmpc20 sshd[3771]: Failed password for aduser from 192.168.16.19 port 4604 ssh2
May 22 12:31:14 bfmpc20 sshd[3772]: fatal: Access denied for user aduser by PAM account configuration
Anyone?

Last edited by unSpawn; 05-23-2014 at 02:42 AM.
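As an added example (not code from the thread or from plisken's machine), this Python script groups /var/log/secure lines of the kind quoted above into login attempts and reports which PAM module passed or failed in the auth and account phases, which is exactly what the "Access denied for user aduser by PAM account configuration" line leaves open. The function names and the SAMPLE lines are constructed here, modelled on the quoted excerpts.

```python
"""Triage pam_krb5/pam_winbind sshd lines from /var/log/secure: group them into login
attempts and record which PAM module passed or failed in each phase, so that an
"Access denied ... by PAM account configuration" can be traced to the module behind it."""
import re

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: (.*)$")
PAM_RE = re.compile(r"^pam_(\w+)\(sshd:(\w+)\): (.*)$")   # pam_unix / pam_winbind log the phase
KRB5_RE = re.compile(r"^pam_krb5\[\d+\]: (.*)$")          # pam_krb5 does not, so infer it
USER_RES = [re.compile(p) for p in (r"user=(\S+)", r"user '([^']+)'", r"for '([^']+)'",
                                     r"for user (\S+)", r"for (\S+) from")]

def user_of(msg):
    hits = (r.search(msg) for r in USER_RES)
    return next((h.group(1).strip() for h in hits if h), None)

def classify(msg):
    # -> (module, phase, "ok" | "fail") for a PAM result line, None for informational chatter
    if PAM_RE.match(msg):
        mod, phase, text = PAM_RE.match(msg).groups()
    elif KRB5_RE.match(msg):
        text = KRB5_RE.match(msg).group(1)
        mod, phase = "krb5", ("account" if text.startswith("account checks") else "auth")
    else:
        return None
    if "granted access" in text or "authentication succeeds" in text:
        return mod, phase, "ok"
    if "denied access" in text or "authentication fail" in text or "checks fail" in text:
        return mod, phase, "fail"

def triage(log_text):
    """One dict per login attempt: user, per-phase module results and the final outcome."""
    attempts, open_attempts = [], {}
    for msg in (m.group(1) for m in map(LINE_RE.match, log_text.splitlines()) if m):
        if msg.startswith("Connection closed"):   # logged without a user; ends open attempts
            open_attempts.clear()
            continue
        outcome = ("accepted" if msg.startswith("Accepted password") else
                   "denied_account_phase" if "by PAM account configuration" in msg else
                   "denied_auth_phase" if msg.startswith("Failed password") else None)
        res = classify(msg)
        if res is None and outcome is None:
            continue                               # TGT verification, password prompts, ...
        user = user_of(msg)
        att = open_attempts.get(user)
        if att is None:
            att = open_attempts[user] = {"user": user, "auth": {}, "account": {}, "outcome": None}
            attempts.append(att)
        if res:
            att.setdefault(res[1], {})[res[0]] = res[2]
        # sshd logs "Failed password" first; a following "fatal: Access denied" refines it
        if outcome and (att["outcome"] is None or outcome != "denied_auth_phase"):
            att["outcome"] = outcome
        if att["outcome"] in ("accepted", "denied_account_phase"):
            del open_attempts[user]
    return attempts

# Constructed sample in the shape of the thread's /var/log/secure excerpts.
SAMPLE = """\
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): user 'aduser' denied access (incorrect password or invalid membership)
May 21 07:20:00 bfmpc20 sshd[8563]: Failed password for aduser from 192.168.16.19 port 3983 ssh2
May 21 07:20:03 bfmpc20 sshd[8564]: Connection closed by 192.168.16.19
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: account checks fail for 'aduser': can't resolve KDC addresses
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: Failed password for aduser from 192.168.16.19 port 4002 ssh2
May 21 07:24:55 bfmpc20 sshd[8581]: fatal: Access denied for user aduser by PAM account configuration
May 26 14:20:00 bfmpc20 sshd[22116]: Accepted password for aduser from 192.168.16.19 port 4087 ssh2
"""
```

Feeding a real file to `triage` shows the second attempt's pattern from the thread: auth granted by winbind, account denied while pam_krb5's account check fails, so the account stack is where to look.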
 
Old 05-23-2014, 01:54 AM   #2
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 542

Rep: Reputation: 79
Are all users affected by the issue or just this one?

"If possible" did you try to recreate the user? (although, if it works it will not tell us why it wasn't working)

Angel.
 
Old 05-23-2014, 07:52 AM   #3
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 542

Rep: Reputation: 79

Quote:
I just want AD users to be able to login to the machine, nothing more for the moment.
If so, here is what I've done on my Debian machine, and it works like a charm:

edit /etc/hosts
Code:
vi /etc/hosts
Change the line below (if needed)
Code:
127.0.0.1       localhost
192.100.100.10  thismachine.mydomain.intra  thismachine
edit /etc/hostname and change the name of your machine (if needed)
Code:
vi /etc/hostname
Code:
ThisMachine
Then install and configure Kerberos
Code:
apt-get install krb5-user libpam-krb5 ntpdate
y
vi /etc/krb5.conf
Code:
[libdefaults]
        default_realm = mydomain.intra

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        MYDOMAIN.INTRA = {
                kdc = MYDOMAIN.INTRA:88
                admin_server = AD1.MYDOMAIN.INTRA
                default_domain = MYDOMAIN.INTRA
        }

[domain_realm]
        .mycompany.intra = mydomain.intra
        mycompany.intra = mydomain.intra

[login]
        krb4_convert = true
        krb4_get_tickets = false
Code:
mv /etc/pam.d/common-account /etc/pam.d/common-account.original
vi /etc/pam.d/common-account
Code:
account sufficient      pam_winbind.so
account required        pam_unix.so
Code:
cp /etc/pam.d/common-auth /etc/pam.d/common-auth.original
vi /etc/pam.d/common-auth
Code:
# here are the per-package modules (the "Primary" block)
# success=N skips the next N modules, so the first module that succeeds lands on pam_permit.so
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Code:
vi /etc/nsswitch.conf
Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Bind your machine to the domain (PS: the domain has to be in UPPERCASE, otherwise it will fail, at least it did for me):
Code:
root@debian:~# kinit angel@MYDOMAIN.INTRA
Password for angel@MYDOMAIN.INTRA:
root@debian:~#

After that I can log in using my LDAP credentials as well as the local users.
Below are the log entries that I get:

Code:
May 23 14:34:23 ThisMachine sshd[10743]: pam_krb5(sshd:auth): user angel authenticated as angel@MYDOMAIN.INTRA
May 23 14:34:23 ThisMachine sshd[10743]: pam_winbind(sshd:account): user 'angel' granted access
May 23 14:34:23 ThisMachine sshd[10743]: Accepted password for angel from 192.100.157.30 port 58471 ssh2
May 23 14:34:23 ThisMachine sshd[10743]: pam_unix(sshd:session): session opened for user angel by (uid=0)
Just replace apt-get with yum and accommodate the paths for Red Hat, and that should do the trick.

I hope that helps,
Angel.

Last edited by angel115; 05-23-2014 at 08:01 AM.
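As an added example (not code from the thread or from angel115's setup), the following Python parses krb5.conf in the nested brace syntax used above and lints the realm wiring: a leftover EXAMPLE.COM placeholder, which is what plisken's earlier pam_krb5 lines (aduser@EXAMPLE.COM, "Cannot resolve network address for KDC") point at, and a default_realm whose case does not match its [realms] block, the pitfall the UPPERCASE note above warns about. parse_krb5_conf, lint_realms and the two sample configs are constructed here.

```python
"""Parse krb5.conf (MIT profile syntax, nested { } blocks included) and lint the realm wiring:
placeholder default_realm, default_realm without a case-sensitive [realms] match, dangling maps."""
def parse_krb5_conf(text):
    """Return {section: {key: value | nested dict}}; later duplicate keys win."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, eq, value = line.partition("=")
            if not eq or not stack:
                raise ValueError("cannot parse %r" % raw)
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

PLACEHOLDERS = {"EXAMPLE.COM", "EXAMPLE.ORG"}   # realm names shipped in stock krb5.conf files

def lint_realms(conf):
    """List the realm-wiring problems found; an empty list means it is consistent."""
    out, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        out.append("no default_realm in [libdefaults]")
    elif default in PLACEHOLDERS:
        out.append("default_realm is still the placeholder " + default)
    elif default not in realms:
        alike = [r for r in realms if r.upper() == default.upper()]
        out.append("default_realm %s has no [realms] entry (the match is case-sensitive%s)"
                   % (default, "; did you mean " + alike[0] if alike else ""))
    for realm, settings in realms.items():
        if not isinstance(settings, dict) or "kdc" not in settings:
            out.append("[realms] %s lists no kdc, so it must come from DNS SRV records" % realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            out.append("[domain_realm] %s maps to %s, which has no [realms] entry" % (domain, realm))
    return out

# Constructed samples: a stock placeholder config, and a lower-case default_realm against an upper-case [realms] block.
STOCK = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
 }
"""
MIXED_CASE = """\
[libdefaults]
 default_realm = mydomain.intra
 v4_name_convert = {
  host = {
   rcmd = host
  }
 }
[realms]
 MYDOMAIN.INTRA = {
  kdc = MYDOMAIN.INTRA:88
 }
[domain_realm]
 .mycompany.intra = mydomain.intra
"""
```

On a host, `lint_realms(parse_krb5_conf(open("/etc/krb5.conf").read()))` checks the live file.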
 
Old 05-23-2014, 08:14 AM   #4
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 542

Rep: Reputation: 79
To answer your question:
Quote:
Are there no more heroes left in the world?
I really don't believe in heroes, but just in people willing to do things.

Angel.
 
Old 05-23-2014, 08:16 AM   #5
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5
Posts: 516

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by angel115 View Post
Are all users affected by the issue or just this one?

"If possible" did you try to recreate the user? (although, if it works it will not tell us why it wasn't working)

Angel.
All users, only local ones work. I did add a new user to see but was still the same.

I have been playing around with the /etc/pam.d/ files and see in your comment /etc/pam.d/common-account, but unfortunately I don't have a common-account file. That apart, your steps seem to be pretty close to what I've done. Going to start fresh again this evening and follow through and see how things go.

As I see it, the machine is added to the domain, I can
Code:
 wbinfo -u
Code:
 net ads testjoin
Code:
net ads info
all ok

If this wasn't a "must do" thing, I'd have moved on by now LOL
 
Old 05-26-2014, 08:25 AM   #6
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5
Posts: 516

Original Poster
Rep: Reputation: 32
I'm still not having much luck here.
As a little experiment, I changed some things in sshd_config
Code:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
UsePAM no
This then allows me to login through ssh with a valid AD user/pass combo, with the log file looking like this:

Code:
May 26 14:20:00 bfmpc20 sshd[22116]: Accepted password for aduser from 192.168.16.19 port 4087 ssh2
Does this mean anything, any ideas?

As I see it, there must be a PAM authentication issue when trying to authenticate an AD user; by performing the test above, this proves that the AD user/pass is being looked up correctly and is correct.
 
Old 06-03-2014, 07:47 AM   #7
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5
Posts: 516

Original Poster
Rep: Reputation: 32
Has anyone here successfully managed to add a current RHEL install to an AD domain? I'm only looking to authenticate users using the AD.

If so, could you please, please advise on how you managed this.

Thanks in advance
 
Old 06-04-2014, 07:07 AM   #8
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 542

Rep: Reputation: 79
If the solution I provided doesn't work for you, I'll not be able to give you any more help as I only set this up on a Debian system.

Sorry about that and best of luck for the rest of your troubleshooting.

Angel.
 
Old 06-05-2014, 08:05 AM   #9
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1-15 RH 6.2/7, RHEL 6.5 SuSE 8.2/11.1, Debian 10.5
Posts: 516

Original Poster
Rep: Reputation: 32
Quote:
Originally Posted by angel115 View Post
If the solution I provided doesn't work for you, I'll not be able to give you any more help as I only set this up on a Debian system.

Sorry about that and best of luck for the rest of your troubleshooting.

Angel.
Your help and interest have been greatly appreciated, but unfortunately, I think I am stuck in pam.d hell.

thanks
 
Old 09-22-2014, 05:06 PM   #10
mtnbiker
LQ Newbie
 
Registered: Aug 2008
Posts: 1

Rep: Reputation: 0
plisken, are you still having issues with AD and samba? I can help if so. Thanks.
 