I'm in the process of replacing 6 PCs in our environment and have made the choice of running RHEL 6.5 with Self Support subscriptions (had contemplated CentOS but that's another matter).
So, our environment consists of a Windows SBS 2003 DC, a BES running on Win2003, around 40 PCs in various flavours of Windows and a couple of Slackware storage boxes.
Currently everything works as intended so I'm looking to add the RHEL machine to our domain and have followed almost every guide I can find on our good friend Google with varying results and have since got myself caught in an install/remove nightmare and in need of some help/guidance.
I've tried:
Code:
yum -y install samba samba-client samba-common samba-winbind samba-winbind-clients
This throws problems (full log shown for clarity):
Code:
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-desktop-rpms | 3.7 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package samba-client.i686 0:3.6.9-168.el6_5 will be installed
--> Processing Dependency: samba-common = 3.6.9-168.el6_5 for package: samba-client-3.6.9-168.el6_5.i686
---> Package samba-winbind.i686 0:3.6.9-168.el6_5 will be installed
---> Package samba-winbind-clients.i686 0:3.6.9-168.el6_5 will be installed
---> Package samba4.i686 0:4.0.0-61.el6_5.rc4 will be installed
--> Running transaction check
---> Package samba-common.i686 0:3.6.9-168.el6_5 will be installed
--> Processing Conflict: samba4-client-4.0.0-61.el6_5.rc4.i686 conflicts samba-client < 3.9.9
--> Processing Conflict: samba4-common-4.0.0-61.el6_5.rc4.i686 conflicts samba-common < 3.9.9
--> Processing Conflict: samba4-winbind-4.0.0-61.el6_5.rc4.i686 conflicts samba-winbind < 3.9.9
--> Processing Conflict: samba4-winbind-clients-4.0.0-61.el6_5.rc4.i686 conflicts samba-winbind-clients < 3.9.9
--> Finished Dependency Resolution
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-168.el6_5.i686
Error: samba4-client conflicts with samba-client-3.6.9-168.el6_5.i686
Error: samba4-winbind conflicts with samba-winbind-3.6.9-168.el6_5.i686
Error: samba4-common conflicts with samba-common-3.6.9-168.el6_5.i686
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
As you can see, samba4 is mentioned, so I have tried to install samba rpms manually, this doesn't help. I have also tried to install samba4 instead, which obviously does install with yum, but can't get authentication to work with our AD domain.
I've got 2 questions really
1) Does anyone have a robust guide to get RHEL 6.5 working with a Win2003 AD domain? I just want AD users to be able to login to the machine, nothing more for the moment.
2) How can I install samba 3 and not samba 4 using yum, found no real help on the RedHat site unfortunately.
Thanks for any and all help
I eventually got samba installed without any samba 4 parts by
Code:
yum install samba-*
Code:
rpm -qa | grep samba
now shows
Code:
samba-winbind-krb5-locator-3.6.9-168.el6_5.i686
samba-common-3.6.9-168.el6_5.i686
samba-domainjoin-gui-3.6.9-168.el6_5.i686
samba-winbind-3.6.9-168.el6_5.i686
samba-3.6.9-168.el6_5.i686
samba-doc-3.6.9-168.el6_5.i686
samba-winbind-clients-3.6.9-168.el6_5.i686
That's where I'm at, I can now Setup > Authentication Configuration and see that I have joined the domain, but I still can't login to the machine using a valid domain user/pass combo
shows a list of all domain users, as expected but still can't logon using any of those credentials.
Also noticed that the smb service is not running, status shows: smbd dead but pid file exists
Removed samba and reinstalled all, following with Setup > Authentication Configuration and see smb is running ok, machine is part of the domain, but as mentioned still can't authenticate with a valid domain user/pass combo.
UPDATE
OK, here is where I am: I have the machine installed and working, connected to the AD domain, can see the computer in AD, both resolve to each other and the following commands work and give expected results:
wbinfo -u [gives AD user list]
wbinfo -g [gives AD group list]
net ads testjoin [gives Join is OK]
net ads info
[gives]
Code:
LDAP server: 192.168.16.2
LDAP server name: BFMSRV01.mydomain.local
Realm: MYDOMAIN.LOCAL
Bind Path: dc=MYDOMAIN,dc=LOCAL
LDAP port: 389
Server time: Wed, 21 May 2014 07:16:27 BST
KDC server: 192.168.16.2
Server time offset: 0
If I try and login to the machine using known username but incorrect password combo I am presented with an Access Denied text as expected and the log from this shows:
Code:
May 21 07:19:57 bfmpc20 sshd[8563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local user=aduser
May 21 07:19:58 bfmpc20 sshd[8563]: pam_krb5[8563]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
May 21 07:19:58 bfmpc20 sshd[8563]: pam_winbind(sshd:auth): user 'aduser' denied access (incorrect password or invalid membership)
May 21 07:20:00 bfmpc20 sshd[8563]: Failed password for aduser from 192.168.16.19 port 3983 ssh2
May 21 07:20:03 bfmpc20 sshd[8564]: Connection closed by 192.168.16.19
If however, I use a valid user/password combo, I am not presented with an Access Denied text but instead the session simply closes and the log from this is as follows:
Code:
May 21 07:24:54 bfmpc20 sshd[8580]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local user=aduser
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: account checks fail for 'aduser': can't resolve KDC addresses
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: Failed password for aduser from 192.168.16.19 port 4002 ssh2
May 21 07:24:55 bfmpc20 sshd[8581]: fatal: Access denied for user aduser by PAM account configuration
As a final note for THIS update, if while logged in as root, I
I get access and the log looks like this
Code:
May 21 07:24:54 bfmpc20 sshd[8580]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local user=aduser
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: account checks fail for 'aduser': can't resolve KDC addresses
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8580]: Failed password for aduser from 192.168.16.19 port 4002 ssh2
May 21 07:24:55 bfmpc20 sshd[8581]: fatal: Access denied for user aduser by PAM account configuration
May 21 07:27:45 bfmpc20 su: pam_unix(su:session): session opened for user aduser by plisken(uid=0)
So that's where I am, getting somewhere but not quite there...
If anyone has anything to offer, please do, I don't have that many options, kind of got myself into a position where I really need to get these RH boxes authenticating with our AD.
If you want any conf files posted, I can do.
Thanks in advance...
UPDATE
On attempting to log in with a valid AD username/password combo, connection closes and the log now looks like this:
Code:
May 21 14:53:44 bfmpc20 sshd[9815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc20.mydomain.local user=aduser
May 21 14:53:44 bfmpc20 sshd[9815]: pam_krb5[9815]: TGT failed verification using keytab and key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL': Key version number for principal in key table is incorrect
May 21 14:53:44 bfmpc20 sshd[9815]: pam_krb5[9815]: authentication fails for 'aduser' (aduser@MYDOMAIN.LOCAL): Authentication failure (Success)
May 21 14:53:44 bfmpc20 sshd[9815]: pam_winbind(sshd:auth): getting password (0x00000210)
May 21 14:53:44 bfmpc20 sshd[9815]: pam_winbind(sshd:auth): pam_get_item returned a password
May 21 14:53:44 bfmpc20 sshd[9815]: pam_winbind(sshd:auth): user 'aduser' granted access
May 21 14:53:45 bfmpc20 sshd[9815]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 14:53:45 bfmpc20 sshd[9815]: Failed password for aduser from 192.168.16.47 port 35367 ssh2
May 21 14:53:45 bfmpc20 sshd[9816]: fatal: Access denied for user aduser by PAM account configuration
Any takers yet?
UPDATE
I've made some changes, pretty much removing config files and starting to repeat some steps, and now have a slightly different log on authentication failure, as below.
This is, when I log in (ssh) with a known username/password combo from AD, I am not presented with any Access Denied or similar, the terminal simply closes.
/var/log/secure
Code:
May 22 07:17:38 bfmpc20 sshd[2569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bfmpc01.mydomain.local user=aduser
May 22 07:17:38 bfmpc20 sshd[2569]: pam_krb5[2569]: TGT verified using key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL'
May 22 07:17:39 bfmpc20 sshd[2569]: pam_krb5[2569]: authentication succeeds for 'aduser' (aduser@MYDOMAIN.LOCAL)
May 22 07:17:39 bfmpc20 sshd[2569]: pam_winbind(sshd:account): user 'aduser' granted access
May 22 07:17:39 bfmpc20 sshd[2569]: Failed password for aduser from 192.168.16.19 port 3649 ssh2
May 22 07:17:39 bfmpc20 sshd[2570]: fatal: Access denied for user aduser by PAM account configuration
Same but with a graphical login attempt (I know log seems to show access but I can assure you, there is none, graphical login screen simply refreshes)
/var/log/secure
Code:
May 22 07:30:27 bfmpc20 pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=aduser
May 22 07:30:27 bfmpc20 pam: gdm-password: pam_krb5[2458]: TGT verified using key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL'
May 22 07:30:28 bfmpc20 pam: gdm-password: pam_krb5[2458]: authentication succeeds for ' aduser ' (aduser @MYDOMAIN.LOCAL)
May 22 07:30:28 bfmpc20 pam: gdm-password: pam_winbind(gdm-password:account): user ' aduser ' granted access
Is there anyone that can offer any assistance?
Or "Are there no more heroes left in the world?"
Yet another update
Code:
May 22 12:31:14 bfmpc20 sshd[3771]: pam_krb5[3771]: TGT verified using key for 'host/bfmpc20.mydomain.local@MYDOMAIN.LOCAL'
May 22 12:31:14 bfmpc20 sshd[3771]: pam_krb5[3771]: authentication succeeds for 'aduser' (aduser@MYDOMAIN.LOCAL)
May 22 12:31:14 bfmpc20 sshd[3771]: pam_winbind(sshd:account): user 'aduser' granted access
May 22 12:31:14 bfmpc20 sshd[3771]: Failed password for aduser from 192.168.16.19 port 4604 ssh2
May 22 12:31:14 bfmpc20 sshd[3772]: fatal: Access denied for user aduser by PAM account configuration
Anyone?
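Added example, not part of the original post: a small Python pass over /var/log/secure lines like the excerpts above. It groups each PAM module's auth and account outcome per login attempt and singles out attempts that sshd rejected at the account phase although no module logged an account failure. The function names and the abridged sample are constructed for illustration; attempts are keyed by user name (an assumption) because the fatal line is logged by a different sshd pid.

```python
import re

RULES = [
    (re.compile(r"(pam_unix)\(\S+?:(auth)\): authentication failure;.* user=(\S+)"), "fail"),
    (re.compile(r"(pam_krb5)\[\d+\]: (authentication) fails for '([^']+)'"), "fail"),
    (re.compile(r"(pam_krb5)\[\d+\]: (authentication) succeeds for '([^']+)'"), "ok"),
    (re.compile(r"(pam_krb5)\[\d+\]: (account) checks fail for '([^']+)'"), "fail"),
    (re.compile(r"(pam_winbind)\(\S+?:(\w+)\): user '([^']+)' granted access"), "ok"),
    (re.compile(r"(pam_winbind)\(\S+?:(\w+)\): user '([^']+)' denied access"), "fail"),
]
DENIED = re.compile(r"fatal: Access denied for user (\S+) by PAM account configuration")

def trace_attempts(text):
    """One dict per login attempt: user, {(module, phase): outcome}, verdict."""
    pending, done = {}, []
    def flush(user, verdict):
        done.append({"user": user, "results": pending.pop(user, {}), "verdict": verdict})
    for line in text.splitlines():
        denied = DENIED.search(line)
        if denied:  # logged by a second sshd pid, so attempts are keyed by user
            flush(denied.group(1), "account-denied")
        for pattern, outcome in RULES:
            m = pattern.search(line)
            if m:
                module, phase, user = m.groups()
                key = (module, "auth" if phase.startswith("auth") else phase)
                if key in pending.get(user, {}):  # same module/phase again: new attempt
                    flush(user, "no-verdict")
                pending.setdefault(user, {})[key] = outcome
                break
    for user in list(pending):
        flush(user, "no-verdict")
    return done

def silent_account_denials(attempts):
    """Attempts denied at the account phase with no account-phase failure logged."""
    return [a for a in attempts if a["verdict"] == "account-denied" and not any(
        phase == "account" and outcome == "fail" for (_, phase), outcome in a["results"].items())]

# Constructed sample: lines abridged from the 21 May 07:24 and 22 May 07:17 excerpts.
SAMPLE = """\
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: authentication fails for 'aduser' (aduser@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)
May 21 07:24:55 bfmpc20 sshd[8580]: pam_krb5[8580]: account checks fail for 'aduser': can't resolve KDC addresses
May 21 07:24:55 bfmpc20 sshd[8580]: pam_winbind(sshd:account): user 'aduser' granted access
May 21 07:24:55 bfmpc20 sshd[8581]: fatal: Access denied for user aduser by PAM account configuration
May 22 07:17:39 bfmpc20 sshd[2569]: pam_krb5[2569]: authentication succeeds for 'aduser' (aduser@MYDOMAIN.LOCAL)
May 22 07:17:39 bfmpc20 sshd[2569]: pam_winbind(sshd:account): user 'aduser' granted access
May 22 07:17:39 bfmpc20 sshd[2570]: fatal: Access denied for user aduser by PAM account configuration
"""
print(silent_account_denials(trace_attempts(SAMPLE)))
```

On the sample, the 21 May attempt carries a logged pam_krb5 account failure, while the 22 May attempt is returned as a silent denial: every module that logged reported success, so the refusal came from an account-stack entry that wrote nothing to the lines shown.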