LinuxQuestions.org

-   -   Active Directory Authentication (https://www.linuxquestions.org/questions/suse-opensuse-60/active-directory-authentication-363721/)

zenix 12-06-2005 02:47 PM

See if the info here helps: http://www.enterprisenetworkingplane...le.php/3487081

gblanton 12-06-2005 03:40 PM

Quote:

Originally Posted by tcaleb
I am just starting to use SUSE Linux, and have had this question brought up to see if it is possible. I have a Windows AD (2003) and I can get the computer object into AD, but I cannot authenticate with an AD account only. I have followed a lot of the steps outlined here, but I am getting an error:

Kerberos_kinit_password host hostname failed. Client not found in Kerberos database.

Any ideas?

Thanks

Check your Kerberos config file and make sure that your realm and admin_server are typed in correctly. Also check that your DNS server is working correctly (ping the admin_server using the host name).

tcaleb 12-07-2005 11:19 AM

I am in the process of reloading SUSE Pro 9.3, so I cannot try things right now. One question I have for you about the Active Directory domain name: we used an XXXXX.LOCAL domain name, does it matter? I know with Macs it did. Also, I went to a terminal window and issued a kinit with a username that is in the domain and not on the Linux box, and it appended the domain name correctly, and it authorized me correctly, so I am assuming that the .conf file is correct.

Thanks

gblanton 12-07-2005 12:19 PM

I am not sure about the .LOCAL domain name. However, I don't think that would be a problem if the DNS is working correctly. Did you modify PAM to use winbind for authentication? I used SuSE 9.3 Pro. I set up the Samba server as a domain member and was able to authenticate via the domain. I installed the winbind library from Samba, set up Kerberos, modified the PAM files, and joined the domain. After that a user could access shared files and use the dialup server, being authenticated via the domain. Just a note that may save you some time: I used all of the pre-installed packages. I did not have to rebuild anything.

LanoX 01-12-2006 05:10 PM

Hey Zenix, do you still offer your help? Please let me know.

thanks heaps

suzannew 02-09-2006 08:59 PM

Hi,

I have SUSE 9.3 integrated with AD. All wbinfo commands work, all getent commands work, the net join worked, ticket refreshes work, mapping a drive from XP to the SUSE box using a domain account works, but I cannot get ssh or normal logins to work; I can't seem to find the right combination for the pam.d configuration. I have set this up successfully before on RHEL, but as there is no system-auth file in SUSE, I tried putting equivalent entries into the pam.d/common* files. This hasn't worked. Do I need to load winbind in PAM at all, because the pam_unix2.conf file has use_krb5 statements?
Can anyone advise?

awkenney 02-17-2006 09:26 AM

I've run through several problems with this situation in SUSE 10.0 and would also like to know how this is done. I've been able to join the workstation to the domain, but that effectively does absolutely nothing if I can't plug the Windows domain username and password into an init 5 type screen and get it to assign privileges and the sort. My woes also come by way of PAM.

Something tells me that I would be able to do this in Fedora 4, but since I can't get Fedora to install without complaining about 5 different hardware scenarios only to botch my Windows partition, I'll pass. I may be required to fall back on Fedora though. We'll see.

I recommend http://weblog.bignerdranch.com/?p=6 to get you started. If you are using SUSE however, there will come a point where you will not be able to execute the directions as they are written. I am attempting to find out what these instructions should be for Suse 10.

suzannew 02-19-2006 06:52 PM

Thanks for the link but it didn't help.
The link info uses the pam.d/system-auth file, which is not present in SUSE (hence my original question/issue). I can su to the domain user, so I know authentication from the box can work. It is just that I can't find the right combination for the pam files, as everything else works without issue. I have several RHEL3 boxes set up that work perfectly (including console login & ssh as domain user w/ assoc. perms.), but this SUSE box is impossible.

stevemg7 03-24-2006 04:09 AM

I have read all of the info here and perhaps I am trying to do something a bit different but I am having issues. I am not a Linux guru or anything but I built a SUSE Linux 10 box and am trying to get it to join our Active Directory 2003 domain and act as a simple file server for internal use to let me backup files to it from an XP or Server 2003 machine.

Nobody is really going to sit at this machine and do any work but we have a bunch of big drives in there and want to be able to copy files from a Windows domain to the SUSE Linux box for short term backup purposes. So I wanted to join it to our domain in order to share out a folder and have an Active Directory user be able to communicate with this box without being prompted to re-authenticate with a local SUSE username/password. Is this possible and/or do I follow the same procedures as above?

Zenix-I am in the exact same boat as you in terms of attempting various things-I tried the Samba Server and Samba Client via YAST as well as the LDAP client and various other methods but I am sure that I am missing something. Most of the documentation out there appears to describe how users can sit locally at a SUSE Linux box and login but I am attempting the opposite-just to have a folder shared to a certain user or group that exists in our domain. Anyone with any pointers or suggestions would be really helpful and appreciated.

suzannew 03-26-2006 08:47 PM

Hi,

Use YaST to install Kerberos, then make the following file edits, restart winbind & samba, then do the kinit & net join.
Following are file extracts of a working Suse 9.3/Win2k3 AD integration. Make sure you keep the time running, and I run a ticket renewal script every 8 hrs.
Have fun.

Dump of Suse 9.3/AD Files
Mon Mar 27 11:34:04 EST 2006

************************************
common-account
*----------------------------------*
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account sufficient pam_winbind.so
account required pam_unix2.so
************************************

************************************
common-auth
*----------------------------------*
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# pam_winbind.so is 'sufficient': an AD user it accepts ends the stack here and never
# reaches pam_unix2.so; local users fail winbind and fall through to pam_unix2.so.
auth required pam_env.so
auth sufficient pam_winbind.so
auth required pam_unix2.so
************************************

************************************
common-password
*----------------------------------*
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix2 in combination
# with pam_pwcheck.

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
# No pam_winbind.so line here, so AD users cannot change their domain password with
# passwd on this box (pam_unix2 only knows local accounts); add
# "password sufficient pam_winbind.so" before pam_unix2.so if that is wanted.
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#password required pam_make.so /var/yp

************************************

************************************
common-session
*----------------------------------*
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix2.
#
session required pam_limits.so
session sufficient pam_winbind.so
session required pam_unix2.so
************************************

************************************
krb5.conf
*----------------------------------*
# WARNING: this configuration file was automatically converted from Heimdal to MIT kerberos.
# It is possible that this configuration file does not work
# Please check the values.
[libdefaults]
default_realm = DOMAINNAME.COM.AU
clockskew = 300
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
# Set this to false to disable MIT krb5 compatibility
# in GSSAPI get_mic/verify_mic, and become compatible
# with older Heimdal releases instead.
gss_mit_compat = true

[realms]
DOMAINNAME.COM.AU = {
kdc = ourdc1.domainname.com.au:88
default_domain = domainname.com.au
admin_server = ourdc1.domainname.com.au:749
}
# The MY.REALM and OTHER.REALM stanzas below are unused leftovers from the SUSE template.
MY.REALM = {
kdc = MY.COMPUTER
}
OTHER.REALM = {
v4_instance_convert = {
kerberos = kerberos
computer = computer.some.other.domain
}
}
[domain_realm]
.my.domain = MY.REALM
# Realm names are case-sensitive: the right-hand side must match the [realms] stanza exactly.
.domainname.com.au = DOMAINNAME.COM.AU
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
************************************

************************************
login
*----------------------------------*
#%PAM-1.0
auth required pam_securetty.so
auth include common-auth
# Because common-auth ends with 'sufficient pam_winbind.so', an AD user accepted by winbind
# never reaches the two lines below; move pam_nologin.so above the include if /etc/nologin
# must also block domain users.
auth required pam_nologin.so
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
session required pam_resmgr.so
************************************

************************************
nsswitch.conf
*----------------------------------*
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

passwd: files winbind
group: files winbind

hosts: files lwres dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files nis
aliases: files

************************************

************************************
passwd
*----------------------------------*
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
************************************

************************************
samba
*----------------------------------*
#%PAM-1.0
auth sufficient pam_winbind.so
auth include common-auth
account sufficient pam_winbind.so
account include common-account
password include common-password
session include common-session

************************************

************************************
smb.conf
*----------------------------------*
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2005-04-04
[global]
# 10 is full debug output: very large logs that can include sensitive session detail;
# drop to 1 once the join works.
log level = 10
# Samba expects the short NetBIOS domain name here (e.g. DOMAINNAME); the DNS name belongs in 'realm'.
workgroup = domainname.com.au
load printers = no
username map = /etc/samba/smbusers
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
domain master = no
local master = no
ldap ssl = No
server signing = Auto
security = ads
password server = 10.10.10.01
realm = domainname.com.au
server string = Samba-SUSE
netbios name = SYSTEMNAME
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
# 'no' disables the NETLOGON secure channel between winbind and the DC; Samba's
# default is auto, and yes is the safe value.
client schannel = no
winbind cache time = 10
winbind enable local accounts = yes

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
inherit acls = Yes

[tmp]
path = /tmp
valid users = DOMAIN\%U
read only = no
case sensitive = no
msdfs proxy = no
************************************

************************************
ssh_config
*----------------------------------*
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
# ForwardAgent no
# ForwardX11 no

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
SendEnv LC_IDENTIFICATION LC_ALL
Protocol 2
GSSAPIAuthentication yes
# Sends the user's Kerberos TGT to every host matched by 'Host *', so any server the user
# logs into can act as that user; enable this only in a Host stanza for trusted machines.
GSSAPIDelegateCredentials yes
************************************

************************************
sshd
*----------------------------------*
#%PAM-1.0
# pam_rootok.so returns success whenever the process calling PAM is uid 0. It is meant for su;
# sshd performs its PAM authentication as root, so as 'sufficient' this line would end the auth
# stack before any password module runs. Keep it out of the sshd stack.
#auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
************************************

************************************
sshd_config
*----------------------------------*
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
ChallengeResponseAuthentication=yes
UsePAM yes

X11Forwarding yes
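gblanton's first reply advised checking that the realm and admin_server in krb5.conf are typed correctly, and the dump above shows how many values have to agree between krb5.conf and smb.conf before kinit and net join will work. The script below is an added example (mine, not code from any post in this thread); it parses the two files and flags the mismatches a practitioner would check first: realm case, the [domain_realm] mapping, the smb.conf realm/workgroup/security settings, and the two settings in the dump that weaken the setup (client schannel = no, log level = 10). The sample configs are constructed to resemble the posted ones, the severity labels and message texts are my own choices, and it does no network checks, so DNS and clock sync still have to be verified on the host itself.

```python
"""Consistency lint for a krb5.conf / smb.conf pair on an AD member (constructed example)."""
import configparser

# Constructed samples modelled on the files posted in the thread (not the poster's exact text).
KRB5_SAMPLE = """\
[libdefaults]
default_realm = DOMAINNAME.COM.AU
clockskew = 300
[realms]
DOMAINNAME.COM.AU = {
kdc = ourdc1.domainname.com.au:88
admin_server = ourdc1.domainname.com.au:749
}
[domain_realm]
.domainname.com.au = domainname.com.au
"""
SMB_SAMPLE = """\
[global]
log level = 10
workgroup = domainname.com.au
security = ads
realm = domainname.com.au
client schannel = no
winbind use default domain = yes
"""

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value or nested dict}}; handles '{ }' blocks."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif stack:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def parse_smb(text):
    """Return smb.conf [global] as a dict; lines are stripped so indented keys are not continuations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    return dict(cp.items("global")) if cp.has_section("global") else {}

def lint(krb5_text, smb_text):
    """Return [(severity, message)] for settings that break or weaken the Kerberos/winbind join."""
    out, krb, smb = [], parse_krb5(krb5_text), parse_smb(smb_text)
    realms, libdefaults = krb.get("realms", {}), krb.get("libdefaults", {})
    default_realm = libdefaults.get("default_realm", "")
    if default_realm != default_realm.upper():
        out.append(("error", f"krb5.conf: default_realm {default_realm!r} must be upper-case"))
    if default_realm not in realms:
        out.append(("error", f"krb5.conf: no [realms] stanza for {default_realm!r}"))
    for realm, entries in realms.items():
        for key in ("kdc", "admin_server"):
            host = entries.get(key, "").rsplit(":", 1)[0] if isinstance(entries, dict) else ""
            if host and "." not in host:
                out.append(("warn", f"krb5.conf: {realm} {key} {host!r} is not a fully qualified DC name"))
    for domain, target in krb.get("domain_realm", {}).items():
        if target not in realms:
            alike = [r for r in realms if r.lower() == target.lower()]
            hint = f"; case differs from {alike[0]!r} (realm names are case-sensitive)" if alike else ""
            out.append(("error", f"krb5.conf: [domain_realm] {domain} -> {target!r} names no defined realm{hint}"))
    if int(libdefaults.get("clockskew", 300)) > 300:
        out.append(("warn", "krb5.conf: clockskew above 300s; AD tolerates 5 minutes, fix NTP instead"))
    if smb.get("security", "").lower() != "ads":
        out.append(("error", "smb.conf: security must be ads for a Kerberos AD member"))
    smb_realm = smb.get("realm", "")
    if smb_realm.lower() != default_realm.lower():
        out.append(("error", f"smb.conf: realm {smb_realm!r} does not match krb5.conf default_realm {default_realm!r}"))
    elif smb_realm != default_realm:
        out.append(("warn", f"smb.conf: write realm upper-case ({default_realm!r}) to match krb5.conf"))
    workgroup = smb.get("workgroup", "")
    if "." in workgroup or len(workgroup) > 15:
        out.append(("warn", f"smb.conf: workgroup {workgroup!r} should be the short NetBIOS domain name (no dots, max 15 chars)"))
    if smb.get("client schannel", "auto").lower() == "no":
        out.append(("warn", "smb.conf: client schannel = no disables the NETLOGON secure channel; use auto or yes"))
    level = (smb.get("log level", "0").split() or ["0"])[0]
    if level.isdigit() and int(level) > 3:
        out.append(("warn", f"smb.conf: log level {level} is debug output; lower it once the join works"))
    return out

if __name__ == "__main__":
    for severity, message in lint(KRB5_SAMPLE, SMB_SAMPLE):
        print(f"{severity:5} {message}")
```

Run as-is it reports the findings for the sample pair; to lint a real host, pass open('/etc/krb5.conf').read() and open('/etc/samba/smb.conf').read() to lint() instead of the samples. An empty result means the two files agree with each other, not that the DC is reachable: that part is still kinit, net ads join and wbinfo -t.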
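Whether the login and sshd stacks above accept a user comes down to Linux-PAM's control flags, and the order of the lines matters more than it looks. The model below is an added example (mine, not part of the post or of any SUSE file): it transcribes the auth lines from the posted common-auth, login and sshd files and walks them with the required/requisite/sufficient rules. The module results in scenarios() are assumptions, in particular that pam_rootok.so succeeds because sshd runs its PAM conversation as uid 0; the model ignores 'optional' lines and the [value=action] syntax.

```python
"""Minimal model of how Linux-PAM walks an auth stack (constructed example)."""

# Auth lines transcribed from the PAM files in the post above; 'include' pulls in another file.
FILES = {
    "common-auth": [("required", "pam_env.so"),
                    ("sufficient", "pam_winbind.so"),
                    ("required", "pam_unix2.so")],
    "login": [("required", "pam_securetty.so"),
              ("include", "common-auth"),
              ("required", "pam_nologin.so"),
              ("required", "pam_mail.so")],
    "sshd": [("sufficient", "pam_rootok.so"),   # the pam_rootok.so line from the posted sshd file
             ("include", "common-auth")],
    "sshd-fixed": [("include", "common-auth")],  # same stack without pam_rootok.so
}

def expand(files, name):
    """Flatten 'include' lines so the stack can be walked top to bottom."""
    stack = []
    for control, module in files[name]:
        stack.extend(expand(files, module) if control == "include" else [(control, module)])
    return stack

def evaluate(stack, results):
    """Walk the stack with Linux-PAM control-flag rules.
    results maps module -> True/False (what the module would return for this login).
    Returns (outcome, modules actually called)."""
    called, required_failed, any_ok = [], False, False
    for control, module in stack:
        ok = results.get(module, False)
        called.append(module)
        if control in ("required", "requisite"):
            if ok:
                any_ok = True
            elif control == "requisite":
                return "fail", called          # requisite failure ends the stack at once
            else:
                required_failed = True         # required failure: keep going, outcome is fixed
        elif control == "sufficient" and ok and not required_failed:
            return "success", called           # nothing after this line is consulted
        # 'optional' results are ignored unless they are the only module (not modelled)
    return ("success" if any_ok and not required_failed else "fail"), called

def scenarios():
    """Outcomes for the stacks above under a few assumed module results."""
    ad_user = {"pam_securetty.so": True, "pam_env.so": True, "pam_winbind.so": True,
               "pam_unix2.so": False, "pam_nologin.so": True, "pam_mail.so": True}
    local_user = dict(ad_user, **{"pam_winbind.so": False, "pam_unix2.so": True})
    bad_password = dict(ad_user, **{"pam_winbind.so": False, "pam_unix2.so": False})
    ad_user_nologin = dict(ad_user, **{"pam_nologin.so": False})  # /etc/nologin present
    # Assumption: pam_rootok.so returns success because the process calling PAM
    # (sshd's authentication) runs as uid 0, regardless of the password offered.
    root_caller = dict(bad_password, **{"pam_rootok.so": True})
    login, sshd, fixed = (expand(FILES, n) for n in ("login", "sshd", "sshd-fixed"))
    return {
        "login/ad-user": evaluate(login, ad_user),
        "login/local-user": evaluate(login, local_user),
        "login/bad-password": evaluate(login, bad_password),
        "login/ad-user+nologin": evaluate(login, ad_user_nologin),
        "sshd/pam_rootok": evaluate(sshd, root_caller),
        "sshd-fixed/pam_rootok": evaluate(fixed, root_caller),
    }

if __name__ == "__main__":
    for name, (outcome, called) in scenarios().items():
        print(f"{name:24} {outcome:8} called: {', '.join(called)}")
```

Two things the output makes visible: an AD user accepted by the sufficient pam_winbind.so line returns from the login stack before pam_nologin.so is consulted, so /etc/nologin does not apply to domain users with the posted ordering; and with pam_rootok.so at the top of sshd the password modules are never called at all, whereas the same stack without that line fails the bad-password case as expected.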

SoloTOandO 01-24-2007 09:23 AM

I would be interested in the documentation as well. I'm a very new Linux user. I have a Windows 2003 server/domain and I would like to add my SUSE 10.2 box to it as well as us AD for authentication. So if someone can tell me the link to the documentation (assuming it's completed) or point me in the right direction, I'd very much appreciate it. Thanks in advance.

ghys 02-05-2007 12:14 PM

I would also LOVE to get some how-to on the working scenario.
I have been working (well, pulling out all of my hair) for the past weeks, and I stopped counting the hours trying to get some sort of authentication from my Suse 10 Ent. Server to the Win2003 AD. I only want to share folders, get a backup folder to dump backup files and get a SINGLE user/admin authentication for local users....

Why is it so complicated?
Being stuck with 2 OSes is hell, and I cannot change the Windows, because some applications are stored there and are Win only (DOS).

thanks for your great help.

cordth 02-07-2007 11:42 AM

Authentication on a Windows 2003 Domain
 
Daniel,

Can you point me to your directions or e-mail me the steps.... I've been looking all around and I'd like to see if your installation guide will work for me.

Thanks,

Cordt
----------------
Quote:

Originally Posted by zenix
The good news is... we got this to work.

My partner and I spent almost 20 hours straight getting there, but we did. As it turns out (I know no one else has had this happen) it took several pieces of incomplete documentation to get it to work, but it does. The even better news is that this has been deployed as a production server for one of our remote offices. Since this environment requires Active Directory, it was nice to finally find a way of integrating Linux (more specifically, Suse) where it fits. This server build will become our template for deploying new remote offices... very cool!!! This setup works sooo well. Complete, seamless integration with the AD environment (a member of the AD domain, fully capable of using AD usernames/passwords and security). The user at the desktop doesn't have any way of telling it's a Linux box in the back; it behaves exactly the same. We even left it running headless (no keyboard, monitor or mouse), doing all administration via ssh.

If there's enough interest, I will take the time to write a real how-to specifically for Suse. So, let me know in this thread if you would be interested in seeing this documentation brought to life.

Thanks to those who offered their help.

My new motto: Moving Linux from the edge to the heart of the enterprise.

~Daniel


ghys 02-08-2007 08:00 AM

I have found this small X application to help configure all files to connect to AD.
It is called SADMS (http://sadms.sourceforge.net/).

It works! But for my part I see the Samba inside the AD and network browser, but I still need to enter user/pass and it does not give me the OK to enter. So there is still a bug somewhere in my files. The good thing is that SADMS configures all files, then you can tweak them as you wish.

Like cordth, i would like some new pointers.

ghys 03-22-2007 10:00 AM

looks like this topic is dead...
Am I the only one out there trying to make this Samba/AD combo work?

Anyone got up to date info?
many thanks.

p.s: still would love to get the "promised" how-to guide :D

