Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
08-16-2005, 09:22 AM
|
#1
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Rep:
|
Joined Domain, can't login as domain user
Hi everybody, it's been a while since I lasted posted here, unfortunately. I got a new job that puts me more in the windows world than I might have liked, but it pays the bills and provides great experience, so I'll suck it up. Because I am in this windows shops, however, I figured it was prime real estate for figuring out how I can get Linux to operate seemlessly within its walls. I've managed to configure Samba, winbind, and kerberos. A kinit [user]@DOMAIN works fine, a Samba net ads join starts off okay, and then says some shpeel about "found glibc" and goes into a memory dump, but after that, when I try a wbinfo -u or -g, it spits back the correct information, so I figure it's still working okay. My next step was to create a local user which mirrors my domain user, minus password. When I attempt to login with this account, it fails, and my logs spit back the NT_NO_SUCH_USER or something along those lines. When I query ADS in my windows box, as the domain admin, my linux box shows up as a Domain Controller, which I'd like to change some how. Does anybody have any suggestions why everything would work except for user authentication, and why would my linux box show up as a domain controller when it should be a workstation? I've googled, and followed the docs to the T. Also, can anybody recommend some good ADS managment tools, command line is preferred. I am removing and adding users/computers to the domain on a daily basis and need this functionality if I'm to switch to Linux. Thanks in advance!
Mike.
Last edited by mikeyt_333; 08-16-2005 at 09:23 AM.
|
|
|
08-16-2005, 02:07 PM
|
#2
|
LQ Newbie
Registered: May 2005
Location: PA
Distribution: RedHat 7
Posts: 16
Rep:
|
Mikey,
I'm no pro, but when I added 2 new Linux boxes to my network and had to force them to talk to the Windows monster, I added Samba, Kerberos and the likes...but nothing worked until WINS was enabled and RUNNING on the monster box. For some reason Samba likes the WINS protocol. Can't hurt to try it.
As for your DC problem, thats strange...but if your windows box is listed as a Backup Domain Controller you should be able to promote it to DC after taking the Linux box down for a minute. I get eventvwr logs all the time that say my Linux boxes are fighting over control, but they don't win.
Hope this helps a bit or at least causes you to have your own brain-snap!
|
|
|
08-16-2005, 03:52 PM
|
#3
|
Member
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184
Rep:
|
If you're using AD to authenticate users, why do you need to create user on the local Linux machine?
Anyways, did you make the necessary changes in the following files?
smb.conf
nsswitch.conf
krb5.conf
pam_unix2.conf
PAM configuration files for login, xdm (KDE login) or gdm (Gnome login)
|
|
|
08-16-2005, 04:25 PM
|
#4
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
Thanks for the replies guys!
I don't think it has to do with WINS, I am able to resolve things okay, the issue relates to my PDC responding with a NT_NO_SUCH_USER or some such error. This box is only a workstation, and as such should be added under that role, regardless of how it actually works on the network, is there something in smb.conf that deligates what it should join as?
I know I have edited the following files, and can post them if needed:
smb.conf
krb5.conf
/etc/pam.d/login
I'm not certain about nsswitch.conf, I'm not in linux at the moment so I can't tell.
I read somewhere that adding a local user is necessary, even when authenticating via AD, truthfully, it didn't make sense to me either, but I was trying anything. Also, having a local user will allow me to login when the PDC is inaccessable.
Thanks again for the replies, I will post errors, and conf files in a bit.
|
|
|
08-16-2005, 05:44 PM
|
#5
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
Updates
Okay, here are my configs:
smb.conf:
Code:
[global]
workgroup = [WORKGROUP]
realm = [FULLDOMAINNAME]
server string = Samba Server
printcap name = cups
load printers = yes
printing = cups
cups options = raw
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = [PDC]
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
[homes]
comment = Home Directories
browseable = no
read only = no
valid users = %s
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
nsswitch.conf:
Code:
passwd: compat winbind
shadow: compat
group: compat winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
krb5.conf:
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = [MY.DOMAIN.CONTROLLER]
[realms]
[DOMAIN] = {
kdc = [MY.DOMAIN.CONTROLLER]
}
[domain_realm]
.kerberos.server = [MY.DOMAIN.CONTROLLER]
I just noticed some descrepencies in the krb5.conf, notice that my default_realm is MY.DOMAIN.CONTROLLER, and then my realms definitions only have my DOMAIN listed as a realm, I'll see what happens when this is changed, although, kinit works just fine when I do:
Code:
kinit -U [USERNAME]@[MY.DOMAIN.CONTROLLER]
/etc/pam.d/login:
Code:
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient /lib/security/pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
The dump I get when trying to join:
Code:
[root@hostname etc]# net ads join -U [USERNAME]
[USERNAME]'s password:
[2005/08/16 16:20:20, 0] libads/ldap.c:ads_add_machine_acct(1512)
Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- WSC
[2005/08/16 16:20:20, 0] libads/kerberos.c:get_service_ticket(337)
get_service_ticket: kerberos_kinit_password [HOSTNAME]$@[DOMAIN]@[DOMAIN] failed: Client not found in Kerberos database
Joined '[HOSTNAME]' to realm '[DOMAIN]'
*** glibc detected *** net: free(): invalid pointer: 0x00523db0 ***
======= Backtrace: =========
/lib/libc.so.6[0x2ae424]
/lib/libc.so.6(__libc_free+0x77)[0x2ae95f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x114abb]
/usr/lib/libkrb5.so.3[0x4c18c4]
/usr/lib/libkrb5.so.3[0x4c15c7]
/usr/lib/libkrb5.so.3[0x5129da]
/lib/ld-linux.so.2[0xa4d058]
/lib/libc.so.6(exit+0xc5)[0x275c69]
/lib/libc.so.6(__libc_start_main+0xce)[0x25fdee]
net[0xaff0f1]
======= Memory map: ========
00111000-00113000 r-xp 00000000 03:06 660203 /usr/lib/libkrb5support.so.0.0
00113000-00114000 rwxp 00001000 03:06 660203 /usr/lib/libkrb5support.so.0.0
00114000-00116000 r-xp 00000000 03:06 576357 /lib/libcom_err.so.2.1
00116000-00117000 rwxp 00001000 03:06 576357 /lib/libcom_err.so.2.1
00117000-0012c000 r-xp 00000000 03:06 664122 /usr/lib/libsasl2.so.2.0.20
0012c000-0012d000 rwxp 00015000 03:06 664122 /usr/lib/libsasl2.so.2.0.20
0012d000-0013f000 r-xp 00000000 03:06 650204 /usr/lib/libz.so.1.2.2.2
0013f000-00140000 rwxp 00011000 03:06 650204 /usr/lib/libz.so.1.2.2.2
00140000-00142000 r-xp 00000000 03:06 644734 /usr/lib/gconv/IBM850.so
00142000-00144000 rwxp 00001000 03:06 644734 /usr/lib/gconv/IBM850.so
00144000-0014d000 r-xp 00000000 03:06 1024053 /lib/libnss_files-2.3.5.so
0014d000-0014e000 r-xp 00008000 03:06 1024053 /lib/libnss_files-2.3.5.so
0014e000-0014f000 rwxp 00009000 03:06 1024053 /lib/libnss_files-2.3.5.so
00227000-0024a000 r-xp 00000000 03:06 660226 /usr/lib/libk5crypto.so.3.0
0024a000-0024b000 rwxp 00023000 03:06 660226 /usr/lib/libk5crypto.so.3.0
0024b000-0036f000 r-xp 00000000 03:06 1024103 /lib/libc-2.3.5.so
0036f000-00371000 r-xp 00124000 03:06 1024103 /lib/libc-2.3.5.so
00371000-00373000 rwxp 00126000 03:06 1024103 /lib/libc-2.3.5.so
00373000-00375000 rwxp 00373000 00:00 0
0037b000-0037d000 r-xp 00000000 03:06 644827 /usr/lib/gconv/UTF-16.so
0037d000-0037f000 rwxp 00001000 03:06 644827 /usr/lib/gconv/UTF-16.so
00457000-00458000 r-xp 00457000 00:00 0
004b2000-00521000 r-xp 00000000 03:06 660238 /usr/lib/libkrb5.so.3.2
00521000-00524000 rwxp 0006e000 03:06 660238 /usr/lib/libkrb5.so.3.2
00587000-005bb000 r-xp 00000000 03:06 654761 /usr/lib/libldap-2.2.so.7.0.16
005bb000-005bd000 rwxp 00033000 03:06 654761 /usr/lib/libldap-2.2.so.7.0.16
00607000-0063c000 r-xp 00000000 03:06 1025680 /lib/libssl.so.0.9.7f
0063c000-0063f000 rwxp 00035000 03:06 1025680 /lib/libssl.so.0.9.7f
006fc000-0070b000 r-xp 00000000 03:06 576355 /lib/libresolv-2.3.5.so
0070b000-0070c000 r-xp 0000e000 03:06 576355 /lib/libresolv-2.3.5.so
0070c000-0070d000 rwxp 0000f000 03:06 576355 /lib/libresolv-2.3.5.so
0070d000-0070f000 rwxp 0070d000 00:00 0
00738000-0073c000 r-xp 00000000 03:06 1024050 /lib/libnss_dns-2.3.5.so
0073c000-0073d000 r-xp 00003000 03:06 1024050 /lib/libnss_dns-2.3.5.so
0073d000-0073e000 rwxp 00004000 03:06 1024050 /lib/libnss_dns-2.3.5.so
0080d000-00812000 r-xp 00000000 03:06 576366 /lib/libcrypt-2.3.5.so
00812000-00813000 r-xp 00004000 03:06 576366 /lib/libcrypt-2.3.5.so
00813000-00814000 rwxp 00005000 03:06 576366 /lib/libcrypt-2.3.5.so
00814000-0083b000 rwxp 00814000 00:00 0
008be000-008d0000 r-xp 00000000 03:06 576360 /lib/libnsl-2.3.5.so
008d0000-008d1000 r-xp 00011000 03:06 576360 /lib/libnsl-2.3.5.so
008d1000-008d2000 rwxp 00012000 03:06 576360 /lib/libnsl-2.3.5.so
008d2000-008d4000 rwxp 008d2000 00:00 0
008d4000-009cc000 r-xp 00000000 03:06 1025679 /lib/libcrypto.so.0.9.7f
009cc000-009de000 rwxp 000f8000 03:06 1025679 /lib/libcrypto.so.0.9.7f
009de000-009e1000 rwxp 009de000 00:00 0
009ea000-00a01000 r-xp 00000000 03:06 660467 /usr/lib/libgssapi_krb5.so.2.2
00a01000-00a02000 rwxp 00017000 03:06 660467 /usr/lib/libgssapi_krb5.so.2.2
00a3f000-00a59000 r-xp 00000000 03:06 1024101 /lib/ld-2.3.5.so
00a59000-00a5a000 r-xp 00019000 03:06 1024101 /lib/ld-2.3.5.so
00a5a000-00a5b000 rwAborted
The part of the dump referring to: "Client not found in Kerberos database" is repeated about 30 times before the rest of it happens.
And finally, here's the actual error in my /var/log/messages:
Code:
Aug 16 16:23:16 [HOSTNAME] pam_winbind[2464]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
Aug 16 16:23:16 [HOSTNAME] login(pam_unix)[2464]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost= user=[USERNAME]
Wow, that's a doozy, thanks for any help you can provide, I will keep fighting it.
Mike.
|
|
|
08-16-2005, 06:23 PM
|
#6
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
I just found this in my /var/log/samba/winbindd.log:
Code:
[2005/08/16 17:19:51, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
Authentication for domain [LOCALHOST] (local domain to this server) not supported at this stage
where [LOCALHOST] refers to my machines hostname, shouldn't that be the domain I'm trying to authenticate to?
And, when I do: getent passwd I can grep for my domain user:
Code:
[root@[HOST] samba]# getent passwd | grep [USERNAME]
[DOMAIN]\[USERNAME]:*:16780718:16777218:[USERNAME]:/home/[DOMAIN]/[USERNAME]:/bin/false
Last edited by mikeyt_333; 08-16-2005 at 06:31 PM.
|
|
|
08-16-2005, 06:41 PM
|
#7
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
k, some progress! When I did getent passwd I noticed that the format of each user was:
[DOMAIN]\[USERNAME]
So, I tried logging in with that format, and it worked, but I didn't have the perms to create the users directory so I'm working on that now.
|
|
|
08-16-2005, 07:35 PM
|
#8
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
WOOHOO! I got it! When I finally for getent passwd printing the correct information, I tried logging in, and the screen simply flashed. This was because somewhere, the default user directory for new users was /home/[DOMAIN/[USERNAME]. The user didn't have permissions to create /home/[DOMAIN], so, creating it as root allowed the user permissions to create their user directory in /home/[DOMAIN]. This got me access to the console. Then, I couldn't log into X-windows. This was because my /etc/pam.d/gdm didn't reflect the same changes in /etc/pam.d/login. By making my /etc/pam.d/gdm the following:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_stack.so service=system-auth
session optional pam_console.so
I was able to login as a Domain user! I am so stoked! Now, does anybody know of good tools for managing computers and users on the domain, primarily adding and deleting users? Thanks for your help everybody, I hope somebody finds this thread useful in the future!
|
|
|
08-16-2005, 08:55 PM
|
#9
|
Member
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184
Rep:
|
Just as a note, you always have to login from the Linux machine using the DOMAIN\username format because Windows has to know which domain the user belongs to. The reason we don't do this in Windows is because it has a Domain field on the login box that specifies the domain to which we're logging in.
|
|
|
08-17-2005, 12:42 AM
|
#10
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
gotcha. Any ideas why ntlm wouldn't function properly, and is there a way to make it so a domain user can log on when the system isn't connected to the domain? Thanks!
|
|
|
08-17-2005, 07:48 PM
|
#11
|
Member
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184
Rep:
|
I can only think that you would need the Name Service Caching Daemon (nscd) running to cache previous logins if you want users to login when not connected to the domain. I haven't tested this myself as many people stated nscd should be turned off when using Samba authentication to AD. I don't remember why though
|
|
|
08-26-2005, 01:03 AM
|
#12
|
LQ Newbie
Registered: Aug 2005
Location: Sydney
Posts: 3
Rep:
|
linux logon to domain problem
Hi,
I am very new to linux system. What i am trying to do now is to set up a server that is similar to windows server. My situation is as following:
I got eight linux machine, one installed fedora 4 (set as server) and the other seven is fedora 2 (no time to reinstall).
I got another 4-5 winXP machines.
What i want to know is, how can i setup the linux server such that all the user accounts are only created/deleted inside the server instead of creating the user account in every machines? Using samba?NIS? And after the server is setup, how can i configure the linux clients such that i can choose which domain i want to log on? Thank you for responses and hope can find help here.
Mike
|
|
|
08-26-2005, 08:25 AM
|
#13
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Original Poster
Rep:
|
First, your best chance of getting help with an issue like this is to open a new thread, rather than posting in a thread that has a totally different focus. People will read this thread to help with the question at hand, which is what they would do if they saw a new thread with your own heading. Go here, and read through the document, it will tell you everything you need to know:
http://us3.samba.org/samba/docs/man/...ion/index.html
|
|
|
All times are GMT -5. The time now is 05:52 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|