LinuxQuestions.org
Old 08-16-2005, 09:22 AM   #1
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Rep: Reputation: 30
Joined Domain, can't login as domain user


Hi everybody, it's been a while since I last posted here, unfortunately. I got a new job that puts me more in the Windows world than I might have liked, but it pays the bills and provides great experience, so I'll suck it up. Because I am in this Windows shop, however, I figured it was prime real estate for figuring out how I can get Linux to operate seamlessly within its walls.

I've managed to configure Samba, winbind, and Kerberos. A kinit [user]@DOMAIN works fine, a Samba net ads join starts off okay, and then says some spiel about "found glibc" and goes into a memory dump, but after that, when I try a wbinfo -u or -g, it spits back the correct information, so I figure it's still working okay. My next step was to create a local user which mirrors my domain user, minus password. When I attempt to log in with this account, it fails, and my logs spit back NT_NO_SUCH_USER or something along those lines. When I query ADS from my Windows box, as the domain admin, my Linux box shows up as a Domain Controller, which I'd like to change somehow.

Does anybody have any suggestions why everything would work except for user authentication, and why my Linux box would show up as a domain controller when it should be a workstation? I've googled, and followed the docs to the T. Also, can anybody recommend some good ADS management tools? Command line is preferred. I am removing and adding users/computers to the domain on a daily basis and need this functionality if I'm to switch to Linux. Thanks in advance!

Mike.

Last edited by mikeyt_333; 08-16-2005 at 09:23 AM.
 
Old 08-16-2005, 02:07 PM   #2
juswastntm
LQ Newbie
 
Registered: May 2005
Location: PA
Distribution: RedHat 7
Posts: 16

Rep: Reputation: 0
Mikey,

I'm no pro, but when I added 2 new Linux boxes to my network and had to force them to talk to the Windows monster, I added Samba, Kerberos and the like... but nothing worked until WINS was enabled and RUNNING on the monster box. For some reason Samba likes the WINS protocol. Can't hurt to try it.

As for your DC problem, that's strange... but if your Windows box is listed as a Backup Domain Controller you should be able to promote it to DC after taking the Linux box down for a minute. I get eventvwr logs all the time that say my Linux boxes are fighting over control, but they don't win.

Hope this helps a bit or at least causes you to have your own brain-snap!
 
Old 08-16-2005, 03:52 PM   #3
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
If you're using AD to authenticate users, why do you need to create a user on the local Linux machine?

Anyways, did you make the necessary changes in the following files?

smb.conf
nsswitch.conf
krb5.conf
pam_unix2.conf
PAM configuration files for login, xdm (KDE login) or gdm (Gnome login)
 
Old 08-16-2005, 04:25 PM   #4
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
Thanks for the replies guys!

I don't think it has to do with WINS; I am able to resolve things okay. The issue relates to my PDC responding with NT_NO_SUCH_USER or some such error. This box is only a workstation, and as such should be added under that role, regardless of how it actually works on the network. Is there something in smb.conf that delegates what it should join as?

I know I have edited the following files, and can post them if needed:

smb.conf
krb5.conf
/etc/pam.d/login

I'm not certain about nsswitch.conf, I'm not in linux at the moment so I can't tell.

I read somewhere that adding a local user is necessary, even when authenticating via AD. Truthfully, it didn't make sense to me either, but I was trying anything. Also, having a local user will allow me to log in when the PDC is inaccessible.

Thanks again for the replies, I will post errors, and conf files in a bit.
 
Old 08-16-2005, 05:44 PM   #5
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
Updates

Okay, here are my configs:

smb.conf:

Code:
[global]
workgroup = [WORKGROUP] 
realm = [FULLDOMAINNAME]
server string = Samba Server
printcap name = cups 
load printers = yes
printing = cups
cups options = raw
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
security = ADS 
password server = [PDC] 
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no 
preferred master = no
dns proxy = no 
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

[homes]
comment = Home Directories
browseable = no
read only = no
valid users = %s

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

nsswitch.conf:

Code:
passwd:     compat winbind 
shadow:     compat
group:      compat winbind 

hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

krb5.conf:

Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = [MY.DOMAIN.CONTROLLER]

[realms]
 [DOMAIN] = {
  kdc = [MY.DOMAIN.CONTROLLER]
 }

[domain_realm]
 .kerberos.server = [MY.DOMAIN.CONTROLLER]

I just noticed some discrepancies in the krb5.conf: notice that my default_realm is MY.DOMAIN.CONTROLLER, and then my realms definitions only have my DOMAIN listed as a realm. I'll see what happens when this is changed, although kinit works just fine when I do:

Code:
kinit [USERNAME]@[MY.DOMAIN.CONTROLLER]

/etc/pam.d/login:

Code:
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

The dump I get when trying to join:

Code:
[root@hostname etc]# net ads join -U [USERNAME]
[USERNAME]'s password:
[2005/08/16 16:20:20, 0] libads/ldap.c:ads_add_machine_acct(1512)
  Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- WSC
[2005/08/16 16:20:20, 0] libads/kerberos.c:get_service_ticket(337)
  get_service_ticket: kerberos_kinit_password [HOSTNAME]$@[DOMAIN]@[DOMAIN] failed: Client not found in Kerberos database
Joined '[HOSTNAME]' to realm '[DOMAIN]'
*** glibc detected *** net: free(): invalid pointer: 0x00523db0 ***
======= Backtrace: =========
/lib/libc.so.6[0x2ae424]
/lib/libc.so.6(__libc_free+0x77)[0x2ae95f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x114abb]
/usr/lib/libkrb5.so.3[0x4c18c4]
/usr/lib/libkrb5.so.3[0x4c15c7]
/usr/lib/libkrb5.so.3[0x5129da]
/lib/ld-linux.so.2[0xa4d058]
/lib/libc.so.6(exit+0xc5)[0x275c69]
/lib/libc.so.6(__libc_start_main+0xce)[0x25fdee]
net[0xaff0f1]
======= Memory map: ========
[memory map omitted]
Aborted

The part of the dump referring to "Client not found in Kerberos database" is repeated about 30 times before the rest of it happens.

And finally, here's the actual error in my /var/log/messages:

Code:
Aug 16 16:23:16 [HOSTNAME] pam_winbind[2464]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
Aug 16 16:23:16 [HOSTNAME] login(pam_unix)[2464]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost=  user=[USERNAME]

Wow, that's a doozy, thanks for any help you can provide, I will keep fighting it.

Mike.
 
Old 08-16-2005, 06:23 PM   #6
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
I just found this in my /var/log/samba/winbindd.log:

Code:
[2005/08/16 17:19:51, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain [LOCALHOST] (local domain to this server) not supported at this stage

where [LOCALHOST] refers to my machine's hostname; shouldn't that be the domain I'm trying to authenticate to?

And, when I do: getent passwd I can grep for my domain user:

Code:
[root@[HOST] samba]# getent passwd | grep [USERNAME]
[DOMAIN]\[USERNAME]:*:16780718:16777218:[USERNAME]:/home/[DOMAIN]/[USERNAME]:/bin/false

Last edited by mikeyt_333; 08-16-2005 at 06:31 PM.
 
Old 08-16-2005, 06:41 PM   #7
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
k, some progress! When I did getent passwd I noticed that the format of each user was:

[DOMAIN]\[USERNAME]

So, I tried logging in with that format, and it worked, but I didn't have the perms to create the users directory so I'm working on that now.
 
Old 08-16-2005, 07:35 PM   #8
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
WOOHOO! I got it! When I finally got getent passwd printing the correct information, I tried logging in, and the screen simply flashed. This was because somewhere, the default user directory for new users was /home/[DOMAIN]/[USERNAME]. The user didn't have permissions to create /home/[DOMAIN], so creating it as root allowed the user permissions to create their user directory in /home/[DOMAIN]. This got me access to the console. Then, I couldn't log into X-windows. This was because my /etc/pam.d/gdm didn't reflect the same changes as /etc/pam.d/login. By making my /etc/pam.d/gdm the following:

Code:
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

I was able to log in as a Domain user! I am so stoked! Now, does anybody know of good tools for managing computers and users on the domain, primarily adding and deleting users? Thanks for your help everybody, I hope somebody finds this thread useful in the future!
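As an added example (not from the thread, Samba or any poster), a small Python checker for the consistency problems that surfaced in posts #5 and #8: the realm in smb.conf versus krb5.conf's default_realm and [realms] entry, winbind on the passwd and group lines of nsswitch.conf, and pam_winbind present for auth and account in every PAM service that should accept domain users (login and gdm alike). The EXAMPLE.COM realm, the DC01 host and all sample configs are constructed; point the functions at real files to check a box.

```python
import re

# Constructed samples shaped like the thread's configs (assumed EXAMPLE.COM realm).
SMB_CONF = "[global]\nworkgroup = EXAMPLE\nrealm = EXAMPLE.COM\nsecurity = ADS\n"
# Same slip the poster noticed: default_realm names the DC host, not the realm.
KRB5_CONF = """[libdefaults]
 default_realm = DC01.EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = dc01.example.com
 }
"""
NSSWITCH = "passwd:     compat winbind\nshadow:     compat\ngroup:      compat\n"
PAM_LOGIN = "auth sufficient pam_winbind.so\naccount sufficient pam_winbind.so\n"
PAM_GDM = "auth required pam_env.so\naccount required pam_stack.so service=system-auth\n"

def parse_ini(text):
    """Flatten smb.conf / krb5.conf style text into {section: {key: value}}.
    krb5's nested 'REALM = {' leaves the realm name as a key under [realms]."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line == "}":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip().rstrip("{").strip()
    return conf

def check_realm(smb_text, krb5_text):
    """smb.conf realm must equal krb5 default_realm and be defined under [realms]."""
    smb, krb5 = parse_ini(smb_text), parse_ini(krb5_text)
    realm = smb.get("global", {}).get("realm", "").upper()
    default = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    problems = []
    if realm != default:
        problems.append(f"krb5.conf default_realm {default} != smb.conf realm {realm}")
    if realm.lower() not in krb5.get("realms", {}):
        problems.append(f"krb5.conf [realms] does not define {realm}")
    return problems

def check_nsswitch(text):
    """passwd and group must consult winbind, or getent never lists DOMAIN\\user."""
    return [f"nsswitch.conf: {db} does not list winbind" for db in ("passwd", "group")
            if not re.search(rf"^{db}:.*\bwinbind\b", text, re.M)]

def check_pam(service, text):
    """Every login path (login, gdm, ...) needs pam_winbind for auth and account."""
    return [f"/etc/pam.d/{service}: no pam_winbind.so entry for {typ}"
            for typ in ("auth", "account")
            if not re.search(rf"^{typ}\s+\S+\s+pam_winbind\.so", text, re.M)]
```

Run against the samples it flags the realm mismatch, the missing winbind on the group line, and the gdm service that never consults pam_winbind, while login passes.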
 
Old 08-16-2005, 08:55 PM   #9
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
Just as a note, you always have to log in from the Linux machine using the DOMAIN\username format because Windows has to know which domain the user belongs to. The reason we don't do this in Windows is because it has a Domain field on the login box that specifies the domain to which we're logging in.
 
Old 08-17-2005, 12:42 AM   #10
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
Gotcha. Any ideas why NTLM wouldn't function properly, and is there a way to make it so a domain user can log on when the system isn't connected to the domain? Thanks!
 
Old 08-17-2005, 07:48 PM   #11
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
I can only think that you would need the Name Service Caching Daemon (nscd) running to cache previous logins if you want users to log in when not connected to the domain. I haven't tested this myself, as many people stated nscd should be turned off when using Samba authentication to AD. I don't remember why, though.
 
Old 08-26-2005, 01:03 AM   #12
manhou
LQ Newbie
 
Registered: Aug 2005
Location: Sydney
Posts: 3

Rep: Reputation: 0
linux logon to domain problem

Hi,
I am very new to Linux systems. What I am trying to do now is to set up a server that is similar to a Windows server. My situation is as follows:

I have eight Linux machines: one installed with Fedora 4 (set as server) and the other seven with Fedora 2 (no time to reinstall).
I have another 4-5 WinXP machines.

What I want to know is, how can I set up the Linux server such that all the user accounts are only created/deleted on the server instead of creating the user account on every machine? Using Samba? NIS? And after the server is set up, how can I configure the Linux clients such that I can choose which domain I want to log on to? Thank you for your responses, and I hope I can find help here.

Mike
 
Old 08-26-2005, 08:25 AM   #13
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Original Poster
Rep: Reputation: 30
First, your best chance of getting help with an issue like this is to open a new thread, rather than posting in a thread that has a totally different focus. People read this thread to help with the question at hand, which is what they would do if they saw a new thread with your own heading. Go here and read through the document; it will tell you everything you need to know:

http://us3.samba.org/samba/docs/man/...ion/index.html
 
  

