Joined Domain, can't login as domain user

mikeyt_333 · 08-16-2005, 09:22 AM

Hi everybody, it's been a while since I lasted posted here, unfortunately. I got a new job that puts me more in the windows world than I might have liked, but it pays the bills and provides great experience, so I'll suck it up. Because I am in this windows shops, however, I figured it was prime real estate for figuring out how I can get Linux to operate seemlessly within its walls. I've managed to configure Samba, winbind, and kerberos. A kinit [user]@DOMAIN works fine, a Samba net ads join starts off okay, and then says some shpeel about "found glibc" and goes into a memory dump, but after that, when I try a wbinfo -u or -g, it spits back the correct information, so I figure it's still working okay. My next step was to create a local user which mirrors my domain user, minus password. When I attempt to login with this account, it fails, and my logs spit back the NT_NO_SUCH_USER or something along those lines. When I query ADS in my windows box, as the domain admin, my linux box shows up as a Domain Controller, which I'd like to change some how. Does anybody have any suggestions why everything would work except for user authentication, and why would my linux box show up as a domain controller when it should be a workstation? I've googled, and followed the docs to the T. Also, can anybody recommend some good ADS managment tools, command line is preferred. I am removing and adding users/computers to the domain on a daily basis and need this functionality if I'm to switch to Linux. Thanks in advance!

Mike.

juswastntm · 08-16-2005, 02:07 PM

Mikey,

I'm no pro, but when I added 2 new Linux boxes to my network and had to force them to talk to the Windows monster, I added Samba, Kerberos and the likes...but nothing worked until WINS was enabled and RUNNING on the monster box. For some reason Samba likes the WINS protocol. Can't hurt to try it.

As for your DC problem, thats strange...but if your windows box is listed as a Backup Domain Controller you should be able to promote it to DC after taking the Linux box down for a minute. I get eventvwr logs all the time that say my Linux boxes are fighting over control, but they don't win.

Hope this helps a bit or at least causes you to have your own brain-snap!

aznluvsmc · 08-16-2005, 03:52 PM

If you're using AD to authenticate users, why do you need to create user on the local Linux machine?

Anyways, did you make the necessary changes in the following files?

smb.conf
nsswitch.conf
krb5.conf
pam_unix2.conf
PAM configuration files for login, xdm (KDE login) or gdm (Gnome login)

mikeyt_333 · 08-16-2005, 04:25 PM

Thanks for the replies guys!

I don't think it has to do with WINS, I am able to resolve things okay, the issue relates to my PDC responding with a NT_NO_SUCH_USER or some such error. This box is only a workstation, and as such should be added under that role, regardless of how it actually works on the network, is there something in smb.conf that deligates what it should join as?

I know I have edited the following files, and can post them if needed:

smb.conf
krb5.conf
/etc/pam.d/login

I'm not certain about nsswitch.conf, I'm not in linux at the moment so I can't tell.

I read somewhere that adding a local user is necessary, even when authenticating via AD, truthfully, it didn't make sense to me either, but I was trying anything. Also, having a local user will allow me to login when the PDC is inaccessable.

Thanks again for the replies, I will post errors, and conf files in a bit.

mikeyt_333 · 08-16-2005, 05:44 PM

Okay, here are my configs:

smb.conf:

Code:

[global]
workgroup = [WORKGROUP] 
realm = [FULLDOMAINNAME]
server string = Samba Server
printcap name = cups 
load printers = yes
printing = cups
cups options = raw
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
security = ADS 
password server = [PDC] 
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no 
preferred master = no
dns proxy = no 
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

[homes]
comment = Home Directories
browseable = no
read only = no
valid users = %s

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

nsswitch.conf:

Code:

passwd:     compat winbind 
shadow:     compat
group:      compat winbind 

hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

krb5.conf:

Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = [MY.DOMAIN.CONTROLLER]

[realms]
 [DOMAIN] = {
  kdc = [MY.DOMAIN.CONTROLLER]
 }

[domain_realm]
 .kerberos.server = [MY.DOMAIN.CONTROLLER]

I just noticed some descrepencies in the krb5.conf, notice that my default_realm is MY.DOMAIN.CONTROLLER, and then my realms definitions only have my DOMAIN listed as a realm, I'll see what happens when this is changed, although, kinit works just fine when I do:

Code:

kinit -U [USERNAME]@[MY.DOMAIN.CONTROLLER]

/etc/pam.d/login:

Code:

#%PAM-1.0
auth       required	pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required	pam_stack.so service=system-auth
auth       required	pam_nologin.so
account    sufficient   pam_winbind.so
account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel
# pam_selinux.so close should be the first session rule
session    required	pam_selinux.so close
session    required	pam_stack.so service=system-auth
session    optional	pam_console.so
# pam_selinux.so open should be the last session rule
session    required	pam_selinux.so multiple open

The dump I get when trying to join:

Code:

[root@hostname etc]# net ads join -U [USERNAME]
[USERNAME]'s password:
[2005/08/16 16:20:20, 0] libads/ldap.c:ads_add_machine_acct(1512)
  Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- WSC
[2005/08/16 16:20:20, 0] libads/kerberos.c:get_service_ticket(337)
  get_service_ticket: kerberos_kinit_password [HOSTNAME]$@[DOMAIN]@[DOMAIN] failed: Client not found in Kerberos database
Joined '[HOSTNAME]' to realm '[DOMAIN]'
*** glibc detected *** net: free(): invalid pointer: 0x00523db0 ***
======= Backtrace: =========
/lib/libc.so.6[0x2ae424]
/lib/libc.so.6(__libc_free+0x77)[0x2ae95f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x114abb]
/usr/lib/libkrb5.so.3[0x4c18c4]
/usr/lib/libkrb5.so.3[0x4c15c7]
/usr/lib/libkrb5.so.3[0x5129da]
/lib/ld-linux.so.2[0xa4d058]
/lib/libc.so.6(exit+0xc5)[0x275c69]
/lib/libc.so.6(__libc_start_main+0xce)[0x25fdee]
net[0xaff0f1]
======= Memory map: ========
00111000-00113000 r-xp 00000000 03:06 660203     /usr/lib/libkrb5support.so.0.0
00113000-00114000 rwxp 00001000 03:06 660203     /usr/lib/libkrb5support.so.0.0
00114000-00116000 r-xp 00000000 03:06 576357     /lib/libcom_err.so.2.1
00116000-00117000 rwxp 00001000 03:06 576357     /lib/libcom_err.so.2.1
00117000-0012c000 r-xp 00000000 03:06 664122     /usr/lib/libsasl2.so.2.0.20
0012c000-0012d000 rwxp 00015000 03:06 664122     /usr/lib/libsasl2.so.2.0.20
0012d000-0013f000 r-xp 00000000 03:06 650204     /usr/lib/libz.so.1.2.2.2
0013f000-00140000 rwxp 00011000 03:06 650204     /usr/lib/libz.so.1.2.2.2
00140000-00142000 r-xp 00000000 03:06 644734     /usr/lib/gconv/IBM850.so
00142000-00144000 rwxp 00001000 03:06 644734     /usr/lib/gconv/IBM850.so
00144000-0014d000 r-xp 00000000 03:06 1024053    /lib/libnss_files-2.3.5.so
0014d000-0014e000 r-xp 00008000 03:06 1024053    /lib/libnss_files-2.3.5.so
0014e000-0014f000 rwxp 00009000 03:06 1024053    /lib/libnss_files-2.3.5.so
00227000-0024a000 r-xp 00000000 03:06 660226     /usr/lib/libk5crypto.so.3.0
0024a000-0024b000 rwxp 00023000 03:06 660226     /usr/lib/libk5crypto.so.3.0
0024b000-0036f000 r-xp 00000000 03:06 1024103    /lib/libc-2.3.5.so
0036f000-00371000 r-xp 00124000 03:06 1024103    /lib/libc-2.3.5.so
00371000-00373000 rwxp 00126000 03:06 1024103    /lib/libc-2.3.5.so
00373000-00375000 rwxp 00373000 00:00 0
0037b000-0037d000 r-xp 00000000 03:06 644827     /usr/lib/gconv/UTF-16.so
0037d000-0037f000 rwxp 00001000 03:06 644827     /usr/lib/gconv/UTF-16.so
00457000-00458000 r-xp 00457000 00:00 0
004b2000-00521000 r-xp 00000000 03:06 660238     /usr/lib/libkrb5.so.3.2
00521000-00524000 rwxp 0006e000 03:06 660238     /usr/lib/libkrb5.so.3.2
00587000-005bb000 r-xp 00000000 03:06 654761     /usr/lib/libldap-2.2.so.7.0.16
005bb000-005bd000 rwxp 00033000 03:06 654761     /usr/lib/libldap-2.2.so.7.0.16
00607000-0063c000 r-xp 00000000 03:06 1025680    /lib/libssl.so.0.9.7f
0063c000-0063f000 rwxp 00035000 03:06 1025680    /lib/libssl.so.0.9.7f
006fc000-0070b000 r-xp 00000000 03:06 576355     /lib/libresolv-2.3.5.so
0070b000-0070c000 r-xp 0000e000 03:06 576355     /lib/libresolv-2.3.5.so
0070c000-0070d000 rwxp 0000f000 03:06 576355     /lib/libresolv-2.3.5.so
0070d000-0070f000 rwxp 0070d000 00:00 0
00738000-0073c000 r-xp 00000000 03:06 1024050    /lib/libnss_dns-2.3.5.so
0073c000-0073d000 r-xp 00003000 03:06 1024050    /lib/libnss_dns-2.3.5.so
0073d000-0073e000 rwxp 00004000 03:06 1024050    /lib/libnss_dns-2.3.5.so
0080d000-00812000 r-xp 00000000 03:06 576366     /lib/libcrypt-2.3.5.so
00812000-00813000 r-xp 00004000 03:06 576366     /lib/libcrypt-2.3.5.so
00813000-00814000 rwxp 00005000 03:06 576366     /lib/libcrypt-2.3.5.so
00814000-0083b000 rwxp 00814000 00:00 0
008be000-008d0000 r-xp 00000000 03:06 576360     /lib/libnsl-2.3.5.so
008d0000-008d1000 r-xp 00011000 03:06 576360     /lib/libnsl-2.3.5.so
008d1000-008d2000 rwxp 00012000 03:06 576360     /lib/libnsl-2.3.5.so
008d2000-008d4000 rwxp 008d2000 00:00 0
008d4000-009cc000 r-xp 00000000 03:06 1025679    /lib/libcrypto.so.0.9.7f
009cc000-009de000 rwxp 000f8000 03:06 1025679    /lib/libcrypto.so.0.9.7f
009de000-009e1000 rwxp 009de000 00:00 0
009ea000-00a01000 r-xp 00000000 03:06 660467     /usr/lib/libgssapi_krb5.so.2.2
00a01000-00a02000 rwxp 00017000 03:06 660467     /usr/lib/libgssapi_krb5.so.2.2
00a3f000-00a59000 r-xp 00000000 03:06 1024101    /lib/ld-2.3.5.so
00a59000-00a5a000 r-xp 00019000 03:06 1024101    /lib/ld-2.3.5.so
00a5a000-00a5b000 rwAborted

The part of the dump referring to: "Client not found in Kerberos database" is repeated about 30 times before the rest of it happens.

And finally, here's the actual error in my /var/log/messages:

Code:

Aug 16 16:23:16 [HOSTNAME] pam_winbind[2464]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
Aug 16 16:23:16 [HOSTNAME] login(pam_unix)[2464]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost=  user=[USERNAME]

Wow, that's a doozy, thanks for any help you can provide, I will keep fighting it.

Mike.

mikeyt_333 · 08-16-2005, 06:23 PM

I just found this in my /var/log/samba/winbindd.log:

Code:

[2005/08/16 17:19:51, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
  Authentication for domain [LOCALHOST] (local domain to this server) not supported at this stage

where [LOCALHOST] refers to my machines hostname, shouldn't that be the domain I'm trying to authenticate to?

And, when I do: getent passwd I can grep for my domain user:

Code:

[root@[HOST] samba]# getent passwd | grep [USERNAME]
[DOMAIN]\[USERNAME]:*:16780718:16777218:[USERNAME]:/home/[DOMAIN]/[USERNAME]:/bin/false

mikeyt_333 · 08-16-2005, 06:41 PM

k, some progress! When I did getent passwd I noticed that the format of each user was:

[DOMAIN]\[USERNAME]

So, I tried logging in with that format, and it worked, but I didn't have the perms to create the users directory so I'm working on that now.

mikeyt_333 · 08-16-2005, 07:35 PM

WOOHOO! I got it! When I finally for getent passwd printing the correct information, I tried logging in, and the screen simply flashed. This was because somewhere, the default user directory for new users was /home/[DOMAIN/[USERNAME]. The user didn't have permissions to create /home/[DOMAIN], so, creating it as root allowed the user permissions to create their user directory in /home/[DOMAIN]. This got me access to the console. Then, I couldn't log into X-windows. This was because my /etc/pam.d/gdm didn't reflect the same changes in /etc/pam.d/login. By making my /etc/pam.d/gdm the following:

Code:

#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

I was able to login as a Domain user! I am so stoked! Now, does anybody know of good tools for managing computers and users on the domain, primarily adding and deleting users? Thanks for your help everybody, I hope somebody finds this thread useful in the future!

aznluvsmc · 08-16-2005, 08:55 PM

Just as a note, you always have to login from the Linux machine using the DOMAIN\username format because Windows has to know which domain the user belongs to. The reason we don't do this in Windows is because it has a Domain field on the login box that specifies the domain to which we're logging in.

mikeyt_333 · 08-17-2005, 12:42 AM

gotcha. Any ideas why ntlm wouldn't function properly, and is there a way to make it so a domain user can log on when the system isn't connected to the domain? Thanks!

aznluvsmc · 08-17-2005, 07:48 PM

I can only think that you would need the Name Service Caching Daemon (nscd) running to cache previous logins if you want users to login when not connected to the domain. I haven't tested this myself as many people stated nscd should be turned off when using Samba authentication to AD. I don't remember why though

manhou · 08-26-2005, 01:03 AM

Hi,
I am very new to linux system. What i am trying to do now is to set up a server that is similar to windows server. My situation is as following:

I got eight linux machine, one installed fedora 4 (set as server) and the other seven is fedora 2 (no time to reinstall).
I got another 4-5 winXP machines.

What i want to know is, how can i setup the linux server such that all the user accounts are only created/deleted inside the server instead of creating the user account in every machines? Using samba?NIS? And after the server is setup, how can i configure the linux clients such that i can choose which domain i want to log on? Thank you for responses and hope can find help here.

Mike

mikeyt_333 · 08-26-2005, 08:25 AM

First, your best chance of getting help with an issue like this is to open a new thread, rather than posting in a thread that has a totally different focus. People will read this thread to help with the question at hand, which is what they would do if they saw a new thread with your own heading. Go here, and read through the document, it will tell you everything you need to know:

http://us3.samba.org/samba/docs/man/...ion/index.html