LinuxQuestions.org
Old 08-11-2005, 10:51 AM   #1
Thermos
Member
 
Registered: Feb 2003
Posts: 38

Rep: Reputation: 15
SUSE to Win 2003 AD Xsession error


I've got a laptop with SUSE 9.1 trying to connect to a Windows 2003 Active Directory PDC. After much effort I found a good guide at
http://lilly.csoft.net/~vdebaere/han.../index_en.html
Following mainly those instructions I get all the AD users and groups with 'getent passwd' and 'getent group'. When I boot up, SUSE's logon screen shows my Linux accounts and lists the Windows AD accounts as well. But when I try to log in with an AD account to log on to my Windows PDC it thinks for a few seconds and then gives me this error "xsession: login for 'DOMAIN/USER' is disabled", then X restarts and goes back to the logon screen.

I've googled the message endlessly with no help. Below are all of the configuration files I could think to put. Tell me if more info is necessary. Please help, I'm completely stuck and don't know what to do. Everything seems fine but I get that xsession error. I thought at first it was having trouble creating folders/files in /home/DOMAIN/USERNAME; I'm not sure if that's the problem or if it's something/anything else. Any help will be greatly appreciated.

*******smb.conf*******
[global]
# Global options for Win 2003 Active Directory
realm = EROS.ORG
workgroup = EROS
password server = mazer.eros.org
security = ADS
encrypt passwords = yes
# winbind configuration: maps ADS users to uid's and gid's
winbind sepatator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash

*******krb5.conf*******
[libdefaults]
clockskew = 300
default_realm = EROS.ORG

[realms]
EROS.ORG = {
kdc = mazer.eros.org
default_domain = EROS.ORG
kpasswd_server = mazer.eros.org
}

[domain_realm]
.MAZER.EROS.ORG = EROS.ORG
# .my.domain = MY.REALM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}

*******nsswitch.conf*******
passwd: compat winbind
shadow: compat
group: compat winbind

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files

*******resolv.conf*******
nameserver 192.168.1.3

*******samba (from pam.d)*******
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
 
Old 08-12-2005, 07:51 PM   #2
leonscape
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Debian SID / KDE 3.5
Posts: 2,313

Rep: Reputation: 48
I think this is an X authorisation problem, not a connection problem. X is probably set up to only allow accounts on the local machine to log in to the X server.

Sorry but I don't know how you solve this problem ( never had to do this ).
 
Old 08-15-2005, 09:31 AM   #3
Thermos
Member
 
Registered: Feb 2003
Posts: 38

Original Poster
Rep: Reputation: 15
anybody else?
 
Old 08-17-2005, 07:05 PM   #4
surguy
LQ Newbie
 
Registered: Aug 2005
Posts: 1

Rep: Reputation: 0
The winbind/samba may not yet be working properly.
I could not get my SuSE 9.1/Windows Server 2003
network to communicate properly until I set

client schannel = no

in smb.conf. After I did that, all of the clients authenticated
against the ADS without any problems. You may give that a try.

Last edited by surguy; 08-17-2005 at 07:30 PM.
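
An added example (not written by any poster in this thread, and not Samba code): a small Python check over an smb.conf string that reports parameter names it does not recognise and flags "client schannel = no", a setting that turns off the Netlogon secure channel (schannel) from this client to the domain controller. The known-parameter list is an assumed subset limited to names used in this thread, and the sample input is constructed from the settings posted above.

```python
import difflib

# Subset of real smb.conf [global] parameters used in this thread; NOT Samba's
# full list. Samba ignores case and spaces in names, so compare normalised.
KNOWN = [
    "realm", "workgroup", "password server", "security", "encrypt passwords",
    "winbind separator", "idmap uid", "idmap gid", "winbind enum users",
    "winbind enum groups", "template homedir", "template shell",
    "client schannel",
]
_NORM = {k.replace(" ", ""): k for k in KNOWN}

# Constructed sample: settings as posted in the thread, plus the suggested one.
SAMPLE = """\
[global]
# Global options for Win 2003 Active Directory
realm = EROS.ORG
workgroup = EROS
security = ADS
winbind sepatator = +
idmap uid = 10000-20000
template homedir = /home/%D/%U
client schannel = no
"""

def lint_smb_conf(text):
    """Return (line_no, severity, message) findings for an smb.conf string."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header, or not a setting
        name, value = (p.strip() for p in line.split("=", 1))
        key = name.lower().replace(" ", "")
        if key not in _NORM:
            guess = difflib.get_close_matches(key, list(_NORM), n=1, cutoff=0.8)
            hint = f"; did you mean '{_NORM[guess[0]]}'?" if guess else ""
            findings.append((no, "error", f"unknown parameter '{name}'{hint}"))
        elif key == "clientschannel" and value.lower() in ("no", "false", "0"):
            findings.append((no, "warning",
                             "client schannel is off: the Netlogon secure "
                             "channel to the DC is disabled"))
    return findings

if __name__ == "__main__":
    for no, sev, msg in lint_smb_conf(SAMPLE):
        print(f"line {no}: {sev}: {msg}")
```

Samba's own testparm utility performs the full check against the real file, including unknown parameter names.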
 
Old 08-17-2005, 07:41 PM   #5
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
I'm not sure about Windows 2003 but with Windows 2000 you need to specify the user account name as DOMAIN\username when logging in from the Linux machine. I'm not sure if you did this.

Also, did you configure /etc/pam.d/xdm to use winbind.so? I'm not really sure why you configured Samba in Pam.d.
Ensure that you add the directive
Session required pam_mkhomedir.so skel=/etc/skel umask=0022
in xdm to automatically create a home directory when the user logs in.

As a note, I've read that the Name Service Caching Daemon (nscd) should be disabled.
 
Old 08-18-2005, 10:04 PM   #6
Thermos
Member
 
Registered: Feb 2003
Posts: 38

Original Poster
Rep: Reputation: 15
First of all, thanks for the ideas, but unfortunately neither helped.

"Session required pam_mkhomedir.so skel=/etc/skel umask=0022"
I had seen this on another post and tried it but it changed nothing.

One thing that I've noticed that seems strange is when I log in like I think I should, domain\username, it immediately says login failed. But if I log in with just my username and then give the password it thinks for a little bit and then gives me the xsession error that I posted above. I thought I would need to supply the domain name preceding the username but in the long run neither works.

Any other ideas what I'm doing wrong?

This really sucks because it's pulling in the usernames from the PDC but it's just not letting me log on. I feel like I'm close but just one change away.
 
Old 08-18-2005, 10:18 PM   #7
Thermos
Member
 
Registered: Feb 2003
Posts: 38

Original Poster
Rep: Reputation: 15
I also just turned off the nscd service but still have the same problem.

If I log on with any of my AD logons (Administrator and my logon) it thinks for a bit and gives me the xsession error. If I spell the logon wrong, don't get the logon's case right, or put the domain name in front, it gives me "logon failed" immediately. But if I log on correctly with only my username it seems to try to log on but gives me the error.

please please please help!
 
Old 08-18-2005, 10:25 PM   #8
aznluvsmc
Member
 
Registered: Aug 2004
Location: Newmarket, Ontario
Distribution: OpenSuse 10.2
Posts: 184

Rep: Reputation: 30
When you made the PAM change, which file did you put it in?

Anyways, this link may help you out.

http://www.enterprisenetworkingplane...le.php/3502441

Make sure you read the article they refer to in the first link too!
 
Old 08-19-2005, 08:01 AM   #9
Thermos
Member
 
Registered: Feb 2003
Posts: 38

Original Poster
Rep: Reputation: 15
I made the change in /etc/pam.d/xdm

I will look at those links tonight when I'm back home and post a message with any progress tonight or tomorrow morning.
 
  

