LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-28-2016, 12:22 PM   #1
igp
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Rep: Reputation: Disabled
Fedora - unable to login using Active Directory credentials


Hi
I have setup a Fedora machine and have bound it to Active directory using Samba, Winbind & Kerberos. Computer object exists in AD.
running kinit username@domain.com prompts for password which is accepted. klist then shows I have a ticket.
What I need to be able to do is login to the machine using an active directory user. I am sure I have missed something as I have not added domain users / admins to any groups (not sure if i need to?).
I have gnome installed and when I enter the username it prompts for the password, looks like its been accepted and then returns to the user login screen.
Bit stumped at the moment so any help would be appreciated.
Thanks in advance!
 
Old 09-30-2016, 06:09 AM   #2
Ginola
Member
 
Registered: Sep 2012
Location: London
Distribution: CentOS, RHEL, Ubuntu
Posts: 73

Rep: Reputation: Disabled
The program "realm" is your friend on this one.

Once you install realmd and configure your /etc/krb5.conf file, assuming you realm name is AD.JOSHUA.COM, run the following....

Code:
[root@wopr ~]realm discover AD.JOSHUA.COM
ad.joshua.com
  type: kerberos
  realm-name: AD.JOSHUA.COM
  domain-name: ad.joshua.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
Make sure all the required package listed above are installed. Then join the domain...

Code:
[root@wopr ~]realm join --user ginola@ad.joshua.com AD.JOSHUA.COM
The --user option can be left out, but then you'll login as ADMINSTRATOR.

You can then su in as that user to check it works.

I always tidy up /etc/sssd/sssd.conf

Code:
use_fully_qualified_names = False
fallback_homedir = /home/%u
I change the first option so the users can log directly on the box with just the username, no domain needed, and the second option makes the home directory area tidier..

HTH.

Last edited by Ginola; 09-30-2016 at 06:11 AM.
 
Old 10-04-2016, 08:35 AM   #3
igp
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi Ginola, thanks for the reply.
I had tried this way previously and keep being told cannot join this realm.
I have since realized the realm join command need to be entered in the correct case, upper for realm & lower for domain. I think this could be DNS related. If I add the --verbose flag the discovery times out after 15 seconds. Whats odd is it accepted it once and asked for my password. It accepted it but still error ed. Annoying thing now is I cannot get it to prompt for password again to troubleshoot the same error.
Is it just the krb5.conf file that requires configuring? Do I need to edit the smb.conf files as well?
Thanks again!
 
Old 10-12-2016, 05:32 AM   #4
Ginola
Member
 
Registered: Sep 2012
Location: London
Distribution: CentOS, RHEL, Ubuntu
Posts: 73

Rep: Reputation: Disabled
Firstly, check your /etc/resolv.conf and make sure it is hitting the AD DNS. I hang mine off the windows DHCP to inherit these values....

Code:
[root@wopr ~]$ more /etc/resolv.conf
# Generated by NetworkManager
search ad.joshua.com
nameserver 10.100.91.129
nameserver 10.100.92.129
nameserver 10.100.93.129
Secondly, make sure the clocks are in sync..

I configured samba so that the users could access their home area from windows.

Code:
[global]
	workgroup = AD
	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50
	security = ads
	passdb backend = tdbsam
	realm = AD.JOSHUA.COM
	password server = *
HTH.
 
Old 10-12-2016, 06:14 AM   #5
igp
LQ Newbie
 
Registered: Sep 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for the reply.
I eventually got it working. It took me many attempts but tweaking the krb5.conf, smb.conf & sssd.conf got me over the line.
I am now able to login with domain credentials and editing the sssd.conf file to not require fqdn works nicely.
Realm & sssd is definitely the way to go. Now automating the deployment of the 3 files to allow an easy bind for other machines going forward.
Thanks for your help!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Unable to login in to Active Directory(Windows Domain Controller) from Linux redhat z_haseeb Red Hat 0 01-04-2014 11:44 AM
Cannot login to Active Directory account on Fedora 14 desktop slinx Linux - Desktop 12 01-19-2012 06:02 AM
SSH using Active Directory credentials fail noir911 Linux - Server 1 09-17-2009 10:35 AM
Login to Fedora With Active Directory FloydFan Linux - Networking 2 05-27-2005 09:41 PM
Login to Fedora With Active Directory FloydFan Linux - General 1 05-27-2005 11:57 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 06:27 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration