LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-23-2017, 01:38 PM   #1
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Rep: Reputation: Disabled
Need help in joining Centos to AD with winbind


Hello,

I am trying to join Centos 7.3 Linux to Microsoft AD through winbind and while learning, I am failing to do so. I can not use sssd because authentication needs to talk cross forest, which sssd doesn't support. That is reason winbind seems only option for us.
If anybody used similar kind of setup, I would seek help. Here are its configurations
Code:
[root@lab-serv15 etc]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = {IOT.AD.SEADOC.COM}
 dns_lookup_kdc = true
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
IOT.AD.SEADOC.COM = {
kdc = wpsd-dc01.iot.ad.SEADOC.com
kdc = wpsd-dc02.iot.ad.SEADOC.com
admin_server = wpsd-dc01.iot.ad.SEADOC.com
default_domain = IOT.AD.SEADOC.COM
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 {iot.ad.SEADOC.com} = {IOT.AD.SEADOC.COM}
 .{iot.ad.SEADOC.com} = {IOT.AD.SEADOC.COM}
[root@lab-serv15 etc]#


[root@lab-serv15 etc]# kinit
kinit: Cannot find KDC for realm "{IOT.AD.SEADOC.COM}" while getting initial credentials
[root@lab-serv15 etc]#
[root@lab-serv15 etc]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@lab-serv15 etc]#
[root@lab-serv15 etc]# klist -e
klist: Credentials cache keyring 'persistent:0:0' not found
[root@lab-serv15 etc]# cat /var/log/samba/log.winbindd
[2017/06/23 10:46:15.630100,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2017/06/23 10:46:15.642199,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
  Could not fetch our SID - did we join?
[2017/06/23 10:46:15.642228,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
  unable to initialize domain list
[2017/06/23 10:47:02.212209,  0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2017/06/23 10:47:02.216127,  0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
  Could not fetch our SID - did we join?
[2017/06/23 10:47:02.216155,  0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
  unable to initialize domain list
[root@lab-serv15 etc]#
 
Old 06-23-2017, 02:28 PM   #2
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
Can you post your /etc/resolv.conf and /etc/hosts files?
 
Old 06-23-2017, 02:59 PM   #3
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by AwesomeMachine View Post
Can you post your /etc/resolv.conf and /etc/hosts files?
Code:
[root@lab-serv15 etc]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.243.22          wksi-tools1-prod.seadoc.com
192.168.243.4           iot.ad.seadoc.com
[root@lab-serv15 etc]#
[root@lab-serv15 etc]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search iot.ad.seadoc.com
nameserver 192.168.243.3
nameserver 192.168.243.4
[root@lab-serv15 etc]#
 
Old 06-23-2017, 09:13 PM   #4
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
Quote:
Could not fetch our SID - did we join?

Usually the SID creation is done by samba_setup. You can run command
Code:
$ smbpasswd -j -p
to create the SID.


Shamelessly stolen from: https://community.hpe.com/t5/System-...g/td-p/5076028
 
Old 06-23-2017, 09:42 PM   #5
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by AwesomeMachine View Post
Usually the SID creation is done by samba_setup. You can run command
Code:
$ smbpasswd -j -p
to create the SID.
It fails, seems like I am missing some configuration. admin_user have authority to join domain and password is also working well, as I confirmed from AD guys.
Code:
[root@lab-serv15 ~]# smbpasswd -j -p
See 'net join' for this functionality
[root@lab-serv15 ~]# net join ADS -w iot.ad.seadoc.com -U admin_user@ad.seadoc.com
Enter admin_user@ad.seadoc.com's password:
Failed to join domain: failed to find DC for domain {IOT.AD.SEADOC.COM}
[root@lab-serv15 ~]#
 
Old 06-23-2017, 09:47 PM   #6
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
OK, you need an admin user credentials on the AD server, and then you can run samba setup. Samba setup usually takes care of all that little stuff.
 
Old 06-23-2017, 09:55 PM   #7
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
admin_user is already have access to join domain. I am able to join Window server on domain with same user.
And /etc/samba/smb.conf seems to have necessary configuration.
Code:
[root@lab-serv15 ~]# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/06/23 10:46:15
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = {IOT.AD.SEADOC.COM}
   realm = {IOT.AD.SEADOC.COM}
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/{iot.seadoc.com}/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
;       workgroup = SAMBA
;       security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775
[root@lab-serv15 ~]#
 
Old 06-24-2017, 11:22 PM   #8
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,513

Rep: Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009Reputation: 1009
See the link I posted above. It has an interesting discussion thread.
 
  


Reply

Tags
linux, winbind


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Help configure winbind on CentOS 7 vojd Linux - Server 0 06-02-2016 10:45 PM
Joining CENTOS with active directory yunushaikh Linux - Newbie 2 12-30-2015 10:07 AM
Script for joining RH/CentOS to AD domain watcher69b Linux - Server 2 03-24-2015 07:47 PM
Can't log in to CentOS 6.3 PDC after joining domain. torlor Linux - Newbie 3 03-08-2014 01:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 11:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration