11-18-2010, 09:02 AM | #1 | umiyz (LQ Newbie, Registered: Mar 2007, Posts: 12)
Windows Active Directory and Ubuntu - LDAP
Hello,
I have a question. I tried for 2x6 hours (2 days) to fix this problem and searched all over the internet.
I have a WIN2003 Server as the primary domain controller: DOMEIN.NET
The IP address is 192.168.1.2
FQDN: win2003.domein.net
Username: Administrator
Password: P@ssword
and I have a UBUNTU machine.
IP address is 192.168.1.3
FQDN: ubuntus2.domein.net
Username: ubuntu
Password: P@ssword
Root username: root
Password: P@ssword
UBUNTUS2 is connected to the domain name DOMEIN.NET with the use of LIKEWISE-OPEN.
Now I want to use SAMBA with WINBIND (of course, IF this is possible).
I want to use SAMBA for FILE/PRINTER SHARING and to log on to UBUNTU with WIN2003 ADS users. This does work with LIKEWISE, but I want to use SAMBA.
I am using webmin to configure different options; this is to make it simple for myself, because my knowledge of UBUNTU is basic, and I really need some GUI interfaces.
When I try to bind my UBUNTU machine to the domain with the use of WINBIND, I get the following error:
Quote:
Unable to find a suitable server for domain DOMEIN.NET
Unable to find a suitable server for domain DOMEIN.NET
|
This is my smb.conf file:
Quote:
[global]
idmap gid = 10000-20000
idmap uid = 10000-20000
invalid users = root
password server = win2003.domein.net
wins server = 192.168.1.2
workgroup = domein.net
security = ADS
debuglevel = 2
wins support = no
# Winbind settings
# For testing
# A shared folder for testing purposes
[SharedFolder]
path = /home/onno2/Shared_Folder
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777
|
I believe there is no use of KERBEROS, but I am not sure..
What am I doing wrong here? Can anyone help me out please? Thank you !
Last edited by umiyz; 12-13-2010 at 01:04 PM.

11-19-2010, 08:32 PM | #2 | LMW (Member, Registered: Oct 2010, Location: Russia / USA, Distribution: Arch Linux, Posts: 36)
Actually, when you want to join a Linux machine to a Windows domain, it uses Kerberos authentication. Show me your /etc/krb5.conf and I will tell you where the problem is.
P.S. I suppose you have your /etc/hosts and /etc/resolv configured properly?
Last edited by LMW; 11-19-2010 at 09:35 PM.

11-21-2010, 02:10 PM | #3 | umiyz (LQ Newbie, Original Poster, Registered: Mar 2007, Posts: 12)
Quote:
Originally Posted by LMW
Actually, when you want to join a Linux machine to a Windows domain, it uses Kerberos authentication. Show me your /etc/krb5.conf and I will tell you where the problem is.
P.S. I suppose you have your /etc/hosts and /etc/resolv configured properly?
|
Hello, this is my krb5.conf file.
PHP Code:
[libdefaults]
default_realm = DOMEIN.NET
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = vice28.fs.andrew.cmu.edu
kdc = vice2.fs.andrew.cmu.edu
kdc = vice11.fs.andrew.cmu.edu
kdc = vice12.fs.andrew.cmu.edu
admin_server = vice28.fs.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementia.org
kdc = kerberos2.dementia.org
admin_server = kerberos.dementia.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
DOMEIN.NET = {
auth_to_local = RULE:[1:$0\$1](^DOMEIN\.NET\\.*)s/^DOMEIN\.NET/DOMEIN/
auth_to_local = RULE:[1:$0\$1](^DOMEIN\.NET\\.*)s/^DOMEIN\.NET/DOMEIN/
auth_to_local = DEFAULT
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.domein.net = DOMEIN.NET
[login]
krb4_convert = true
krb4_get_tickets = false
[appdefaults]
pam = {
mappings = DOMEIN\\(.*) $1@DOMEIN.NET
forwardable = true
validate = true
}
httpd = {
mappings = DOMEIN\\(.*) $1@DOMEIN.NET
reverse_mappings = (.*)@DOMEIN\.NET DOMEIN\$1
}
This is my hosts file:
PHP Code:
127.0.0.1 localhost
127.0.1.1 ubuntus2.domein.net ubuntus2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
And this is my resolv file:
PHP Code:
# Generated by NetworkManager
nameserver 192.168.1.2
Any idea? thank you !!!!

11-21-2010, 07:08 PM | #4 | LMW (Member, Registered: Oct 2010, Location: Russia / USA, Distribution: Arch Linux, Posts: 36)
Quote:
Originally Posted by umiyz
Hello, this is my krb5.conf file.
Any idea? thank you !!!!
|
Here's your krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMEIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMEIN.NET = {
kdc = win2003.domein.net:88
admin_server = win2003.domein.net:749
default_domain = DOMEIN.NET
}
[domain_realm]
.domein.net = DOMEIN.NET
domein.net = DOMEIN.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
try_first_pass = true
}
And your hosts file should look like this:
127.0.0.1 localhost
127.0.1.1 ubuntus2.domein.net ubuntus2
192.168.1.2 win2003.domein.net win2003
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
This should help. Report the result, please.

11-21-2010, 07:46 PM | #5 | umiyz (LQ Newbie, Original Poster, Registered: Mar 2007, Posts: 12)
Hello, I made the necessary changes, but I still have the same result:
Quote:
Binding to domain with command /usr/bin/net join -U Administrator ..
Unable to find a suitable server for domain DOMEIN.NET
Unable to find a suitable server for domain DOMEIN.NET
|
Do I need to make several changes to the Windows 2003 Server as well?
UPDATE:
I tried this now and get the following:
net rpc getsid -S DOMEIN.NET -I 192.168.1.2 -U Administrator%P@ssword
Quote:
Could not connect to server DOMEIN.NET
Connection failed: NT_STATUS_ACCESS_DENIED
|
Still an error, but I can see that no access is granted..
Only problem is, I don't know to where..
Last edited by umiyz; 11-21-2010 at 08:06 PM.

11-21-2010, 08:07 PM | #6 | LMW (Member, Registered: Oct 2010, Location: Russia / USA, Distribution: Arch Linux, Posts: 36)
Quote:
Originally Posted by umiyz
Hello, I made the necessary changes, but I still have the same result:
Do I need to make several changes to the Windows 2003 Server as well?
|
Make smb.conf look like this, then restart the winbind and samba services.
[global]
idmap gid = 10000-20000
idmap uid = 10000-20000
password server = 192.168.1.2
workgroup = DOMEIN
realm = DOMEIN.NET
encrypt passwords = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
security = ADS
debuglevel = 2
wins support = no
# Winbind settings
# For testing
# A shared folder for testing purposes
[SharedFolder]
path = /home/onno2/Shared_Folder
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777
Then try "net ads join -U Administrator" (without quotes, of course =) )
Last edited by LMW; 11-21-2010 at 08:08 PM.
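As an added example (not code from the thread), a small Python checker that parses both files and flags the mismatches LMW's replies in #4 and #6 corrected: a DNS name in workgroup, a missing realm, no kdc for the realm in krb5.conf, and an incomplete [domain_realm] mapping. The function names and the abbreviated sample configs are mine, trimmed from the posts above.

```python
"""Checks an smb.conf / krb5.conf pair for the mismatches fixed in this thread.
Added example, not code from the thread; sample configs below are abbreviated
from posts #1/#3 (broken pair) and #4/#6 (fixed pair)."""

def parse_conf(text):
    """INI-like parser: {section: {key: [values]}}; 'NAME = { ... }' nests a dict."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if not stack and line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif line == '}' and stack:
            stack.pop()  # end of a krb5.conf realm/appdefaults block
        elif '=' in line and section is not None:
            key, _, value = (s.strip() for s in line.partition('='))
            target = stack[-1] if stack else conf[section]
            if value == '{':
                stack.append(target.setdefault(key.lower(), {}))
            else:
                target.setdefault(key.lower(), []).append(value)
    return conf

def first(mapping, key):  # first value of a repeatable key, None if absent
    values = mapping.get(key)
    return values[0] if isinstance(values, list) and values else None

def check_ads_config(smb_text, krb_text):
    """Return findings for the pair; an empty list means it looks consistent."""
    smb, krb, out = parse_conf(smb_text).get('global', {}), parse_conf(krb_text), []
    if (first(smb, 'security') or '').lower() != 'ads':
        out.append('smb.conf: security must be ADS for an Active Directory join')
    workgroup = first(smb, 'workgroup')
    if not workgroup or '.' in workgroup:  # post #1 had workgroup = domein.net
        out.append('smb.conf: workgroup must be the short NetBIOS name, not %r' % workgroup)
    realm = first(smb, 'realm')
    default_realm = first(krb.get('libdefaults', {}), 'default_realm') or ''
    if not realm:
        out.append('smb.conf: realm is missing; security = ADS needs the Kerberos realm')
    elif default_realm.upper() != realm.upper():
        out.append('krb5.conf: default_realm %r differs from smb.conf realm %r' % (default_realm, realm))
    name = (realm or default_realm).lower()  # parse_conf lower-cases realm keys
    block = krb.get('realms', {}).get(name)
    if name and not (isinstance(block, dict) and block.get('kdc')):
        out.append('krb5.conf: no kdc for realm %s; the join then depends only on DNS SRV records' % name.upper())
    for host in ((name, '.' + name) if name else ()):
        if (first(krb.get('domain_realm', {}), host) or '').upper() != name.upper():
            out.append('krb5.conf: [domain_realm] does not map %s to %s' % (host, name.upper()))
    return out

BROKEN_SMB = "[global]\nworkgroup = domein.net\nsecurity = ADS\npassword server = win2003.domein.net\n"
BROKEN_KRB = "[libdefaults]\ndefault_realm = DOMEIN.NET\ndns_lookup_kdc = true\n[realms]\nDOMEIN.NET = {\nauth_to_local = DEFAULT\n}\n[domain_realm]\n.domein.net = DOMEIN.NET\n"
FIXED_SMB = "[global]\nworkgroup = DOMEIN\nrealm = DOMEIN.NET\nsecurity = ADS\npassword server = 192.168.1.2\n"
FIXED_KRB = "[libdefaults]\ndefault_realm = DOMEIN.NET\ndns_lookup_kdc = true\n[realms]\nDOMEIN.NET = {\nkdc = win2003.domein.net:88\n}\n[domain_realm]\n.domein.net = DOMEIN.NET\ndomein.net = DOMEIN.NET\n"

if __name__ == '__main__':
    for smb_conf, krb_conf in ((BROKEN_SMB, BROKEN_KRB), (FIXED_SMB, FIXED_KRB)):
        print(check_ads_config(smb_conf, krb_conf) or ['no findings'])
```

Running it prints four findings for the broken pair and none for the fixed one; point it at the real /etc/samba/smb.conf and /etc/krb5.conf by reading the files into the two arguments.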

11-21-2010, 08:29 PM | #7 | umiyz (LQ Newbie, Original Poster, Registered: Mar 2007, Posts: 12)
I think you fixed it now !
Quote:
root@ubuntus2:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMEIN
Joined 'UBUNTUS2' to realm 'domein.net'
|
Thank you very much.. !!!!!!!!!!
Well, I am joined now; do I still require likewise-open?
Because without it, I cannot log on to Ubuntu with an ADS username..
Last edited by umiyz; 11-21-2010 at 08:36 PM.

11-21-2010, 08:46 PM | #8 | LMW (Member, Registered: Oct 2010, Location: Russia / USA, Distribution: Arch Linux, Posts: 36)
Quote:
Originally Posted by umiyz
I think you fixed it now !
Thank you very much.. !!!!!!!!!!
Well, I am joined now; do I still require likewise-open?
Because without it, I cannot log on to Ubuntu with an ADS username..
|
No, you don't need likewise-open. Moreover, you didn't need it earlier. Samba did it all.
Here's a good Samba + AD HOWTO
Enjoy!

11-28-2010, 03:16 PM | #9 | umiyz (LQ Newbie, Original Poster, Registered: Mar 2007, Posts: 12)
Hello, I have another question..
How can I install my Ubuntu as a secondary domain controller?
Do I need LDAP for this? And how can I do this?
Thank you!

11-28-2010, 11:24 PM | #10 | LMW (Member, Registered: Oct 2010, Location: Russia / USA, Distribution: Arch Linux, Posts: 36)

11-29-2010, 12:41 AM | #11 | linuxlover.chaitanya (Senior Member, Registered: Apr 2008, Location: Gurgaon, India, Distribution: Cent OS 6/7, Posts: 4,638)
According to the above link given:
Quote:
Active Directory Domain Control
As of the release of MS Windows 2000 and Active Directory, this information is now stored in a directory that can be replicated and for which partial or full administrative control can be delegated. Samba-3 is not able to be a domain controller within an Active Directory tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot act as a BDC to an Active Directory domain controller.
|

11-29-2010, 01:58 AM | #12 | umiyz (LQ Newbie, Original Poster, Registered: Mar 2007, Posts: 12)
Quote:
Originally Posted by LMW
|
Yes, I did google for quite some time (since my last post).
However, it seems it does not fix my problem.
Samba is more different than LDAP, I guess?
Thanks anyway... I am still looking for an answer.. It is frustrating

11-29-2010, 03:09 AM | #13 | linuxlover.chaitanya (Senior Member, Registered: Apr 2008, Location: Gurgaon, India, Distribution: Cent OS 6/7, Posts: 4,638)
Quote:
Originally Posted by umiyz
Yes, I did google for quite some time (since my last post).
However, it seems it does not fix my problem.
Samba is more different than LDAP, I guess?
Thanks anyway... I am still looking for an answer.. It is frustrating
|
I do not understand what you mean to say Samba is more different than LDAP?
Yes it is. Samba is typically used to share files and folders with windows. Or for windows networking.
Please go through this link to know what is LDAP.

12-13-2010, 01:03 PM | #14 | umiyz (LQ Newbie, Original Poster, Registered: Mar 2007, Posts: 12)
Quote:
Originally Posted by linuxlover.chaitanya
I do not understand what you mean to say Samba is more different than LDAP?
Yes it is. Samba is typically used to share files and folders with windows. Or for windows networking.
Please go through this link to know what is LDAP.
|
Well, I want the following:
I want my Active Directory users to be able to log on to the Ubuntu server.
Also, I want to share folders on my Ubuntu machine with the desired Active Directory users.
It seems I need LDAP for this.
Before I can use LDAP, I needed to make my Ubuntu machine a member server first, which it is now.
I tried to google for this, which is also a reason why my post took such a long time. But I couldn't find any useful information. There is information, but it is all outdated...
I hope any one of you can help me with this problem.
I really need LDAP fixed.
Thank you !