Old 12-15-2008, 01:09 PM   #1
stioanid
Member
 
Registered: Dec 2008
Location: Athens
Distribution: Centos Ubundu RedHat
Posts: 38

Rep: Reputation: 15
authenticating Centos 5.2 client through AD


I have used winbind with kerberos and samba to connect to an AD server.
Although I seem to be able to get a ticket (kinit works), when I run

net ads join -U stavros.ioannidis@DIONIC.COM.GR

I get the following error:
Ignoring unknown parameter "winbind seperator"
Enter stavros.ioannidis@DIONIC.COM.GR's password:
[2008/12/15 19:48:16, 0] passdb/secrets.c:secrets_init(71)
Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database
Any ideas why this is happening?

Here are my configuration files:

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 36000
default_realm = DIONIC.COM.GR
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DIONIC.COM.GR = {
kdc = DC1.DIONIC.COM.GR
kdc = DC2.DIONIC.COM.GR
admin_server = DC1.DIONIC.COM.GR
default_domain = DIONIC.COM.GR
}
[domain_realm]

.dionic.com.gr = DIONIC.COM.GR
dionic.com.gr = DIONIC.COM.GR



/etc/samba/smb.conf

[global]
security = ads
netbiosname = STARGATE
realm = DIONIC.COM.GR.nl
password server = DC1.DIONIC.COM.GR
workgroup = DIONIC.COM.GR
idmap uid = 500-100000
idmap gid = 500-100000
winbind seperator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
idmap uid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

/etc/ldap.conf
host 127.0.0.1
base dc=dionic,dc=com,dc=gr
uri ldaps://dc1.dionic.com.gr/
ldap_version 3
binddn cn=stavros_ioannidis,dc=dionic,dc=com,dc=gr
bindpw
rootbinddn cn=stavros.ioannidis,dc=dionic,dc=com,dc=gr
scope sub
pam_password md5
nss_base_passwd dc=dionic,dc=com,dc=gr?sub
nss_base_shadow dc=dionic,dc=com,dc=gr?sub
nss_base_group dc=dionic,dc=com,dc=gr
&(objectCategory=group) (gidnumber=*)
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
 
Old 12-16-2008, 10:03 PM   #2
ncsuapex
Member
 
Registered: Dec 2004
Location: Raleigh, NC
Distribution: CentOS 2.6.18-53.1.4.el5
Posts: 770

Rep: Reputation: 44
Try
net ads join -U DIONIC+stavros.ioannidis

Are samba (smb) and winbind running?

Last edited by ncsuapex; 12-16-2008 at 10:12 PM. Reason: ..
 
Old 12-17-2008, 03:14 AM   #3
stioanid
Member
 
Registered: Dec 2008
Location: Athens
Distribution: Centos Ubundu RedHat
Posts: 38

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ncsuapex
Try
net ads join -U DIONIC+stavros.ioannidis

Are samba (smb) and winbind running?

It still gives me the same errors.

net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
[2008/12/17 10:06:50, 0] passdb/secrets.c:secrets_init(71)
Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database

By the way, is slapd supposed to run? I can't get it to start.
etc/init.d/slapd start
No configuration directory was found for slapd at /etc/ldap/slapd.d/.
If you have moved the slapd configuration directory please modify
/etc/default/slapd to reflect this. If you chose to not
configure slapd during installation then you need to do so
prior to attempting to start slapd.
Could it be because AD isn't configured to accept anonymous Bind operations?

Samba and winbind are running
 
Old 12-17-2008, 11:00 AM   #4
ncsuapex
Member
 
Registered: Dec 2004
Location: Raleigh, NC
Distribution: CentOS 2.6.18-53.1.4.el5
Posts: 770

Rep: Reputation: 44
Sorry, I was really tired when I read your post. Not sure why you don't have a secrets file, but stop samba/winbind, restart samba, try to join the domain, then start winbind.


You should have a secrets.tdb; try a search for it.

find /var -name secrets.tdb

I'm running CentOS 5.1 and my secrets.tdb is here:

find /var -name secrets.tdb
/var/lib/samba/private/secrets.tdb



I don't have slapd running on my linux box as we are using ldap on the AD server.
 
Old 12-18-2008, 03:37 AM   #5
stioanid
Member
 
Registered: Dec 2008
Location: Athens
Distribution: Centos Ubundu RedHat
Posts: 38

Original Poster
Rep: Reputation: 15
authenticating Centos 5.2 through AD

Quote:
Originally Posted by ncsuapex
Sorry, I was really tired when I read your post. Not sure why you don't have a secrets file, but stop samba/winbind, restart samba, try to join the domain, then start winbind.


You should have a secrets.tdb; try a search for it.

find /var -name secrets.tdb

I'm running CentOS 5.1 and my secrets.tdb is here:

find /var -name secrets.tdb
/var/lib/samba/private/secrets.tdb



I don't have slapd running on my linux box as we are using ldap on the AD server.

Ok, I did the same as you. First I stopped using slapd and I am using ldap on the AD side.
I started only samba, and it did find the secrets tdb, but it didn't join because winbind wasn't on.

$ sudo net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
Failed to join domain: failed to lookup DC info for domain 'DIONIC.COM.GR' over rpc: Logon failure

I started winbind and ran the same command

stavros@stavros-laptop:~$ sudo net ads join -U DIONIC+stavros.ioannidis
Enter DIONIC+stavros.ioannidis's password:
Failed to join domain: failed to lookup DC info for domain 'DIONIC.COM.GR' over rpc: Logon failure

but when I run

stavros@stavros-laptop:~$ sudo net adds join stavros.ioannidis@DIONIC.COM.GR
Enter stavros.ioannidis@DIONIC.COM.GR's password:
Failed to join domain: Invalid configuration and configuration modification was not requested

when i run
wbinfo -p
Ping to winbindd failed
could not ping winbindd!
That was because winbind isn't running. If I try to start it, it won't start, and if I tail -f /var/log/samba/log.winbindd I get the following message:

[2008/12/18 16:19:50, 0] winbindd/winbindd.c:main(1126)
winbindd version 3.2.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/12/18 16:19:50, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2353)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2008/12/18 16:19:50, 0] winbindd/winbindd_util.c:init_domain_list(719)
Could not fetch our SID - did we join?
[2008/12/18 16:19:50, 0] winbindd/winbindd.c:main(1268)
unable to initialize domain list

I did stop apparmor from running because I thought it might be interfering with winbind, but winbind still won't start.
As well, when I run
sudo net rpc getsid
it gives me the message "Unable to find a suitable server". I did check portmap and it is running.
I also tried to change my range in smb.conf from 500-10000 to 10000-20000, but still nothing changed.
My main effort is basically to have all my accounts maintained centrally through AD so I don't have to retain different authentication methods for linux and windows.
By the way, when I try to log in to my laptop through AD I can't. Of course I have changed my /etc/nsswitch.conf:

passwd: compat winbind files
group: compat winbind files
shadow: compat files
hosts: files dns wins mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files


As well thank you very much for your support so far.

Last edited by stioanid; 12-18-2008 at 10:23 AM.
 
Old 12-18-2008, 10:12 AM   #6
ncsuapex
Member
 
Registered: Dec 2004
Location: Raleigh, NC
Distribution: CentOS 2.6.18-53.1.4.el5
Posts: 770

Rep: Reputation: 44
You're getting past my experience with samba/winbind/AD, but I do know that you can join a domain without winbind running: you can't look up any users, but it should still join the domain, and then you can start winbind to look up users/groups/etc. Does the account you are using have the admin rights to join the domain?


my nsswitch.conf looks like this:

passwd: files winbind
shadow: files winbind
group: files winbind


hosts: files dns wins



Not sure what the compat option is used for.
 
Old 02-19-2009, 02:27 AM   #7
fngreno
LQ Newbie
 
Registered: Dec 2008
Distribution: CentOS
Posts: 3

Rep: Reputation: 0
Try installing Likewise - it just works

Try using the open version for AD; read the quickstart - then it works. You can download, install and join the AD domain in 15 min.

No, they are not paying me, I'm just happy not to be messing around with winbindd and all its idiosyncrasies anymore.

Last edited by fngreno; 02-20-2009 at 08:07 PM. Reason: Point out the "open" version
 
Old 02-20-2009, 03:22 AM   #8
stioanid
Member
 
Registered: Dec 2008
Location: Athens
Distribution: Centos Ubundu RedHat
Posts: 38

Original Poster
Rep: Reputation: 15
authenticating Centos 5.2 through AD

Quote:
Originally Posted by fngreno
Try installing Likewise - it just works
Thanks for the suggestion, but I did try Likewise on one of my servers running Centos and it didn't work the way I expected.
Nonetheless I have managed to figure out a how-to for joining an ADS domain using winbind, kerberos and samba.
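The thread never spells out what was wrong with the posted smb.conf, and several of the error messages quoted above (the ignored parameter in #1, the secrets.tdb failure in #1 and #3, the "did we join?" line in #5) each point to a specific next step. The script below is an added example, not code from the thread or from the Samba project: it lints a copy of the [global] section from post #1 for the mistakes visible there (a misspelled parameter that Samba silently ignores, a duplicated key, a realm that is not the uppercase Kerberos realm, a workgroup written as a DNS name) and maps the quoted log lines to the remedy the replies arrived at. The sample config and log text are constructed from the posts and embedded inline, so it runs offline with only sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread): lint an smb.conf [global] section for the
# mistakes visible in the original poster's configuration, and map Samba/winbindd
# messages quoted in the thread to a next step. Needs only sh, printf and awk.

# Constructed sample: the [global] section posted in #1, trimmed to the relevant lines.
SAMPLE_SMB_CONF='[global]
security = ads
netbiosname = STARGATE
realm = DIONIC.COM.GR.nl
password server = DC1.DIONIC.COM.GR
workgroup = DIONIC.COM.GR
idmap uid = 500-100000
idmap gid = 500-100000
winbind seperator = +
winbind use default domain = yes
idmap uid = 10000-20000
template shell = /bin/bash'

# Constructed sample: log lines quoted in posts #1 and #5.
SAMPLE_LOG='Ignoring unknown parameter "winbind seperator"
[2008/12/15 19:48:16, 0] passdb/secrets.c:secrets_init(71)
Failed to open /var/lib/samba/secrets.tdb
Failed to join domain: Unable to open secrets database
[2008/12/18 16:19:50, 0] winbindd/winbindd_util.c:init_domain_list(719)
Could not fetch our SID - did we join?'

# lint_smb_conf CONFIG_TEXT: print one finding per line (prints nothing if clean).
lint_smb_conf() {
    printf '%s\n' "$1" | awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # skip comments, blank lines and section headers
    /^[ \t]*[#;]/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }
    index($0, "=") > 0 {
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        val = trim(substr($0, index($0, "=") + 1))
        if (key == "winbind seperator") print "misspelled parameter \"winbind seperator\": Samba ignores it; use \"winbind separator\""
        if (key == "netbiosname")       print "misspelled parameter \"netbiosname\": use \"netbios name\""
        if (key in seen)                print "duplicate parameter \"" key "\": the last value wins, remove one"
        seen[key] = val
    }
    END {
        # Kerberos realms are case-sensitive and written in uppercase; this one also
        # disagrees with default_realm in the krb5.conf posted in #1
        if ("realm" in seen && toupper(seen["realm"]) != seen["realm"])
            print "realm \"" seen["realm"] "\" is not uppercase; it must match the Kerberos realm (DIONIC.COM.GR in krb5.conf)"
        # workgroup is the short NetBIOS domain name, never a dotted DNS name
        if ("workgroup" in seen && index(seen["workgroup"], ".") > 0)
            print "workgroup \"" seen["workgroup"] "\" looks like a DNS name; use the NetBIOS name (e.g. DIONIC)"
    }'
}

# diagnose_samba_log LOG_TEXT: print one hint per distinct recognised message.
diagnose_samba_log() {
    printf '%s\n' "$1" | awk '
    function hint(msg) { if (!(msg in printed)) { printed[msg] = 1; print msg } }
    /Ignoring unknown parameter/ {
        hint("smb.conf has a misspelled parameter: run testparm and fix it before joining") }
    /Unable to open secrets database/ || /Failed to open .*secrets\.tdb/ {
        hint("secrets.tdb cannot be opened: run net ads join as root; starting smbd first creates it under the private dir (e.g. /var/lib/samba/private)") }
    /Could not fetch our SID - did we join/ {
        hint("winbindd cannot start until the machine is joined: stop winbindd, restart smbd, net ads join, then start winbindd") }
    /over rpc: Logon failure/ {
        hint("the DC rejected the join credentials: check the account form (DOMAIN+user or user@REALM) and that it is allowed to join machines") }
    /Unable to find a suitable server/ {
        hint("no domain controller found: check DNS for the realm and the realm/workgroup values in smb.conf") }
    '
}

echo "== smb.conf findings =="
lint_smb_conf "$SAMPLE_SMB_CONF"
echo "== next steps from the log =="
diagnose_samba_log "$SAMPLE_LOG"
```

On a real host the two functions would be fed `cat /etc/samba/smb.conf` and the winbindd/smbd logs instead of the embedded samples; the point of the linter is that Samba only warns about an unknown parameter and then carries on, so a typo like "seperator" never fails loudly, and the log mapper encodes the ordering the replies converged on (join with smbd up and winbindd down, then start winbindd).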
 