I finally got my Centos server to join our AD domain. I can see the users with net ads user
but can't login with any of the users in AD.
Any ideas?
Thanks,
James
Centos5 joined Active Directory, but AD users can't log in.
Re: Centos5 joined Active Directory, but AD users can't log in.
I can say I have gotten that far at least. I am able to see users log in via ssh, but for some reason when doing anything samba, I get a kerberos ticket error.
The way I got myself to the point beyond yours is by configuring the network authentication. It's a wizard process, I know, and I still have no idea how to manually make that all happen, but at least the machine can join the domain and users can (sort of) log into the machine with AD authentication. I say sort of because I haven't added the PAM stuff to create home directories on the fly. Once I do that, I expect better things. Right now, my biggest hurdle is getting beyond this kerberos ticket thing.
Re: Centos5 joined Active Directory, but AD users can't log in.
I have users logging into my 2003 AD ok.
What do you have when you run authconfig? Under "User Information" all are blank but Use Winbind. Under Authentication I have Use MD5, Use Shadow, Use Winbind, Local Auth is sufficient.
When you hit NEXT, you get Winbind Settings. I have
Security model: ads
Domain: HOME
Domain Controllers: dawn.home.domain.com
ADS realm: HOME.DOMAIN.COM
Template shell /bin/bash
You might try running
wbinfo -g ( shows groups )
wbinfo -u ( shows users )
Maybe one of them will toss an error that helps.
Here is my smb.conf from my machine, if that helps.
[global]
log level = 0
# general options
workgroup = HOME
netbios name = WILLOW
server string = File server
nt acl support = true
# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
# Active directory joining
# "ads server" is only necessary if your kdc
# can't be located using /etc/krb5.conf
security = ads
realm = HOME.DOMAIN.COM
# this handles the "ads server = " directive as well
password server = dawn.home.domain.com
[RAID]
comment = RAID share
path = /data/SMB/storage
read only = no
# "public" is a synonym for "guest ok": no password is required to connect,
# and the connection runs with the privileges of the guest account
public = yes
Re: Centos5 joined Active Directory, but AD users can't log in.
Could it be that you need to set user/group permissions for accessing your share(s)?
Also, those pesky ACLs could be an issue. I find that if you don't care about actual ownership of files and the like, you could set the force user = and force group = attributes on the share definition, but I definitely don't see mention of any specific user or group access permission in the share and they are certainly needed.
getfacl and setfacl are the commands used in setting the ACLs if you want to go that route.
See the guide I am attaching here to verify your checklist of settings to be sure they are all correct. I found this particular guide to be extremely useful.
(I cannot attach a PDF here...)
http://www.infosecwriters.com/text_resources/pdf/AD_and_Linux_TMunn.pdf <-- the guide is here
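The checklist the two replies above walk through (the winbind settings in smb.conf, whether the box can actually see AD users, and then the per-share permissions and ACLs) as a small lint script. This is an added example, not code from the thread, from Samba or from authconfig; the sample smb.conf, nsswitch.conf and PAM lines at the bottom are constructed (the smb.conf is trimmed from the one posted above), and on a real CentOS 5 box you would pass in the contents of /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth instead. The point it adds to the thread is that smb.conf alone cannot tell you why logins fail: wbinfo -u can list users while getent and sshd still never see them (nsswitch not pointing at winbind) or PAM never asks winbind for a password (no pam_winbind line), and a missing template shell leaves users with Samba's default of /bin/false.

```python
"""Lint the pieces an AD login through winbind depends on (added example)."""
import re

# smb.conf synonyms: "public" is "guest ok"; "winbind uid/gid" are idmap uid/gid.
ALIASES = {"public": "guest ok", "winbind uid": "idmap uid", "winbind gid": "idmap gid"}

def parse_smb_conf(text):
    """Return {section: {key: value}}, names lowercased, synonyms folded."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # full-line comments only
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][ALIASES.get(key, key)] = value.strip()
    return conf

def check_global(conf):
    """Settings whose absence stops AD users resolving or getting a shell."""
    g = conf.get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' for a Kerberos domain member")
    for key in ("realm", "workgroup"):
        if not g.get(key):
            problems.append("%s is not set" % key)
    for key in ("idmap uid", "idmap gid"):
        m = re.match(r"^(\d+)\s*-\s*(\d+)$", g.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append("%s missing or not a low-high range" % key)
    # Samba's default template shell is /bin/false: users resolve, logins fail.
    if not g.get("template shell"):
        problems.append("template shell unset (defaults to /bin/false)")
    return problems

def check_nsswitch(text):
    """passwd/group must include winbind or getent and login never see AD users."""
    problems = []
    for db in ("passwd", "group"):
        m = re.search(r"^\s*%s\s*:\s*(.*)$" % db, text, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append("nsswitch.conf: %s does not use winbind" % db)
    return problems

def check_pam(text):
    """Auth must reach pam_winbind; pam_mkhomedir creates homes on first login."""
    problems = []
    if not re.search(r"^\s*auth\s+.*pam_winbind\.so", text, re.M):
        problems.append("PAM: no 'auth ... pam_winbind.so' line")
    if not re.search(r"^\s*session\s+.*pam_mkhomedir\.so", text, re.M):
        problems.append("PAM: no pam_mkhomedir session line (no home dir on login)")
    return problems

def check_shares(conf):
    """Per-share exposure: guest access, or no user/group restriction at all."""
    problems = []
    for name, s in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if s.get("guest ok", "no").lower() in ("yes", "true", "1"):
            problems.append("share [%s]: guest access enabled (public/guest ok)" % name)
        if not s.get("valid users") and not s.get("force user"):
            problems.append("share [%s]: no valid users or force user; access "
                            "rests on filesystem permissions and ACLs" % name)
    return problems

def lint_all(smb_text, nss_text, pam_text):
    """Run every check; returns {area: [problem, ...]} (empty list means ok)."""
    conf = parse_smb_conf(smb_text)
    return {"global": check_global(conf), "nsswitch": check_nsswitch(nss_text),
            "pam": check_pam(pam_text), "shares": check_shares(conf)}

# Constructed samples; the smb.conf is trimmed from the one posted above.
SAMPLE_SMB_CONF = """
[global]
workgroup = HOME
security = ads
realm = HOME.DOMAIN.COM
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
[RAID]
path = /data/SMB/storage
read only = no
public = yes
"""
SAMPLE_NSSWITCH = "passwd: files winbind\ngroup: files winbind\n"
SAMPLE_PAM = ("auth sufficient pam_winbind.so\nauth required pam_unix.so\n"
              "session required pam_mkhomedir.so skel=/etc/skel umask=0077\n")
```

Against the samples, lint_all reports the [global] section, nsswitch and PAM as clean and flags the [RAID] share twice: guest access is on (public = yes), and nothing restricts who can use it, so access depends entirely on the mode bits and ACLs of /data/SMB/storage, which is the point the last reply makes. To use it on a live host, read the three files and call lint_all(smb, nsswitch, pam).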