May 14, 2012

OpenSuse 12.01 & Ubuntu 12.04 LTS join Active Directory.

   During my work it became necessary to install Linux on the desktops of several users. One of them wanted OpenSuse 12.01, another was a fan of Ubuntu. The latest long-term support release of Ubuntu is 12.04. It is not so stable right now, but I think it will get better in the future. Well, first of all, I started with OpenSuse 12.01.
    I didn't have enough time, so I tried to install everything from the GUI.
Step 1. I installed the necessary packages: krb5-client, samba-client, samba, samba-winbind, pam-krb5.
Step 2. Then I edited /etc/hosts and added a line mapping the domain controller's IP address to the domain name. For example:
192.168.0.1    DOMAIN.LOCAL
Step 3. I synced the time between the workstation and the PDC. I did it by hand, because seconds didn't matter (Kerberos tolerates a clock skew of up to five minutes by default).
Step 4. I made some changes to the config files.
   A) My krb5.conf looked like this:
[libdefaults]
   default_realm = DOMAIN.LOCAL
   renew_lifetime = 24h
   # must be spelled exactly: krb5 silently ignores unknown relation names
   ticket_lifetime = 24h
[realms]
   DOMAIN.LOCAL = {
      kdc = 192.168.0.1
      admin_server = 192.168.0.1
      default_domain = domain.local
   }
[domain_realm]
   .domain.local = DOMAIN.LOCAL
   domain.local = DOMAIN.LOCAL
[logging]
   kdc = FILE:/var/log/krb/krb5kdc.log
   admin_server = FILE:/var/log/krb/kadmin.log
   default = FILE:/var/log/krb/krb5lib.log
B) Then I changed smb.conf:

[global]
workgroup               = DOMAIN
security                = ADS
password server         = 192.168.0.1
realm                   = DOMAIN.LOCAL
netbios name            = deep
idmap uid               = 10000-20000
idmap gid               = 10000-20000
winbind enum users      = yes
 I know there are over 9000 different ways to change these configs, but this was my shortest way to join the domain without hours of googling and reading tons of manuals. But without any doubt I'm going to learn more about Samba and Kerberos.
Step 5. After all that I was ready to try getting a Kerberos ticket, typed klist and oops:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
 Well, this is usually solved by running:

kinit aduser
where aduser is one of the domain users.
 Then I tried klist again and successfully got the ticket:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: drchi@DOMAIN.LOCAL
Valid starting     Expires            Service principal
05/05/12 11:16:21  05/06/12 22:10:23  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
   renew until 05/06/12 11:16:21
Kerberos 4 ticket cache: /tmp/tkt0 

Step 6. I was ready to attempt joining Active Directory. I typed this command:
net join -S 192.168.0.1 -W DOMAIN -U drchi
Then I entered drchi's password. But I got an error:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
I was very disappointed. Finally I googled an interesting solution. First, leave the domain:
net ads leave -U <username>
After leaving I tried again and it worked:
net ads join -U <username>

Step 7. I rebooted my computer and got an error that "Suse Theme doesn't supported winbind/samba login". The solution was found on a forum: it was known issue #721782. In /etc/sysconfig/displaymanager I set the DISPLAYMANAGER_KDM_THEME parameter to an empty string.
Another reboot and I was joined to my Active Directory.
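As an added example (my own script, not from this post and not part of krb5 or Samba): a small POSIX sh lint that reads a krb5.conf from stdin and reports relation names it does not recognise. libkrb5 silently ignores unknown keys, so a typo such as ticket_licfetime instead of ticket_lifetime never produces an error, it just leaves the built-in default in force. The accepted key lists are my own construction and cover only common keys.

```shell
#!/bin/sh
# krb5conf-lint.sh: flag misspelled relations in a krb5.conf read from stdin.
# MIT Kerberos silently ignores keys it does not recognise, so a typo such
# as "ticket_licfetime" leaves the built-in default in force with no error.
# Hypothetical checker written for this post; not part of krb5 or samba.

# Accepted relation names per section (constructed lists; extend as needed).
LIBDEFAULTS_KEYS="default_realm ticket_lifetime renew_lifetime forwardable \
dns_lookup_kdc dns_lookup_realm clockskew default_ccache_name"
REALM_KEYS="kdc admin_server default_domain master_kdc kpasswd_server"
LOGGING_KEYS="kdc admin_server default"
# known_key SECTION KEY -> 0 if KEY is a recognised relation in SECTION
known_key() {
    case "$1" in
        libdefaults) list=$LIBDEFAULTS_KEYS ;;
        realms)      list=$REALM_KEYS ;;
        logging)     list=$LOGGING_KEYS ;;
        *)           return 0 ;;   # sections not checked (e.g. domain_realm)
    esac
    for k in $list; do
        [ "$k" = "$2" ] && return 0
    done
    return 1
}
# lint_krb5conf < FILE -> prints "LINE:SECTION:KEY" for every unknown relation
lint_krb5conf() {
    section=""; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        t=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$t" in
            ""|\#*|\;*) continue ;;                        # blank or comment
            \[*\]) section=${t#"["}; section=${section%"]"}; continue ;;
            *=*)   key=$(printf '%s' "${t%%=*}" | sed 's/[[:space:]]*$//')
                   val=$(printf '%s' "${t#*=}" | sed 's/^[[:space:]]*//') ;;
            *)     continue ;;                             # e.g. closing "}"
        esac
        [ "$val" = "{" ] && continue                       # "REALM = {" opener
        known_key "$section" "$key" || printf '%s:%s:%s\n' "$n" "$section" "$key"
    done
}

# demo: lint a constructed copy of this post's krb5.conf (the typo is on line 4)
demo() {
    printf '%s\n' '[libdefaults]' '   default_realm = DOMAIN.LOCAL' \
        '   renew_lifetime = 24h' '   ticket_licfetime = 24h' '[realms]' \
        '   DOMAIN.LOCAL = {' '      kdc = 192.168.0.1' '   }' | lint_krb5conf
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh krb5conf-lint.sh demo` to see the finding, or source the file and run `lint_krb5conf < /etc/krb5.conf` against a real configuration.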
The Ubuntu part will follow in my next post.
