- 02-13-2009 #1 Just Joined!
- Join Date
- Feb 2009
- Posts
- 8
Active Directory Integration (Like in SUSE)!
- HELP!
I am using Debian / Lenny and I want to be able to login to my AD domain like you can in SUSE, how is this accomplished? I have followed the following threads:
integrating debian lenny into Active Directory W2k3 Server Awayand’s Blog
and
Can Linux Desktops Live in an Active Directory World? Reverend Ted’s Blog
WITHOUT using SUSE how can I accomplish the same effect?
- 02-13-2009 #2
you say you followed those docs, what happened? any errors?
I have a script in my co that I have customized for the computers in my network and it works for etch and lenny and ubuntu. I can offer up this script but the first link you posted above looks like a good one. I am not at work now but can respond in the morning if you want to see my configs.
- 02-14-2009 #3 Just Joined!
- Join Date
- Feb 2009
- Posts
- 8
Got it... But...
Finally got it to work, however when a new user logs in I get gconf errors out the wazoo, I know it has something to do w/ security but I don't know what, any thoughts? If this is too vague let me know, when I get to the office on Monday I will cut/paste the errors so you can read them.
ALSO if anybody is interested I can zip and post a script I wrote to join a domain, fun stuff, it may need tweaked though because of this current error w/ gconf.
- 02-14-2009 #4
yeah, I would say hold off posting a script if you are getting errors

if you could post the errors that would be great.
- 02-15-2009 #5
I have attached my scripts. for me, I put these files on an internal webhost and then wget it and run it. the kerb.txt file should be renamed to kerb.sh and the 2 other files should have the .txt extension removed. I make plenty of backups in my scripts (I like backups) but test for yourself before putting this on anything live. Obviously you will need to make adjustments because I have omitted my actual DC servers and domain name, but other than that it's exactly what I use on a new machine to auth it for AD auth. and fyi, if you install something that uses PAM after running this script, the PAM file will probably need to be updated (like ssh or webmin) to use AD auth. and of course give yourself sudo if you need that. in my samba config I am also creating a c$ share, because I like to be able to browse to c$

the only problem I have had with this and haven't had time to script this fix, is that samba and winbind need to be started and in a particular order for it to work properly. So if this doesn't work immediately then you need to
Code:
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start
and all should be good.
The way I fix that is to remove the init scripts for samba and winbind
Code:
update-rc.d -f winbind remove
update-rc.d -f samba remove
and I then create my own init script that starts samba first and then starts winbind. it doesn't seem to work properly if winbind is started first.
after lots of trial and error and trying other methods, this is the best I have come across. and I can't take credit for the steps because I pieced most of it together from 2 or 3 sources (can't remember now), but I automated it and scripted it myself.
I have so far never shown this to anyone outside of my co so I would really appreciate comments.
Thanks.
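An added example (not part of the original post or its attached scripts) of the kind of init wrapper described in post #5: it starts samba before winbind, stops them in the order of the manual fix, and then checks winbindd with `wbinfo`. The function names and the `DRY_RUN` switch are hypothetical; the init script paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: enforce the samba -> winbind start order from post #5.
# Function names and DRY_RUN are assumptions made for this illustration.

SAMBA=/etc/init.d/samba
WINBIND=/etc/init.d/winbind

# With DRY_RUN=1 each command is printed instead of executed, so the
# ordering can be reviewed on a machine that is not joined to a domain.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ad_start() {
    run "$SAMBA" start || return 1
    run "$WINBIND" start || return 1
    # wbinfo -p pings winbindd; wbinfo -t verifies the machine trust secret.
    run wbinfo -p || return 1
    run wbinfo -t || return 1
}

ad_stop() {
    # Same order as the manual fix in the post: winbind goes down first.
    run "$WINBIND" stop
    run "$SAMBA" stop
}

ad_services() {
    case "$1" in
        start)   ad_start ;;
        stop)    ad_stop ;;
        restart) ad_stop; ad_start ;;
        *)       echo "Usage: ad_services {start|stop|restart}" >&2
                 return 2 ;;
    esac
}

# Dispatch only when called with an argument, e.g. "sh ad-auth start".
if [ $# -gt 0 ]; then
    ad_services "$1"
fi
```

A non-zero exit from `start` means either a service failed to come up or the trust check failed, which is worth logging before any domain login is attempted.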
- 02-16-2009 #6 Just Joined!
- Join Date
- Feb 2009
- Posts
- 8
My GCONF errors...
When I log into gnome, I get desktop errors out the wazoo, it's almost like a permissions issue. The errors are all the same thing, which is:
Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for more information. (Details - 1: IOR file '/tmp/gconfd-<username>/lock/ior' not opened successfully, no gconf located: Permission denied 2: IOR file '/tmp/gconfd-<username>/lock/ior' not opened successfully, no gconf located: Permission Denied)
This is what I get every time I logon w/ a domain user, I am able to operate okay when I logon as root, I haven't yet but will soon create another local user and see if I get the same error, if I don't I know I have a permissions issue.
- 02-16-2009 #7 Just Joined!
- Join Date
- Feb 2009
- Posts
- 8
Definitely a permissions issue
I TESTED WITH A LOCAL USER CALLED "TEST" (HOW ORIGINAL) AND IT WORKS OKAY. i HAVE ATTACHED SOME FILES (Ohh, sorry caps...) please see below...
/etc/pam.d/common-account
account sufficient pam_winbind.so
account required pam_unix.so
/etc/pam.d/common-auth
auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
/etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=50 md5
THIS MIGHT BE MY PROBLEM...
/etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
- 02-16-2009 #8 Just Joined!
- Join Date
- Feb 2009
- Posts
- 8
It works???
Okay, something I received from JLEDHEAD worked, I modded my configs to include what I didn't have from what he posted and it works... Once I clean my configs I will post them. I will test this against another machine to make sure it's not a fluke and post them once I know they're clean. Thanks to all!
- 02-19-2009 #9 Just Joined!
- Join Date
- Feb 2009
- Posts
- 8
New issue
By default when a new domain user logs onto the linux workstation from a domain account how can I assign the following local groups to that user? For example I want /etc/groups to be updated with either Domain Users or their user name upon login.
HTML Code:
/etc/group
dialout:x:20:mkisow
cdrom:x:24:mkisow
floppy:x:25:mkisow
audio:x:29:mkisow
video:x:44:mkisow
plugdev:x:46:mkisow
netdev:x:111:mkisow
powerdev:x:114:mkisow
Can I put "DOM\Domain Users" in these groups? For example like this:
HTML Code:
dialout:x:20:"DOM\Domain Users"
cdrom:x:24:"DOM\Domain Users"
floppy:x:25:"DOM\Domain Users"
audio:x:29:"DOM\Domain Users"
video:x:44:"DOM\Domain Users"
plugdev:x:46:"DOM\Domain Users"
netdev:x:111:"DOM\Domain Users"
powerdev:x:114:"DOM\Domain Users"
- 02-19-2009 #10
I would think so. the only other thing I am doing is giving domain admins sudo rights, I don't add anything to the groups file. add it and see.


