AD Authentication problem with OpenSuse11.2

[Ennki]

---

Hi there,

I planned to use Squid on my W2k3 network, because I'm tired of ISA2k6... it's a **** factory in itself. So, I just installed a VM with OpenSuse 11.2 and joined it to my AD W2k3 domain. After correcting the clock problems, everything is running fine except a strange feature that I was not able to solve.

After a reboot, I'm not able to login with a domain account. I enter the username/password, choose the domain then it the input fields become grey for 1-2 seconds then the password field is reset and nothing happens.
The most strange part comes when you logon with the local root account. You login as root, then logoff and login with any domain account : works like a charm...

Kerberos is working fine, systemclock's correct... well, any idea please ? Tell me if you need the conf files and which ones.

Best

[gogalthorp]

You have samba setup?

[Ennki]

Hi,

Sure :

Code:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2010-03-15
[global]
	security = ads
	netbios name = TESTSQUID1
	realm = TEST.LOCAL
	password server = testdc1.isl.local
	workgroup = TEST
	idmap uid = 500-10000000
	idmap gid = 500-10000000
	winbind separator = +
	winbind enum users = no
	winbind enum groups = nokinit
	winbind use default domain = yes
	template homedir = /home/%D/%U
	template shell = /bin/bash
	client use spnego = yes
	domain master = no
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

## Share disabled by YaST
# [netlogon]

Thank you or spending a few minutes with this

[linuxforever]

A quick response for this moment.

Normally the security settings are:
share
user
server
domain

It is domain if you have a domain controller active on your network.
Samba can also fullfill this task (the samba server).
Otherwise there is a master browser active on the network.
But samba can also do this by the OS level settings.

When you use a domain you cannot use a workgroup.
It's either one of them.
You use winbind if there is another server active than the samba server.

[HROAdmin26]

A quick response for this moment.

Normally the security settings are:
share
user
server
domain

Bad info. Set up Samba in the last 5 years? ADS = Active Directory integration using Kerberos. "Domain" = NT4-style NTLM authentication. "ADS" has been in use for *a long time.*

To the OP:

I would review the PAM settings and ensure winbind is enabled correctly - maybe change the order and move winbind up in the list. Jack up the logging in winbind and review it for domain login failures. Another guess would be that there are network settings that are not being enabled until a user logs in - such as the NIC being under the control of Network Manager. If the NIC doesn't get enabled/IP'ed until the user logs in, the machine can't contact network resources for login auth.

[linuxforever]

Thank you HROAdmin26 for your fine comment.

First, it was no bad info that I gave.
Because "normally" one would use the security settings mentioned by me.
If you have understood and mastered the server and domain settings and got them working you are on the bussiness.
In that case you can use the ads settings using kerberos and having installed that.
But that is a bit more complex as the question lets us see.
Using ads is a choice but it's not beter than server or domain.

But true, samba is complex and even some folks don't even get the user settings working.
You have to understand what the master browser is and a domain controller and a primary domain controller.
All these settings you have to do correctly in the samba settings.

And for the rest, I'm only trying to help someone (or others).

[HROAdmin26]

Using ads is a choice but it's not beter than server or domain.

ADS would be the recommended method (from the Samba Dev's) since the advent of Active Directory (Win2000) and its inclusion in Samba. Using "security = server" is NOT recommended by Samba. In a Samba Dev's words it is an "ugly man-in-the-middle hack...that should not be used any longer."

If you have an AD environment where legacy, insecure Windows systems are not allowed to connect, NT4-style authentication will be denied. This will not allow security = domain.

You have to understand what the master browser is and a domain controller and a primary domain controller.

While AD has a FSMO role called "PDC Emulator," there is no primary DC in an AD environment. This is important, since AD has been in use since the introduction of Windows 2000. This is not new - while security = ADS started out rocky, it has been in majority use for many years.

For my own .02, I will take "solid, fact-based information" over "good intentions" that cause misunderstanding/more problems every day of the week and twice on Sunday.