Quest of SUSE 10 with Server2k8 AD authentication

Danie Wessels Danie.Wessels at pbmr.co.za
Mon Feb 17 01:58:39 MST 2014


Hi Steve

Sorry for the noise below. It seems that the join issue was a non-issue. Maybe, maybe not.
->   - IF security = ads
-> > net ads join will join the computer to the domain and register its name in DNS.
> Hence the DNS server must be able to work out the name of the computer _before_ you issue the command. Hence:
> >> >> If it is not then the DC does not know the fqdn of the VM.

-> And to remove it altogether 
->   net ads leave -U"someadmin"%"passwd" {from the machine} 

> Do I need to be a Domain Controller (as machine 1) to authenticate AD users on local machine 1 for login?
> (Here I suppose I have to assign manually the AD users to the local Linux login group.
>  This will not be an issue because I think this is what had happened.)


>> It seems once again here that the AD/DNS setup is faulty (not stable).
> No, I don't think so. net is quite correctly throwing up the DNS error upon joining.. I can't keep repeating how to fix that;)

Are you misunderstanding my meaning here? Sorry. See below. I have no problem with the working of either system in general, but with our configuration/implementation at this place.

>  - I have asked the AD admin to fix recurring static IPs for the old machine 1 and 2 with same names as their VMs
>   (we only had old physical machine 2 on last Thursday for a while)

> Just remove the machines, make sure that AD knows their fqdn and then rejoin them.
>  If they're static IP's, the name will be registered once upon the join and you can then forget about it forever.
>  Unless you enable dynamic updates on a Linux box it will never send IP update requests. That's just great for a server or a DC.
On Thursday:
It seems we do get dynamic updates (of statics!!) into the DNS. I now suspect vSphere; first I suspected a faulty DNS/AD config, then a possible cron script somewhere.

Friday:
He claims that AD and DNS are working correctly and as they are supposed to work. - But when the VM for 2 (and 1) is running I now have a cron script to register their IPs every 5 minutes - or else the DNS gets a request/update to revert their IPs to those of the old physical machines!!!
 - And of course if I am unaware of that I keep running around in circles for hours :o) 
I still have to figure that one out!

Connecting the physical machine 2 with VM machine 1 ... logins worked again!! Now I am stumped. I don't know what is going on.

On machine 1 we have a loginusers group list (gid: 10436) which seems to have had added to it (manually, I suppose) the sublist of AD users who are allowed to log in to both
(or either) machine 1 or machine 2 with the same home folder each (an NFS share exported from machine 1 is mounted as the home folder on machine 2).

from smb.conf
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s/bin/false %m$
        domain logons = No
        domain master = No
        passdb backend = smbpasswd
        security = ADS
        wins support = No
        netbios name = {machine 1}
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = {domainname}
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        winbind offline logon = yes
        winbind refresh tickets = yes
        winbind separator = /
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        restrict anonymous = 2
        disable netbios = no
        dos charset = ASCII
        unix charset = UTF8
        display charset = UTF8
        client use spnego = yes
        client ntlmv2 auth = yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

wesselsdan@{machine 1}:~> sudo wbinfo -i wesselsdan
wesselsdan:*:10007:10000:Danie Wessels:/home/{Subdomain}/wesselsdan:/bin/bash

wesselsdan@{machine 1}:~> sudo wbinfo -i enguser1
root's password:
Could not get info for user enguser1

What I need to know:
====================
- *How to add (the proper/simple way) new users (like a user called enguser1) to this list (the loginusers group on machine 1).* (This is a sublist of the AD users.)
  - For interest's sake: how does this authentication propagate to machine 2?
  I am at a loss as to where I should add the guid (or rids .. haha) or whatever.
  - I tried to just append enguser1 to the list in /etc/group. No luck.
- What information would you need to debug this setup?

Then the next step for me is to switch back to the VM for machine 2 and still have it working.

>>  - This is causing a mount share for machine 2 on 1 not to be available for 2.
> You're almost certainly correct.

> > HTH
> > Steve
>> Every bit of the picture makes it clearer!
>> Thanks

> Good luck.
> Steve
It helped! - the good luck wish. Thanks

> Danie W

The perusal, use, dissemination, copying or storing of this message or its attachments and the opening of attachments is subject to PBMR's standard email disclaimer available at internet address: http://www.pbmr.com/index.asp?Content=233 - Disclaimer or on request from the sender.
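The following is an added diagnostic example, not code from the thread or from Samba. It reproduces, offline, the checks implied by the posted smb.conf and the two `wbinfo -i` runs above: does winbind resolve the user at all, do the uid/gid it hands back fall inside the configured `idmap uid/gid = 10000-20000` range, and is the user actually listed in the local loginusers group. The `wbinfo` output and the group line are constructed samples (the users `otheruser` and `thirduser` are hypothetical); on a real host you would replace the lookup with `wbinfo -i "$user"` and read `/etc/group` instead of the embedded sample.

```sh
#!/bin/sh
# Added diagnostic (not from the thread). All input below is constructed so
# the script runs offline; swap in `wbinfo -i "$user"` and /etc/group on a host.

# Range taken from the posted smb.conf ("idmap uid/gid = 10000-20000").
IDMAP_LOW=10000
IDMAP_HIGH=20000

# Constructed sample of what `wbinfo -i USER` prints (passwd-style line).
# enguser1 is deliberately absent, matching "Could not get info for user enguser1".
# otheruser (hypothetical) carries a uid outside the idmap range;
# thirduser (hypothetical) resolves fine but is not in loginusers.
SAMPLE_WBINFO='wesselsdan:*:10007:10000:Danie Wessels:/home/SUB/wesselsdan:/bin/bash
otheruser:*:25000:10000:Other User:/home/SUB/otheruser:/bin/bash
thirduser:*:10042:10000:Third User:/home/SUB/thirduser:/bin/bash'

# Constructed sample /etc/group entry for loginusers (gid 10436 as in the post).
SAMPLE_GROUP='loginusers:x:10436:wesselsdan,enguser1,otheruser'

# wbinfo_lookup USER: print USER's passwd line, or fail if winbind does not know it.
wbinfo_lookup() {
    printf '%s\n' "$SAMPLE_WBINFO" | grep "^$1:"
}

# in_range N LOW HIGH: succeed if LOW <= N <= HIGH.
in_range() {
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then return 0; else return 1; fi
}

# group_has GROUP USER: succeed if USER appears in GROUP's member list.
group_has() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $4 }' \
        | tr ',' '\n' | grep -qx "$2"
}

# check_login_user USER: print one verdict and return 0 only for "ok":
#   unresolved  winbind cannot map the user, so editing /etc/group cannot help
#   bad-idmap   user resolves but uid/gid fall outside the configured idmap range
#   not-member  user resolves but is not listed in loginusers
#   ok          user resolves and is a loginusers member
check_login_user() {
    user=$1
    line=$(wbinfo_lookup "$user") || { echo unresolved; return 1; }
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    if ! in_range "$uid" "$IDMAP_LOW" "$IDMAP_HIGH" \
       || ! in_range "$gid" "$IDMAP_LOW" "$IDMAP_HIGH"; then
        echo bad-idmap; return 1
    fi
    group_has loginusers "$user" || { echo not-member; return 1; }
    echo ok
}

for u in wesselsdan otheruser thirduser enguser1; do
    printf '%-12s %s\n' "$u" "$(check_login_user "$u")"
done
```

The ordering of the checks is the point: a name that `wbinfo -i` cannot resolve will never be matched against a local group entry, so the `enguser1` failure in the post has to be fixed at the winbind/AD lookup stage before any group membership question even arises.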

