Quest of SUSE 10 with Server2k8 AD authentication
Danie Wessels
Danie.Wessels at pbmr.co.za
Mon Feb 17 01:58:39 MST 2014
Hi Steve
Sorry for the noise below. It seems that the join issue was a non-issue. Maybe, maybe not.
> - IF security = ads
> net ads join will join the computer to the domain and register its name in DNS.
> Hence the DNS server must be able to work out the name of the computer _before_ you issue the command. Hence:
>> If it is not then the DC does not know the fqdn of the VM.
> And to remove it altogether
> net ads leave -U"someadmin"%"passwd" {from the machine}
> Do I need to be a Domain Controller (as machine 1) to authenticate AD users on local machine 1 for login?
> (Here I suppose I have to manually assign the AD users to the local Linux login group.
> This will not be an issue because I think this is what had happened.)
>> It seems once again here that the AD/DNS setup is faulty (not stable).
> No, I don't think so. net is quite correctly throwing up the DNS error upon joining.. I can't keep repeating how to fix that;)
Are you misunderstanding my meaning here? Sorry. See below. I have no problem with the working of either system in general, only with our configuration / implementation at this place.
> - I have asked the AD admin to fix recurring static IPs for the old machine 1 and 2 with same names as their VMs
> (we only had old physical machine 2 on last Thursday for a while)
> Just remove the machines, make sure that AD knows their fqdn and then rejoin them.
> If they're static IPs, the name will be registered once upon the join and you can then forget about it forever.
> Unless you enable dynamic updates on a Linux box it will never send IP update requests. That's just great for a server or a DC.
On Thursday:
It seems we do get dynamic updates (of statics!!) into the DNS. I now suspect vSphere; I first suspected a faulty DNS/AD config, then a possible cron script somewhere.
Friday:
He claims that AD and DNS are working correctly and as they are supposed to. But when the VM for 2 (and 1) is running I now have a cron script to register their IPs every 5 minutes, or else the DNS gets a request / update to revert their IPs to those of the old physical machines!!!
- And of course if I am unaware of that I keep running around in circles for hours :o)
I still have to figure that one out!
Connecting the physical machine 2 with VM machine 1 ... logins worked again!! Now I am stumped. I don't know what is going on.
On machine 1 we have a loginusers group list (gid: 10436) which seems to have had added to it (manually, I suppose) the sublist of AD users who are allowed to log in to both
(or either) machine 1 or machine 2 with the same home folder each (an NFS share on machine 1 mounted as the home folder for machine 2).
From smb.conf:
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s/bin/false %m$
domain logons = No
domain master = No
passdb backend = smbpasswd
security = ADS
wins support = No
netbios name = {machine 1}
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = {domainname}
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
winbind offline logon = yes
winbind refresh tickets = yes
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
restrict anonymous = 2
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
client use spnego = yes
client ntlmv2 auth = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
wesselsdan@{machine 1}:~> sudo wbinfo -i wesselsdan
wesselsdan:*:10007:10000:Danie Wessels:/home/{Subdomain}/wesselsdan:/bin/bash
wesselsdan@{machine 1}:~> sudo wbinfo -i enguser1
root's password:
Could not get info for user enguser1
What I need to know:
====================
- *How to add (the proper/simple way) new users (like a user called enguser1) to this list (loginusers group on machine 1).* (This is a sublist of the AD users)
- For interest's sake: how does this authentication propagate to machine 2?
I am at a loss as to where I should add the guid (or rids .. haha) or whatever.
- I tried to just append enguser1 to the list in /etc/group. No luck.
- What information would you need to debug this setup?
Then the next step for me is to switch back to the VM for machine 2 and still have it working.
>> - This is causing a mount share for machine 2 on 1 to be unavailable for 2.
> You're almost certainly correct.
> > HTH
> > Steve
>> Every bit of the picture makes it clearer!
>> Thanks
> Good luck.
> Steve
It helped! - the good luck wish. Thanks
Danie W
The perusal, use, dissemination, copying or storing of this message or its attachments and the opening of attachments is subject to PBMR's standard email disclaimer available at internet address: http://www.pbmr.com/index.asp?Content=233 - Disclaimer or on request from the sender.
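As an added example (not from this thread or from Samba itself), the following shell script walks the stages an AD login on a winbind member server such as machine 1 goes through, so that a failure like the "Could not get info for user enguser1" above can be placed at the right stage before anything is appended to /etc/group: the box knows its own FQDN in the realm (the precondition Steve gives for net ads join), the machine trust is intact, winbind resolves the user, the mapped uid lands in the idmap range from the smb.conf above, NSS sees the user, and the user is a member of loginusers. The group name and the 10000-20000 range are taken from the post; the script name, the realm argument and the example host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: stage-by-stage check of whether
# an AD user can be resolved and authorised for login on a Samba/winbind
# member server such as "machine 1" in the post. The group name and idmap
# range are taken from the smb.conf quoted there; the realm argument and the
# script name are assumptions.

IDMAP_LOW=10000
IDMAP_HIGH=20000
LOGIN_GROUP=loginusers

# fqdn_in_realm HOST REALM: 0 if HOST is a fully qualified name inside REALM
# (case-insensitive), 1 otherwise. A bare short name always fails.
fqdn_in_realm() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    r=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $h in
        *.$r) return 0 ;;
        *)    return 1 ;;
    esac
}

# uid_in_idmap_range PASSWD_LINE: 0 if the uid (3rd field of a passwd(5)
# line, as printed by 'wbinfo -i' or 'getent passwd') lies inside the
# configured winbind idmap range, 1 otherwise.
uid_in_idmap_range() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ -n "$uid" ] && [ "$uid" -ge "$IDMAP_LOW" ] && [ "$uid" -le "$IDMAP_HIGH" ]
}

# user_in_group GROUP_LINE USER: 0 if USER appears in the comma separated
# member list (4th field) of a group(5) line, 1 otherwise.
user_in_group() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx -- "$2"
}

# check_host REALM: the precondition for 'net ads join' quoted in the thread;
# the box must already know its own FQDN in the realm and DNS must resolve it.
check_host() {
    fqdn=$(hostname -f 2>/dev/null)
    fqdn_in_realm "$fqdn" "$1" || { echo "hostname -f gives '$fqdn', not a name in $1"; return 1; }
    getent hosts "$fqdn" >/dev/null || { echo "DNS does not resolve $fqdn"; return 1; }
    echo "host ok: $fqdn"
}

# check_user USER: walk the stages a login goes through and stop at the first
# one that fails. Needs the winbind client tools on the box.
check_user() {
    user=$1
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    # 1. machine account trust with the DC
    wbinfo -t >/dev/null 2>&1 || { echo "trust secret check failed (wbinfo -t); rejoin the domain"; return 1; }
    # 2. winbind itself resolves the user (the step that failed for enguser1 above)
    info=$(wbinfo -i "$user" 2>/dev/null) || { echo "winbind cannot resolve '$user'; check the account exists in the realm before editing /etc/group"; return 1; }
    # 3. the mapped uid is inside the idmap range
    uid_in_idmap_range "$info" || { echo "uid outside $IDMAP_LOW-$IDMAP_HIGH: $info"; return 1; }
    # 4. NSS sees the same user (passwd/group lines with 'winbind' in /etc/nsswitch.conf)
    getent passwd "$user" >/dev/null || { echo "NSS cannot see '$user'; check /etc/nsswitch.conf"; return 1; }
    # 5. membership in the login group, whether it comes from /etc/group or from an AD group
    if id -nG "$user" | tr ' ' '\n' | grep -qx -- "$LOGIN_GROUP"; then
        echo "'$user' resolves and is in $LOGIN_GROUP"
        return 0
    fi
    echo "'$user' resolves but is not in $LOGIN_GROUP"
    return 1
}

# Usage (assumed names): sh check_ad_login.sh enguser1 ENG.EXAMPLE.COM
if [ $# -ge 2 ]; then
    check_host "$2"
    check_user "$1"
fi
```

Run it on the member server as root with the user name and the realm. A failure at stage 2 means the name is simply unknown to winbind, and no local /etc/group entry can fix that, because the user has no uid for the group entry to refer to; stage 5 is where an /etc/group line or an AD group shows up once the user resolves.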