flatspin
(Ralf Jeckel)
December 13, 2016, 8:35am
40
Yes, AD container.
realm list:
[root@ns7test ~]# realm list
ns7.lan
  type: kerberos
  realm-name: NS7.LAN
  domain-name: ns7.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common-tools
  login-formats: NS7\%U
  login-policy: allow-any-login
ns7.lan
  type: kerberos
  realm-name: NS7.LAN
  domain-name: ns7.lan
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@ns7.lan
  login-policy: allow-realm-logins
davidep
(Davide Principi)
December 13, 2016, 8:36am
41
Same line “includedir” in krb5.conf? Do you have the File server module too?
hucky
(kai)
December 13, 2016, 9:00am
42
not sure what you mean, sorry
davidep
(Davide Principi)
December 13, 2016, 9:02am
43
Run the following commands:
cp /etc/krb5.conf /etc/krb5.conf.orig
sed -i 's/includedir/#includedir/' /etc/krb5.conf
diff -u /etc/krb5.conf.orig /etc/krb5.conf
hucky
(kai)
December 13, 2016, 9:03am
44
— /etc/krb5.conf.orig 2016-12-13 10:02:44.247340581 +0100
+++ /etc/krb5.conf 2016-12-13 10:02:53.767187443 +0100
@@ -1,5 +1,5 @@
Configuration snippets may be placed in this directory as well
-includedir /etc/krb5.conf.d/
+#includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
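Review bot: on the `+#includedir /etc/krb5.conf.d/` line, commenting out the include drops every snippet in /etc/krb5.conf.d/ at once, so any settings supplied there stop applying and the test cannot show which snippet, if any, is at fault. Treat the change as temporary: keep /etc/krb5.conf.orig and restore the include once the check is done or the offending snippet has been identified.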
1 Like
davidep
(Davide Principi)
December 13, 2016, 9:04am
45
Ok now try again the “Domain accounts” page…
hucky
(kai)
December 13, 2016, 9:05am
46
NetBIOS domain name: COMPU-MAX
ads_connect: No logon servers
ads_connect: No logon servers
Didn’t find the ldap server!
ads_connect: No logon servers
Join to domain is not valid: No logon servers
ads_connect: No logon servers
ads_connect: No logon servers
flatspin
(Ralf Jeckel)
December 13, 2016, 9:18am
47
My krb5.conf looks identical to @hucky 's.
[root@ns7test samba]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
Just a hint for Kai: if you format the copied text with this (red arrow) you get it like mine above.
Much better to read
2 Likes
hucky
(kai)
December 13, 2016, 10:32am
48
After a reboot I got this:
NetBIOS domain name: COMPU-MAX
LDAP server: 192.168.100.1
LDAP server name: nsdc-sbs.compu-max.lan
Realm: COMPU-MAX.LAN
Bind Path: dc=COMPU-MAX,dc=LAN
LDAP port: 389
Server time: Di, 13 Dez 2016 11:30:42 CET
KDC server: 192.168.100.1
Server time offset: 0
Last machine account password change: Fr, 21 Okt 2016 13:25:00 CEST
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
Join to domain is not valid: Logon failure
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
but it seems to change after a few minutes into the status that the domain is not existent.
hucky
(kai)
December 13, 2016, 10:35am
49
sql is up and ldap service is also up.
in system overview i got
hucky
(kai)
December 13, 2016, 10:54am
50
for my understanding this:
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
Join to domain is not valid: Logon failure
is the main problem, but I don't get what to do… It is a known problem now and then, also on the Red Hat side, but I did not find anywhere a solution is written down.
davidep
(Davide Principi)
December 13, 2016, 11:04am
51
We didn’t find the origin of the problem, and I can’t reproduce it!
We could try to manually re-join the domain… First, leave it:
realm leave compu-max.lan
Some clean ups:
systemctl stop sssd
find /var/lib/sss/ -name '*.ldb' -delete
> /etc/sssd/sssd.conf
systemctl stop realmd
signal-event nethserver-dnsmasq-save
Join it again
realm join compu-max.lan
…at prompt, type the administrator password, then
signal-event nethserver-sssd-save
3 Likes
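The two outputs posted above fail in different ways: with "No logon servers" no domain controller was reached, while "Preauthentication failed" for SBS$ means a KDC answered and refused the machine account's stored password, which a leave and re-join resets. The script below is an added example, not part of the original thread; the function names and class labels are made up for illustration, and the sample lines are copied from the posts above.

```shell
#!/bin/sh
# Added example: classify the status output shown on the "Domain accounts" page.
# Class labels (machine-secret-rejected, ...) are invented for this example.

# Sample input: lines copied from post 46 above.
sample_no_dc() {
cat <<'EOF'
NetBIOS domain name: COMPU-MAX
ads_connect: No logon servers
Join to domain is not valid: No logon servers
ads_connect: No logon servers
EOF
}

# Sample input: lines copied from post 48 above.
sample_preauth() {
cat <<'EOF'
NetBIOS domain name: COMPU-MAX
LDAP server: 192.168.100.1
KDC server: 192.168.100.1
Server time offset: 0
kerberos_kinit_password SBS$@COMPU-MAX.LAN failed: Preauthentication failed
Join to domain is not valid: Logon failure
EOF
}

# Reads status output on stdin and prints "<class> <detail>".
# A credential error is reported first because it proves a KDC was reached.
classify_join_status() {
    awk '
        $1 == "kerberos_kinit_password" && /Preauthentication failed$/ {
            preauth = 1; principal = $2
        }
        /^ads_connect: No logon servers/ { no_dc = 1 }
        /^Join to domain is not valid/   { invalid = 1 }
        END {
            if (preauth)      print "machine-secret-rejected", principal
            else if (no_dc)   print "no-dc-reachable", "-"
            else if (invalid) print "join-invalid", "-"
            else              print "join-ok", "-"
        }'
}

sample_preauth | classify_join_status
```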
hucky
(kai)
December 13, 2016, 11:33am
52
thanks a lot, this has worked !!!
davidep
(Davide Principi)
Split this topic
December 13, 2016, 11:43am
53
pierrotto
(Peter)
December 14, 2016, 11:02pm
54
After the successful migration of our F-Secure server to a NethServer machine I decided to install all updates from “Software center”. There were many of them, but all went smoothly. The next things I noticed after reboot were an empty user list (creating a new user was working fine), and broken login to SOGo and chat. In “Domain accounts” there were errors just like @hucky reported.
@davidep's solution resolved my problem. Thanks
3 Likes
davidep
(Davide Principi)
Split this topic
December 17, 2016, 11:34am
55
4 posts were merged into an existing topic: Again Problems after Updates
gerald_FS
(Gerald)
December 20, 2016, 4:45pm
56
davidep:
realm join
Hi Guys!
It’s enough to make you tear your hair out - it goes on!
Today I have the problem that my users have disappeared and the message AccountProvider_Error_1 appears. OK, no problem, the guidance is in the forum.
Everything works so far, except for one thing: I have changed the admin password and not recorded it.
Therefore, I cannot complete the command realm join domainname.
Where is this confused password stored in the system?
HELP
Thanks greetings
Gerald
davidep
(Davide Principi)
December 20, 2016, 4:51pm
57
If you’re running a local Samba DC account provider, to enable and reset administrator’s password:
systemd-run -t -M nsdc /bin/bash
samba-tool user enable administrator
samba-tool user setpassword administrator --newpassword=Nethesis,1234
And also
gerald_FS:
realm join
It supports the -U flag, to specify an alternative user with domain join rights. For instance
realm join -U admin
1 Like
davidep
(Davide Principi)
December 21, 2016, 11:20am
58
This issue seems related to this bug
NethServer Version: NS 7rc3
Module: Account provider: Samba Active Directory
cc: @davidep , @giacomo
Initial state: NS 7rc2, PDC-AD/File server (Installed packages: Account provider: Samba Active Directory, File server, MariaDB (MySQL) server, Simple bandwidth monitor, Statistics). Dedicated hardware.
Update from NS 7rc2 to NS7rc3 through Software center.
After update run the following command: signal-event nethserver-sssd-save
Reboot
( http://docs.nethserver.org/en/v7rc/release_notes.htm…
alefattorini
(Alessio Fattorini)
December 22, 2016, 4:55pm
59
@gerald_FS did you resolve it with the last nethserver-sssd package as @davidep suggested?