Active Directory works only with Administrator

NethServer Version: NethServer release 7.2.1511 (rc1)

Dear All,

I was able to join my NethServer to my domain environment, but no matter what I have tried, I can only successfully join when I am logged in as Administrator (Users - Active Directory - Join). Do I need to set a special user permission when I join my domain environment?

thank you

I might be wrong, but is it something specific to NethServer?
If you look at a ("native") Windows domain, in order to join this domain, don't you need to do it "as an administrator" too?
This requires creating entries in AD for the device (server or workstation) joining the domain, and potentially a user account will have to be created too (OK, this is another process, but this is to highlight that joining the domain is made of 2 different parts, one for the server/workstation, another one for the user).

When you look at Kerberos, both need to get tickets.


Hi,

No, clients are not joining the domain as Administrators but as users. NethServer is configured to work as a client to my domain (like a user), not as a server. My main purpose is to use NethServer as a simple file share PC and then authenticate users via Active Directory from my domain. That's why I didn't install the DC integration "nethserver-dc" on my NethServer, because I don't want it to act as a Domain Controller. I am fine with the Administrator account, but what would happen if after a month I change the Administrator account password in my domain users? Will the NethServer continue working?

Thank you

Joining a Windows domain requires 2 different steps:

  • the very first time your workstation or server joins the domain
  • once you have successfully joined the target domain, you can authenticate against this domain and connect to it.

As explained by Microsoft, the first step does require using the local Admin account

[quote]To join a computer to a domain, you must be logged on to the computer with the local Administrator account or, if you are logged on to the computer with a user account that does not have local computer administrative credentials, you must provide the credentials for the local Administrator account during the process of joining the computer to the domain. In addition, you must have a user account in the domain to which you want to join the computer. During the process of joining the computer to the domain, you will be prompted for your domain account credentials (user name and password).[/quote]

Based on this, what do you mean when you say that it requires admin account?

  • admin account to join first time
    or
  • your domain account to open a session on this server must also be a "domain account"?

Yes correct but,

  • In the case of a Windows client you can join the domain as a Domain User
  • If I click on Users and Groups, then Active Directory, and click Bind

Then I get an error with the kalistosrv user, as well as these messages:

Oct 31 10:35:16 kalisto dnsmasq-tftp[18676]: TFTP root is /var/lib/tftpboot
Oct 31 10:35:16 kalisto dnsmasq[18676]: using nameserver 10.1.1.1#53 for domain domain.com
Oct 31 10:35:16 kalisto dnsmasq[18676]: using nameserver 10.1.1.1#53
Oct 31 10:35:16 kalisto dnsmasq[18676]: read /etc/hosts - 3 addresses
Oct 31 10:35:16 kalisto esmith::event[18655]: [INFO] dnsmasq restart
Oct 31 10:35:16 kalisto esmith::event[18655]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.262096]
Oct 31 10:35:16 kalisto esmith::event[18655]: Event: nethserver-dnsmasq-save SUCCESS
Oct 31 10:35:49 kalisto dbus[618]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Oct 31 10:35:49 kalisto dbus-daemon: dbus[618] [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Oct 31 10:35:49 kalisto dbus[618]: [system] Successfully activated service 'org.freedesktop.realmd'
Oct 31 10:35:49 kalisto dbus-daemon: dbus[618] [system] Successfully activated service 'org.freedesktop.realmd'
Oct 31 10:35:49 kalisto realmd: * Resolving: _ldap._tcp.domain.com
Oct 31 10:35:49 kalisto realmd: * Performing LDAP DSE lookup on: 10.1.1.1
Oct 31 10:35:49 kalisto realmd: * Successfully discovered: domain.com
Oct 31 10:35:50 kalisto httpd: [ERROR] [ERROR] exit code from realm join operation is 1

That's my issue. So maybe NethServer cannot work at all with users whose only membership is "Domain Users". Generally, is it possible to join a domain with a single user or not? The reason for this is only to prevent my NethServer from being disconnected from my domain in the future in case the Administrator password changes.

Thank you

Now it is not working with Administrator either.

Oct 31 13:51:13 kalisto esmith::event[1768]: [INFO] dnsmasq restart
Oct 31 13:51:13 kalisto esmith::event[1768]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.244973]
Oct 31 13:51:13 kalisto esmith::event[1768]: Event: nethserver-dnsmasq-save SUCCESS
Oct 31 13:51:17 kalisto dbus[616]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Oct 31 13:51:17 kalisto dbus-daemon: dbus[616] [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Oct 31 13:51:17 kalisto dbus[616]: [system] Successfully activated service 'org.freedesktop.realmd'
Oct 31 13:51:17 kalisto dbus-daemon: dbus[616] [system] Successfully activated service 'org.freedesktop.realmd'
Oct 31 13:51:17 kalisto dbus[616]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Oct 31 13:51:17 kalisto dbus-daemon: dbus[616] [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Oct 31 13:51:17 kalisto systemd: Starting Authorization Manager...
Oct 31 13:51:17 kalisto polkitd[1803]: Started polkitd version 0.112
Oct 31 13:51:17 kalisto dbus[616]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Oct 31 13:51:17 kalisto dbus-daemon: dbus[616] [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Oct 31 13:51:17 kalisto systemd: Started Authorization Manager.
Oct 31 13:51:17 kalisto realmd: * Resolving: _ldap._tcp.domain.com
Oct 31 13:51:17 kalisto realmd: * Performing LDAP DSE lookup on: 10.1.1.1
Oct 31 13:51:17 kalisto httpd: [ERROR] [ERROR] exit code from realm join operation is 1
Oct 31 13:51:17 kalisto realmd: * Successfully discovered: domain.com

Any idea please?

Thank you

Ok,

I was able to figure out the issue. By default only Administrator can validate the domain join. But you can trigger the join from the command line as per http://docs.nethserver.org/projects/nethserver-devel/en/v7b/nethserver-dc.html#manual-join

I was trying that with a domain user other than Administrator and it worked. But since this is manual, I need to bind the domain with NethServer, which I don't know how to do from the command line. E.g.:

realm join -v -U kalistosrv domain.com
Password for kalistosrv:

Everything went smooth and now I can type
getent passwd administrator@domain.com and see the results.

But how will I continue with the rest of the binding? The GUI is still stuck at choosing Active Directory.
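An added example, not from this thread or the NethServer docs: a small POSIX shell helper that summarises a /var/log/messages excerpt like the ones posted above (the realmd discovery lines plus the httpd "exit code from realm join operation" line), so a failed GUI join is caught before moving on to the bind step. The function name, the embedded sample log and the message formats it matches are assumptions taken from the lines shown in this thread.

```shell
#!/bin/sh
# Added example (not NethServer code): triage a realm join from the journal
# lines this thread shows. realmd logs "Successfully discovered: <domain>" and
# "LDAP DSE lookup on: <ip>"; httpd logs "exit code from realm join operation
# is <n>" when the GUI join fails. Formats assumed from the thread. A log with
# no non-zero exit code is reported as "no failure recorded", which is not
# proof of a successful join (confirm with `realm list` and `getent passwd`).
# Exit status: 0 = no failure recorded, 1 = join failed (non-zero exit code).

realm_join_status() {
    log="$1"
    domain=$(grep -o 'Successfully discovered: [^ ]*' "$log" | tail -n 1 | awk '{print $3}')
    dse=$(grep -o 'LDAP DSE lookup on: [^ ]*' "$log" | tail -n 1 | awk '{print $5}')
    code=$(grep -o 'exit code from realm join operation is [0-9]*' "$log" | tail -n 1 | awk '{print $NF}')
    # Lines stamped in the same second can appear out of order (see the second
    # log in the thread), so the whole file is scanned, not read sequentially.
    printf 'discovered=%s dse=%s join_exit=%s\n' "${domain:-none}" "${dse:-none}" "${code:-none}"
    if [ -n "$code" ] && [ "$code" -ne 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample, modelled on the failed GUI join posted in this thread.
SAMPLE_LOG='Oct 31 10:35:49 kalisto realmd: * Resolving: _ldap._tcp.domain.com
Oct 31 10:35:49 kalisto realmd: * Performing LDAP DSE lookup on: 10.1.1.1
Oct 31 10:35:50 kalisto httpd: [ERROR] [ERROR] exit code from realm join operation is 1
Oct 31 10:35:49 kalisto realmd: * Successfully discovered: domain.com'

# Stand-alone use: `sh realm-join-status.sh --demo`, or pass a real log path.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    realm_join_status "$tmp"; echo "status=$?"; rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    realm_join_status "$1"
fi
```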

Never mind, I figured out the solution. OK, to conclude and close this case:

I thought there might be an issue if I am currently logged on as Administrator but later on change the Administrator password of my domain, so that the NethServer might not work. But the case here is that NethServer, like any Windows client, needs on its first "virgin" join of the domain an Administrator account, or else a user account, just to join the domain and fetch the LDAP schema. After a successful join the NethServer can continue to operate EVEN without the correct credentials of the Domain Administrator account. So everything is OK.

Thank you

Which is basically what the Microsoft link explains :wink:
Cool if it works now as expected.

What do you mean by "fetching LDAP schema"?