AD with ubuntu client - does not work

Recently I can no longer log in with my domain accounts.

With the last updates the “sssd” was updated; shortly afterwards no login was possible anymore.

The setup was done with two different HowTos, but neither brings the desired success.
https://community.nethserver.org/t/howto-for-neth-7-as-ad-pdc-and-file-server-with-ubuntu-and-windows-clients/8685
https://community.nethserver.org/t/ubuntu-mate-20-10-join-active-directory-domain-during-install/16784

Why can’t you get a reasonable way to make it work over the long term?

A new version of Ubuntu and, zack, nothing works anymore; a lot of manual work and then it works again - that’s not nice.
Unfortunately not this time.

NethServer current version, all updates installed
Client:
xubuntu 18.04.5
xubuntu 21.10 (beta)

Both clients behave the same.

I have successfully joined the domain but it is not possible to register the users.

Regards
Gerald

root@NAND-APC1:/etc/security# systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-10-01 18:50:55 CEST; 56min ago
   Main PID: 34040 (sssd)
      Tasks: 4 (limit: 9128)
     Memory: 42.5M
     CGroup: /system.slice/sssd.service
             ├─34040 /usr/sbin/sssd -i --logger=files
             ├─34041 /usr/libexec/sssd/sssd_be --domain nandlnet.de --uid 0 --gid 0 --logger=files
             ├─34042 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─34043 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Okt 01 18:50:55 NAND-APC1 sssd_pam[34043]: Starting up
Okt 01 18:50:55 NAND-APC1 systemd[1]: Started System Security Services Daemon.
Okt 01 18:51:05 NAND-APC1 sssd[34063]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Okt 01 18:51:05 NAND-APC1 sssd[34063]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Okt 01 18:51:05 NAND-APC1 sssd[34067]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Okt 01 18:51:05 NAND-APC1 sssd[34067]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Okt 01 18:51:05 NAND-APC1 sssd[34071]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Okt 01 19:03:25 NAND-APC1 adcli[35397]: GSSAPI client step 1
Okt 01 19:03:25 NAND-APC1 adcli[35397]: GSSAPI client step 1
Okt 01 19:03:25 NAND-APC1 adcli[35397]: GSSAPI client step 1

AFAIK xubuntu 21.10 is just freshly cooked by Canonical and the developers. It will be out of support in June 2022. Is it mandatory for you to use this release, or do you think that xubuntu 20.04.3 (the August point release) could lead you to the same result on that installation?

Good Morning,

Yes, I have tested it with the following versions:

a = xubuntu 18.04.5
b = xubuntu 20.04.3
c = xubuntu 21.10 (beta)

it worked for a long time with the first two.
After I set up my NS last week, I also wanted to redesign my small living room computer.
I join the domain, but there is no user authentication and the sssd service on the client throws the above error message (see entry).

Gerald

I tried with Xubuntu 21.4 and I have similar issues, domain join works, login at display manager or ssh does not work.

For example with Opensuse Leap clients the AD membership including login work without issues.

There seems to be a change in ubuntu 20:

I followed the steps from the samba wiki.

Here is what worked and what didn’t work in my tests:

Show domain users with wbinfo:

root@ubuntu:~# wbinfo -u
MRMARKUZ\markus
MRMARKUZ\ldapservice
...

Show domain user from passwd shows nothing…

root@ubuntu:~# getent passwd "MRMARKUZ\markus"
root@ubuntu:~#

List realms:

root@ubuntu:~# realm list
ad.mrmarkuz.domain.org
  type: kerberos
  realm-name: AD.MRMARKUZ.DOMAIN.ORG
  domain-name: ad.mrmarkuz.domain.org
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: libnss-winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: MRMARKUZ\%U
  login-policy: allow-any-login

Here’s the journalctl log when I try to login via ssh

Oct 02 14:56:17 ubuntu sshd[9060]: Invalid user MRMARKUZ\\admin from 192.168.1.100 port 60035
Oct 02 14:56:37 ubuntu sshd[9060]: pam_unix(sshd:auth): check pass; user unknown
Oct 02 14:56:37 ubuntu sshd[9060]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.100
Oct 02 14:56:37 ubuntu sshd[9060]: pam_winbind(sshd:auth): getting password (0x00000388)
Oct 02 14:56:37 ubuntu sshd[9060]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 02 14:56:37 ubuntu sshd[9060]: pam_sss(sshd:auth): Request to sssd failed. Connection refused

Here the login from lightdm:

Oct 02 15:02:33 ubuntu lightdm[1067]: pam_unix(lightdm:auth): check pass; user unknown
Oct 02 15:02:33 ubuntu lightdm[1067]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Oct 02 15:02:33 ubuntu lightdm[1067]: pam_winbind(lightdm:auth): getting password (0x00000388)
Oct 02 15:02:33 ubuntu lightdm[1067]: pam_winbind(lightdm:auth): pam_get_item returned a password

I’ll report, if I find a solution…


First of all, thank you for your help!

But why does it not work as it did with the older Xubuntu versions? As soon as a version that is too new is installed, there are problems.

Am I the only one?

Gerald

Maybe because an update changes the way samba works or the config system of Ubuntu for example changes the /etc/samba/smb.conf when packages are configured.

EDIT:

Using winbind instead of sss works here!

Here are my config files/steps:

Install packages:

apt install krb5-config libpam-winbind samba realmd adcli krb5-user libpam-krb5 libnss-winbind

Edit /etc/resolv.conf to use correct nameserver and search domain.

/etc/samba/smb.conf:

   workgroup = MRMARKUZ
   security = ADS
   realm = AD.MRMARKUZ.DOMAIN.ORG

   idmap config MRMARKUZ:backend = rid
   idmap config MRMARKUZ:range = 70000-1000000

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind enum users = yes
   winbind enum groups = yes

   template shell = /bin/bash
   template homedir = /home/%U

Set FQDN and IP in /etc/hosts:

127.0.0.1       localhost
192.168.1.154   ubuntu.ad.mrmarkuz.domain.org ubuntu

Edit 2 lines in /etc/nsswitch.conf:

passwd:         files winbind systemd
group:          files winbind systemd

/etc/krb5.conf:

[libdefaults]
	default_realm = AD.MRMARKUZ.DOMAIN.ORG
	dns_lookup_realm = false
	dns_lookup_kdc = true
[realms]
	AD.MRMARKUZ.DOMAIN.ORG = {
		kdc = nsdc-server2.ad.mrmarkuz.domain.org
		admin_server = nsdc-server2.ad.mrmarkuz.domain.org
		default_domain = AD.MRMARKUZ.DOMAIN.ORG
	}
[domain_realm]
	.ad.mrmarkuz.domain.org = AD.MRMARKUZ.DOMAIN.ORG
	ad.mrmarkuz.domain.org = AD.MRMARKUZ.DOMAIN.ORG

Join domain as user admin:

net ads join -U admin

Restart services:

systemctl restart smbd nmbd winbind

Test:

getent passwd

You should see your domain users, and SSH and lightdm logins of domain users should work.

Source:

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
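A small pre-login sanity check for the winbind setup described above, added here as an example and not part of the post or of any NethServer/Ubuntu tool. It inspects the four files the steps edit (nsswitch.conf, smb.conf, krb5.conf and hosts) and reports what is missing; the file paths are parameters so it can be run against copies, and the values in the comments are taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a winbind AD client against
# the four files edited in the post above before attempting a domain login.
# Every check takes file paths as arguments so it can also be run on copies.

# nsswitch.conf: both the passwd and the group line must list winbind.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# smb.conf: workgroup, security = ADS, realm, and an idmap range for the workgroup.
check_smb() {
    wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' "$1" | head -n1)
    [ -n "$wg" ] || return 1
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*realm[[:space:]]*=' "$1" || return 1
    grep -Eq "^[[:space:]]*idmap config $wg:range[[:space:]]*=" "$1"
}

# krb5.conf default_realm must equal the smb.conf realm (compared upper-case).
check_realm_match() {
    smb_realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n1 | tr 'a-z' 'A-Z')
    krb_realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$2" | head -n1 | tr 'a-z' 'A-Z')
    [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ]
}

# hosts file: the client FQDN must map to a non-loopback address, as in the post.
check_hosts() {
    awk -v h="$2" '$1 !~ /^127\./ && $1 != "::1" { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
                   END { exit ok ? 0 : 1 }' "$1"
}

# Run all checks below an optional root directory (default: the live system).
report() {
    root=${1:-}; fqdn=$(hostname -f 2>/dev/null)
    check_nsswitch "$root/etc/nsswitch.conf" 2>/dev/null && echo "nsswitch: ok" || echo "nsswitch: FAIL"
    check_smb "$root/etc/samba/smb.conf" 2>/dev/null && echo "smb.conf: ok" || echo "smb.conf: FAIL"
    check_realm_match "$root/etc/samba/smb.conf" "$root/etc/krb5.conf" 2>/dev/null && echo "realm: ok" || echo "realm: FAIL"
    check_hosts "$root/etc/hosts" "$fqdn" 2>/dev/null && echo "hosts: ok" || echo "hosts: FAIL"
}
report "$@"
```

A FAIL on nsswitch matches the symptom in the earlier post where wbinfo -u lists users but getent passwd returns nothing.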

Had the same issue with AlmaLinux Workstation: the NethServer Samba AD domain join works but not the login to it…

Did a test with a Windows Server 2019 domain join and that worked with AlmaLinux…

BTW it is very easy to do a domain join with AlmaLinux: How to easily join an AlmaLinux server to an Active Directory Domain with Cockpit

This is the output from AlmaLinux /var/log/sssd/sssd_ad.mydomain.lan.log:

(2021-10-03  7:20:08): [be[ad.mydomain.lan]] [write_krb5info_file_from_fo_server] (0x0020): There is no server that can be written into kdc info file.
(2021-10-03  7:20:08): [be[ad.mydomain.lan]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(2021-10-03  7:20:09): [be[ad.mydomain.lan]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Das Argument ist ungültig]
(2021-10-03  7:20:09): [be[ad.mydomain.lan]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Das Argument ist ungültig}
(2021-10-03  7:20:09): [be[ad.mydomain.lan]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(2021-10-03  7:20:09): [be[ad.mydomain.lan]] [child_sig_handler] (0x0020): child [2955] failed with status [1].

@gerald_FS could you solve the AD login issue in the meanwhile? There’s a working script to ease the domain join and login works too.