How to join a Linux-Desktop to NS7 Active Directory with realmd?

activedirectory
v7

(fpausp) #1

I used this HowTo to join a Fedora Client to Nethserver 7 AD:

The Problem is only the AD-user Administrator is able to login… Any suggestions to solve this ?


Looking for HOWTO for Neth 7 as AD PDC and file server with Ubuntu and Windows clients
(Davide Principi) #2

The -U flag is required:

realm join -U admin ...

Provided you set a password for the admin’s account


(fpausp) #3

Hi, I used this to join the domain on a fresh installed Fedora 27 Client:

[support@fed001 ~]$ realm discover example.com
example.com
type: kerberos
realm-name: EXAMPLE.com
domain-name: example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools

[support@fed001 ~]$ sudo realm join -U admin example.com

[sudo] password for support:
Password for admin:

  • Installing necessary packages: oddjob oddjob-mkhomedir

Only the user Administrator@example.com is able to logon, I guess the problem is the creation of the homedirectory… The user admin@example.com fails …

support is a local Fedora 27 user…


(Markus Neuberger) #4

Hi @fausp,

I tried it and the join works but I can’t see an AD user with ‘id’ or a login screen like yours…will give it another try!


(fpausp) #5

Hi Markus, I use Fedora-Workstation-Live-x86_64-27-1.6.iso on the client side…

Please check the AD join with:

realm list


(Markus Neuberger) #6

The join works, “realm list” gives me the joined realm but “id” not working. I’ll try to resetup…


(fpausp) #7

[support@fed001 ~]$ realm list
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@example.com
login-policy: allow-realm-logins

[support@fed001 ~]$ id Administrator@example.com
uid=443200500(administrator@example.com) gid=443200513(domain users@example.com) groups=443200513(domain users@example.com),443200520(group policy creator owners@example.com),443200519(enterprise admins@example.com),443200512(domain admins@example.com),443200518(schema admins@example.com),443200572(denied rodc password replication group@example.com)


(Markus Neuberger) #8

:cry:

[markus@fedora ~]$ realm list
ad.cmb.local
  type: kerberos
  realm-name: AD.CMB.LOCAL
  domain-name: ad.cmb.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@ad.cmb.local
  login-policy: allow-realm-logins
[markus@fedora ~]$ id Administrator@ad.cmb.local
id: „Administrator@ad.cmb.local“: Einen solchen Benutzer gibt es nicht
[markus@fedora ~]$

The error is “user does not exist”.


(Davide Principi) #9

Maybe each realm account must be enabled separately. See the realm manpage.


(Markus Neuberger) #10

I tried to permit the accounts but it doesn’t work. @fausp has it working, at least as admin.

I try reinstalling Fedora now, maybe there were problems with existing users with same name or I already changed some config files…I should remember to snapshot :slight_smile:
I couldn’t even join with “realm join AD.DOMAIN.LOCAL”, I had to use the samba containers IP (realm join IP).


(fpausp) #11

The join works with Administrator@example.com and admin@example.com but only user Administrator@example.com is able to logon Fedora 27 Client…

Sounds like a DNS Problem, do you use dhcp ?

[root@fed001 sssd]# getent passwd Administrator@EXAMPLE.COM
administrator@example.com:*:443200500:443200513:Administrator:/home/administrator@example.com:/bin/bash

[root@fed001 sssd]# getent passwd admin@EXAMPLE.COM
admin@example.com:*:443201104:443200513:admin:/var/lib/nethserver/home/admin:/usr/libexec/openssh/sftp-server

[root@fed001 sssd]# id Administrator@EXAMPLE.COM
uid=443200500(administrator@example.com) gid=443200513(domain users@example.com) groups=443200513(domain users@example.com),443200520(group policy creator owners@example.com),443200519(enterprise admins@example.com),443200512(domain admins@example.com),443200518(schema admins@example.com),443200572(denied rodc password replication group@example.com)

[root@fed001 sssd]# id admin@EXAMPLE.COM
uid=443201104(admin@example.com) gid=443200513(domain users@example.com) groups=443200513(domain users@example.com),443200572(denied rodc password replication group@example.com),443200512(domain admins@example.com),443201106(g_firma@example.com)


(Markus Neuberger) #12

Yes, I did use DHCP but it was strange, “nslookup ad.domain.local” worked, ping the resolved domain IP didn’t work. Reinstalling now, I’ll try with static IP.


(fpausp) #13

god bless virtualization :grin:


(Alessio Fattorini) #14

I guess that @iglqut can help here, he made some tests with Suse


(Dr Thomas Quinton) #15

Working great and simple, we are now using even Server based User directories on the users share at NS (find that features at the Windows Domain Join (YAST) screen withe the extras) -

Servername: your Server IP (not the name!)

distant path; %(DOMAIN_USER) => als Variable

Einhängepunkt: ~/ => Linux User Home

Optionen: user=%(DOMAIN_USER)

UserName: leave empty

have fun :fireworks:


(fpausp) #16

OK Thomas, I would like to try the suse Client, do you have a download link for me ?


(Dr Thomas Quinton) #17

https://software.opensuse.org/distributions/leap
I use the big one not the Net one. Enjoy!


(fpausp) #18

Hi Thomas, thank you for the hint. I am a bit busy atm, I will try it in a few days…

regards
Franz


(fpausp) #19

AGN, thank you for your help, Thomas. I just like to give you all a feedback what I have tested…

I tried both, openSUSE Leap and openSUSE Tumbleweed Client and joined them to the NethServer AD.

All Screenshots are from openSUSE Tumbleweed Client:

Open YAST and afterwards “Windows Domain Membership”:

Add Mount Server Directories:

Membership:

Reboot your Machine now !

Use EXAMPLE\admin as Username to logon to AD, HomeDir should be created:


(Dr Thomas Quinton) #20

Cool done- thank´s for posting! Any problems yet?