Joining Nethserver as a Domain member AccountProvider_Error_104

NethServer Version: 7.3.1611 (rc3)
Module: AD

Hi
I have been struggling to join my NethServer to a Windows domain.

I have a Windows 2012 Server which runs AD today.
Is there a guide for connecting the NethServer to Windows AD?

If I understand it correctly, I will be able to use my Windows domain accounts to give different kinds of rights to Samba shares, cloud and so on.

I tried to connect in this account provider setting, but I only get
AccountProvider_Error_104

I might be missing something here.


I’m missing something too :joy:

Could you have a look at /var/log/messages? Does it say something more?

With MS-AD, you need a dedicated user account:

http://docs.nethserver.org/en/v7rc/accounts.html#join-an-existing-active-directory-domain


We are all missing things :wink:

This is the log:

Dec 22 11:35:28 ddd-app-01-2 esmith::event[18200]: Action: /etc/e-smith/events/nethserver-sssd-update/S00initialize-default-databases SUCCESS [0.507875]
Dec 22 11:35:28 ddd-app-01-2 esmith::event[18200]: expanding /etc/openldap/ldap.conf
Dec 22 11:35:28 ddd-app-01-2 esmith::event[18200]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.369403]
Dec 22 11:35:28 ddd-app-01-2 esmith::event[18200]: Event: nethserver-sssd-update SUCCESS
Dec 22 11:35:28 ddd-app-01-2 esmith::event[17986]: Action: /etc/e-smith/events/nethserver-sssd-save/S80nethserver-sssd-notifyclients SUCCESS [21.26717]
Dec 22 11:35:29 ddd-app-01-2 systemd: Reloading.
Dec 22 11:35:29 ddd-app-01-2 esmith::event[17986]: [INFO] sssd is disabled: skipped
Dec 22 11:35:29 ddd-app-01-2 esmith::event[17986]: [INFO]
Dec 22 11:35:29 ddd-app-01-2 esmith::event[17986]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.375162]
Dec 22 11:35:29 ddd-app-01-2 esmith::event[17986]: Event: nethserver-sssd-save FAILED
Dec 22 11:35:33 ddd-app-01-2 httpd: [ERROR] NethServer\Tool\GroupProvider: AccountProvider_Error_104
Dec 22 11:35:33 ddd-app-01-2 httpd: [ERROR] Connection reset by peer

I have a dedicated user as well.
But does that need any special access?

As the manual page says:

Create a dedicated user account in AD, and set a complex non-expiring password for it.

MS AD does not allow LDAP simple binds with computer accounts. That’s the reason why we need such account.

Does your AD allow ldaps:// ? It must have an SSL certificate for it…

For a MS-AD instance I followed this:

https://support.microsoft.com/en-us/kb/321051

As an alternative you can set ldap:// in the LDAP URI field under “Accounts provider > Advanced settings”, but users’ passwords are exposed in clear text: do not do it in production!

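A pre-flight check for the ldaps:// requirement described above, added here as an example and not part of this thread or of NethServer: it opens a TLS connection to the domain controller's LDAPS port, validates the chain against the system CA store, and lists the reasons the certificate would not satisfy the LDAP URI (wrong hostname, expired). The DC hostname, port and the sample certificate dict are assumptions.

```python
"""Pre-flight check before pointing NethServer's LDAP URI at ldaps://<dc>:636."""
import socket
import ssl
import time


def hostname_matches(cert, hostname):
    """True if hostname is covered by the cert's SAN dNSName entries (or, when
    there is no SAN, by its CN). A wildcard only matches the leftmost label."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def cert_problems(cert, hostname, now=None):
    """Reasons why this DC certificate would break an ldaps:// simple bind
    (empty list = usable). `cert` has the layout of ssl.getpeercert()."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("certificate does not cover %s" % hostname)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired on %s" % cert["notAfter"])
    return problems


def check_ldaps(hostname, port=636, timeout=5):
    """Connect to the DC, verify the chain against the system CA store and
    return the list of problems found (chain, hostname, expiry, reachability)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return cert_problems(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as e:
        return ["chain not trusted: %s" % e.verify_message]
    except (OSError, ssl.SSLError) as e:
        return ["no usable LDAPS service on %s:%d (%s)" % (hostname, port, e)]


if __name__ == "__main__":
    print(check_ldaps("dc01.example.local"))  # assumed DC hostname
```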

Yes, of course.
That I understood :wink:
But it doesn’t need any domain rights, like admin?

That might be the case. :smiley:
I will look into it…
Thanks :smiley:


I did follow a similar guide, since this one was for Server 2003.
But it was basically the same:
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
(only when testing the LDAP connection I used port 389 instead of the 636 stated in the guide)

But now it is working. So thanks :smiley:
