Login of Neth-AD Users on linux clients fails / Userhome creation upon initial login to the domain

NethServer 7.9.2009
Active Directory Domain

Hello Nethserver community,

Is it possible to configure local userhome creation for Linux boxes on initial login to Neth-AD? Or is there a howto which helps configuring Linux distributions to successfully log in to an AD domain provided by NethServer? We do not need a userhome on the server, but can live with it if that's the way it should be done.

I tried with different distributions (Debian 11, openSUSE Leap 15.4, Gentoo) but was not yet successful. Joining the domain works fine, getting a ticket by kinit too.

According to the logs the authentication is successful, so I am not even sure if it has something to do with the NethServer, but rather could be a problem of the mentioned Linux boxes? Like not being logged in as the local userhome is not created successfully?

And from reading there are different approaches to let linux clients authenticate, like sssd (configured by realmd) or winbind.

Things I have tried so far:
Source (German): Linux Active Directory/LDAP SSH Login mit sssd und realmd » schroeffu.blog
Installed a new server without any additional packages. Then added the following packages:
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli chrony

  • creating a domain: domain.tld instead of ad.domain.tld
  • joining domain by realmd
  • joining domain of susebox by yast
  • authenticating by winbind

After some days of trial and error, I thought I should report here and ask for help.

Steps I have done on debian, which successfully lets me join the domain:

Configuring /etc/network/interfaces, /etc/resolv.conf and /etc/hosts so it shows the correct name, and the default gateway and DNS server correspond to the green interface of the NethServer.

Created /etc/realmd.conf with the following:

[users]
default-home = /home/%d/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = {{ Debian }} Server
os-version = {{ 11 - Bullseye }}
[service]
automatic-install = no
[domain.tld]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
# computer-ou={{ ou_to_join_servers }}

Added a line at the end of the file in /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

And then joined domain with:
realm --verbose join MYDOM.XY -U Administrator

When trying to log in I get the following in /var/log/auth.log:
Mar 9 14:12:34 Hostname login[555]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
Mar 9 14:12:34 Hostname login[555]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
Mar 9 14:12:34 Hostname login[555]: pam_sss(login:account): Access denied for user username: 6 (Permission denied)
Mar 9 14:12:34 Hostname login[555]: Permission denied

and in /var/log/messages I see:
Mar 9 14:20:15 hostname kernel: [ 1166.727809] audit: type=1400 audit(1678368015.214:2751): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/passwd" pid=850 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I'll attach the procedure I went through with openSUSE Leap after having reproduced it and its respective errors, but the symptoms are all the same:

  • join domain ok
  • login nok
  • kinit user / klist user - ok.

I also tried different ways of putting the username: user@domain.tld, user@DOMAIN.TLD, NETBIOSDOMAINNAME\user. And is there a preferred way to authenticate, winbind vs. sssd, or doesn't that matter and both should work?

What am I missing?

Is there a tutorial which lists what files have to be modified and how, in order to log in a Linux box authenticated by a NethServer AD domain? nsswitch.conf, common-session, krb5.conf, sssd.conf?

Any tests, I could do or logs I should provide in order for you to be able to help me on this?

Last but not least - I wrote Alessio as I would like to get my account with username Elleni back by changing it to correspond to another email address, as I do not have access anymore to the registered email address, so if any other mod could help me on this I would be glad to hear from you.

Hi @Leni

Try this, it should help:

My 2 cents
Andy

Hi Andy,

I would rather not install a script but want to know what to configure, so we can deploy this later with e.g. Ansible at scale. Furthermore I have no GUI, as I installed minimal Debian and openSUSE servers without any packages but the most basic ones.

SUSE autoconfig via YaST → Network Services → Windows Domain Membership. Realized that the sssd service does not start.

2023-03-09T16:36:32.338111+01:00 hostname login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username@domain.tld
2023-03-09T16:36:32.339432+01:00 hostname login: pam_winbind(login:auth): getting password (0x00000190)
2023-03-09T16:36:32.339477+01:00 hostname login: pam_winbind(login:auth): pam_get_item returned a password
2023-03-09T16:36:32.372230+01:00 hostname login: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.
2023-03-09T16:36:32.372288+01:00 login: pam_winbind(login:auth): user 'NETBIOSDOMAIN\username' denied access (incorrect password or invalid membership)

Source: How To join an openSUSE Leap 42.2 Linux Client into an existing Windows ActiveDirectory using SSSD Authentication – FreeCastle IT (wordpress.com)

Edit to add that the installation of the mentioned modules did not let the service start successfully :frowning:

Will now try the manual approach in SUSE, both the sssd and the winbind approach, to see where it gets. And if both are not successful I'll try to set up an Ubuntu VM and see where it gets. In every case I would be very glad to hear if winbind or sssd is the way to go, and if anyone has a solution for this…

@Leni does your setup need granular access to SMB shares?
Using AD authentication on Linux as SSO might be useful, but sometimes it breaks the concepts of the OS.

No access to shares needed, not even a shared userhome. We shall use it primarily for user administration. And it has to be AD as there are also Windows clients. I now set up minimal VMs and have trouble logging into the domain although the domain join of the clients works fine :see_no_evil:

Personal opinion: there's no universal recipe.
Every distro deals with AD integration (even one made by NethServer) in its own way, so maybe the best path would be to read a lot of documentation from the distro for AD integration. Then try to write some notes for the correct configuration.

Fun fact: "supported" (paid) Linux client distros have a better experience/KB/howto for that. But that's not GPL, sometimes.

As a matter of fact that's what I have been doing for days now, reading documentation. So I came across that it can be done via sssd or via winbind, correct? My goal is to have a solution that works on different distributions, as I want to deploy this network-wide later, for example by Ansible.

I gained the impression that Kerberos and sssd is the way to go. It's a pity that although the Kerberos setup seems OK, as I can do a kinit / klist and get information from the domain, and I am even able to see pam_sss authenticate successfully on the console, it immediately logs me out after what seems a successful login. I suspect it's a problem with the userhome not being there, but I am not sure. I have put the corresponding line in /etc/pam.d/common-session. Now I don't know if I should give up and try the winbind method.

However, after spending time with not much progress I thought I should write here too while I continue to investigate the problem. And it would be helpful to know whether to continue trying to solve this by the sssd/kerberos/realmd approach or by winbind. As said - joining a Linux box to the domain works fine, it's the unsuccessful login afterwards that I am fighting with. I'll try to start over and report step by step and take a more structured approach.

I restarted and went step by step following this guide on a Debian box, as this howto seems accurate:

On the step of switching user to a domain user from the root console, and thus creating the userhome, I get a system error. Following the link is the relevant part of the /var/log/messages log.

Does anyone understand what the problem could be? Or see the relevant part in the following log, or is there another log that I could provide that could be helpful in identifying the source of the problem?

Btw. shouldn't the umask rather be 0077 than 0022?

Edit to add, that auth log reads:

Mar 10 09:55:57 HOSTNAME su: pam_sss(su-l:account): Access denied for user username@domain.tld: 4 (System error)
Mar 10 09:55:57 HOSTNAME su: FAILED SU (to username@domain.tld) sshusername on pts/0

Meanwhile /var/log/sssd/sssd_domain.tld.log prints the following when trying to su - user@domain.tld:


(2023-03-10 10:12:39): [be[domain.tld]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(2023-03-10 10:12:39): [be[domain.tld]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(2023-03-10 10:12:39): [be[domain.tld]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument)
(2023-03-10 10:12:39): [be[domain.tld]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(2023-03-10 10:12:39): [be[domain.tld]] [child_sig_handler] (0x0020): child [850] failed with status [1].

/var/log/syslog:

Mar 10 10:12:39 HOSTNAME kernel: [ 1495.783731] audit: type=1400 audit(1678439559.255:4536): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexe>
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.787978] audit: type=1400 audit(1678439559.259:4537): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd//null-/usr/lib>
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.787991] audit: type=1400 audit(1678439559.259:4538): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexe>
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789663] audit: audit_backlog=65 > audit_backlog_limit=64
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789664] audit: audit_lost=461 audit_rate_limit=0 audit_backlog_limit=64
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789665] audit: backlog limit exceeded
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789802] audit: audit_backlog=65 > audit_backlog_limit=64
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789803] audit: audit_lost=462 audit_rate_limit=0 audit_backlog_limit=64
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789803] audit: backlog limit exceeded
Mar 10 10:12:39 HOSTNAME kernel: [ 1495.789927] audit: audit_backlog=65 > audit_backlog_limit=64
Mar 10 10:15:33 HOSTNAME kernel: [ 1669.701423] kauditd_printk_skb: 726 callbacks suppressed
Mar 10 10:15:33 HOSTNAME kernel: [ 1669.701425] audit: type=1400 audit(1678439733.173:4936): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexe>

I raised debug level of sssd_domain.tld.log and sssd.log just in case someone can help me on this:

Wait, what … setting ad_gpo_access_control=disabled as described here now reads:

su - username@domain.tld
create dir '/var/lib/nethserver/home/username'.
su: failed to execute /usr/libexec/openssh/sftp-server: file or directory not found

This somehow explains the trouble. I mean, why does the Linux client that I try to log in with a domain account, or switch the user to the domain account for that matter, try to create a userhome on the NethServer in the first place? And by trying it, it is missing a component (sftp-server) to be able to create it remotely?

Is that behaviour to be expected? What does the client need to be able to do its magic? Or can it simply be a problem that the NethServer SSH port was changed to a non-standard port which the client can't know, so SSH to the server to create a userhome doesn't work? I don't understand why in this scenario the client joined to the Neth AD domain is trying to create a userhome on the server anyway. Can this be disabled, and if so - how?

I restarted and this time I left out the step of creating a userhome by activating mkhomedir completely, and now the message reads:

su: warning: cannot change directory to /var/lib/nethserver/home/username: No such file or directory
su: failed to execute /usr/libexec/openssh/sftp-server: No such file or directory

So where is the userhome path of domain users defined (GPO?), and how can I change this so a local folder named domain.tld gets created on the Linux box the first time a domain user tries to log in, and as subfolders the userhome folders of the domain users are created locally? Or do I have to create the domain.tld folder manually, and if so, what would be the correct permissions so users can see their subfolders that will be created but not the userhomes of other users?

@support_team Now that I narrowed down the problem, apparently being the userhome creation, maybe you can give some useful hints on:

  • As it is apparently intended that a userhome is automatically created in the server's /var/lib/nethserver/home by the domain users logging in on their (Windows and/or Linux) workstations for the first time, where on the NethServer can this behaviour be configured or deactivated, so the userhomes are only created locally in the local workstation profiles?
  • Can the path be adapted so the userhome is created somewhere else?
  • What do Linux boxes need to be able to create a userhome on NethServer?

Thanks in advance for clarifying that for me or for pointing me to the relevant part of the documentation in case I just did not find it.

Keep up your great work. :+1:
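A pre-login check for the situation described in the posts above (su and login failing on a home directory and a login shell that do not exist on the client). This is an added example, not code from this thread or from NethServer: it inspects the passwd entry that sssd resolves for a domain user and reports the same two faults without needing a console session. The sample entries, paths and the `check_domain_entry` name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): check what sssd hands the
# PAM stack for a domain user before anyone tries to log in. On a joined
# client run it as:
#   check_domain_entry "$(getent passwd username@domain.tld)"
# getent returns the user's home and shell exactly as sssd resolved them from
# the domain, which is where /var/lib/nethserver/home/<user> and
# /usr/libexec/openssh/sftp-server come from in the thread.

# check_domain_entry PASSWD_LINE
# Prints one finding per line. Returns 0 when a login can proceed, 1 when the
# login shell cannot be executed (login fails regardless of pam_mkhomedir),
# 2 when only the home directory is missing (pam_mkhomedir can create it).
check_domain_entry() {
    entry=$1
    [ -n "$entry" ] || { echo "no passwd entry: nsswitch/sssd does not resolve the user"; return 1; }
    user=$(printf '%s' "$entry" | cut -d: -f1)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    rc=0
    if [ -z "$shell" ] || [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
        # This is the "failed to execute /usr/libexec/openssh/sftp-server" case.
        echo "$user: login shell '$shell' is missing or not executable on this host"
        rc=1
    elif [ -r /etc/shells ] && ! grep -qx "$shell" /etc/shells; then
        # Not fatal for login/su, but chsh and some daemons consult this list.
        echo "$user: '$shell' is not listed in /etc/shells"
    fi
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        # This is the "cannot change directory to ..." warning from su.
        echo "$user: home '$home' does not exist locally (needs pam_mkhomedir or override_homedir)"
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return $rc
}

# Constructed sample input mirroring the thread: an sftp-only shell and a
# server-side home path that does not exist on the Linux client.
sample='username@domain.tld:*:10001:10001:Constructed User:/var/lib/nethserver/home/username:/usr/libexec/openssh/sftp-server'
check_domain_entry "$sample" || echo "exit status $?"
```

The exit status separates the two problems the thread ran into: a return of 1 means adding pam_mkhomedir cannot help, because the shell the domain publishes is not present on the client; a return of 2 means only the directory is missing. In an Ansible rollout the check can run as a pre-task against a test account on every host before the PAM configuration is touched.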

anyone?

Desired changes won't be easily done.

  • User home folder is created when the PAM session is established.
  • Paths are set (at least) from /etc/e-smith/events/actions/nethserver-dc-user-create script (but other scripts/modules might rely on those default paths).
  • /usr/libexec/openssh/sftp-server is the default shell assigned to domain users (on the old server-manager there was an option to allow remote SSH, but it was replaced in Cockpit with default values for users and further control over System → Settings → Shell policy and the SSH configuration page). This might be needed for instance to let users change their password in Cockpit…
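Given the reply above (home path and sftp-server shell are published by the server for every domain user and are relied on by other parts of NethServer), the client-side way out is to let sssd override those two values locally instead of changing them on the server. The following is an added example, not code from this thread or from NethServer: a POSIX sh function that rewrites the `[domain/<name>]` section of sssd.conf so that `override_homedir` and `override_shell` take precedence over the unixHomeDirectory and loginShell attributes read from AD, and also sets `ad_gpo_access_control` to `permissive` for the GPO failure seen earlier in the thread. The domain name, the `/home/%d/%u` layout and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): make sssd ignore the home
# directory and login shell the domain publishes for its users and use a local
# home plus a real shell instead. Intended for an Ansible/shell rollout:
#   apply_sssd_overrides /etc/sssd/sssd.conf domain.tld && systemctl restart sssd

# apply_sssd_overrides CONF DOMAIN
# Rewrites CONF in place so that its [domain/DOMAIN] section ends with the
# managed keys below; an existing line for any managed key is dropped first,
# so running it twice yields the same file. Returns 1 when the section is
# missing (i.e. "realm join" has not written the file yet).
apply_sssd_overrides() {
    conf=$1
    dom=$2
    grep -q "^\[domain/$dom\]" "$conf" || return 1
    tmp=$(mktemp) || return 1
    awk -v sect="[domain/$dom]" '
        BEGIN {
            # override_* win over the unixHomeDirectory/loginShell attributes
            # sssd reads from AD; fallback_homedir (what realmd default-home
            # maps to) only applies when AD has no value, which is why it did
            # not help in this thread.
            n = 0
            ov[++n] = "override_homedir = /home/%d/%u"
            ov[++n] = "override_shell = /bin/bash"
            ov[++n] = "fallback_homedir = /home/%d/%u"
            # permissive: still evaluate GPOs but log instead of deny when, as
            # above, GPO retrieval fails; "disabled" skips GPO lookups entirely.
            ov[++n] = "ad_gpo_access_control = permissive"
            for (i = 1; i <= n; i++) { split(ov[i], kv, " *= *"); managed[kv[1]] = 1 }
        }
        # Emit the managed keys once, at the end of the target section.
        function flush() { if (in_sect) { for (i = 1; i <= n; i++) print ov[i]; in_sect = 0 } }
        /^\[/ { flush(); in_sect = ($0 == sect) }
        in_sect && !/^\[/ { split($0, kv, " *= *"); if (kv[1] in managed) next }
        { print }
        END { flush() }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the 0600 mode of sssd.conf
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

After restarting sssd, `getent passwd username@domain.tld` should show `/home/domain.tld/username` and `/bin/bash`; if it still shows the old values, clear the cache with `sss_cache -E`. The `pam_mkhomedir` line from the earlier posts is still needed to create the directory on first login (it creates the `/home/domain.tld` parent as well). Note that `override_shell` applies to every user of that domain on the client, so accounts that should stay sftp-only on the server still get a shell on the Linux box; restrict who may log in with sssd's `simple_allow_groups` or the distribution's PAM access controls rather than with the shell.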

Hi Dnutan, and thanks for your feedback.

I understand and don't necessarily want to change those settings then. The thing is, the userhome is not created and the user cannot log in on my Linux box, so I have to find out how I can fix this "sftp-server file or directory not found" issue.

I set up a standard Fedora workstation and not a minimal server to check if some component is missing that allows the creation of the userhome. Joining the domain works successfully, as with the minimal servers.

I made some small progress in that I am now able to log in to GNOME/GDM with the domain account domainuser@domain.tld. But the creation of the userhome still fails, as opening the file browser I get the error:

/var/lib/nethserver/home/domainusername not found.

I also tried to give the domainuser

  • shell access
  • domain admin rights

but still the same. So is my guess correct that my problem has something to do with the NethServer configuration? What am I missing?

The Ubuntu setup reacts exactly the same if I do not add the following line in /etc/pam.d/common-session:
session optional pam_mkhomedir.so skel=/etc/skel umask=077

Meaning it states it cannot create the userhome in /var/lib/nethserver/home.
But it does create the userhome folder locally in the mentioned path once the above "session optional" entry is added to the common-session file. However, it creates it locally at the path /var/lib/nethserver/home.

While NethServer creates and shares the userhome on smb://nethservername/domainusername, right?

I'll try the same on the other test boxes and report back in case this can be of help to anybody.

Meanwhile I would really appreciate some input on how one is supposed to configure the Linux clients in order to work as expected. E.g. should I just have the "session optional" line configured so the Linux client does not complain that it can't create the userhome (locally) at the path /var/lib/nethserver/home, and simply additionally mount the userhome by fstab to /home/domain.tld/username somehow?

I have yet to find out how this configuration works in Fedora; in the meantime I'll try to set up my Debian and openSUSE servers to see if I can log in with the domain user, and would kindly appreciate some hints in the right direction. Thanks in advance.

Edit to add that although the same packages were all installed on the Debian minimal server and sssd.conf and common-session are identical, Debian does not let me log in with the domain user :confused: