NethServer 7.9.2009
Active Directory Domain
Hello Nethserver community,
Is it possible to configure local userhome creation for Linux boxes on initial login to Neth-AD? Or is there a howto which helps configuring Linux distributions to successfully log in to an AD domain provided by NethServer? We do not need a userhome on the server, but can live with it if that's the way it should be done.
I tried with different distributions (Debian 11, openSUSE Leap 15.4, Gentoo) but was not yet successful. Joining the domain works fine, getting a ticket by kinit too.
According to the logs the authentication is successful, so I am not even sure if it has something to do with the NethServer, but rather could be a problem of the mentioned Linux boxes? Like not being logged in as the local userhome is not created successfully?
And from reading there are different approaches to let linux clients authenticate, like sssd (configured by realmd) or winbind.
Things I have tried so far:
Source (German): Linux Active Directory/LDAP SSH Login mit sssd und realmd » schroeffu.blog
Installed a new server without any additional packages. Then added the following packages:
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli chrony
- creating a domain: domain.tld instead of ad.domain.tld
- joining domain by realmd
- joining domain of susebox by yast
- authenticating by winbind
After some days of trial and error, I thought I should report here and ask for help.
Steps I have done on Debian, which successfully let me join the domain:
Configuring /etc/network/interfaces, /etc/resolv.conf and /etc/hosts so it shows the correct name, and the default gateway and DNS server correspond to the green interface of the NethServer.
Created /etc/realmd.conf with the following:
[users]
default-home = /home/%d/%U
default-shell = /bin/bash
[active-directory]
default-client = sssd
os-name = {{ Debian }} Server
os-version = {{ 11 - Bullseye }}
[service]
automatic-install = no
[domain.tld]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
# computer-ou={{ ou_to_join_servers }
Added a line at the end of the file in /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
And then joined domain with:
realm --verbose join MYDOM.XY -U Administrator
When trying to log in I get the following in /var/log/auth.log:
Mar 9 14:12:34 Hostname login[555]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
Mar 9 14:12:34 Hostname login[555]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
Mar 9 14:12:34 Hostname login[555]: pam_sss(login:account): Access denied for user username: 6 (Permission denied)
Mar 9 14:12:34 Hostname login[555]: Permission denied
and in /var/log/messages I see:
Mar 9 14:20:15 hostname kernel: [ 1166.727809] audit: type=1400 audit(1678368015.214:2751): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" name="/etc/passwd" pid=850 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I'll attach the procedure I went through with openSUSE Leap after having reproduced it, with its respective errors, but the symptoms are all the same:
- join domain ok
- login nok
- kinit user / klist user - ok.
I also tried different ways of putting the username: user@domain.tld, user@DOMAIN.TLD, NETBIOSDOMAINNAME\user. And is there a preferred way to authenticate, winbind vs. sssd, or doesn't that matter and both should work?
What am I missing?
Is there a tutorial which lists what files have to be modified and how, in order to log in to a Linux box authenticated by a NethServer AD domain? nsswitch.conf, common-session, krb5.conf, sssd.conf?
Any tests I could do or logs I should provide in order for you to be able to help me with this?
Last but not least - I wrote Alessio as I would like to get my account with username Elleni back by changing it to correspond to another email address, as I do not have access anymore to the registered email address, so if any other mod could help me with this I would be glad to hear from you.
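As an added diagnostic example (not part of the post above, and not NethServer project code): the auth.log lines quoted in the post carry the answer to "is it the home directory?" in their PAM phases. PAM runs auth, then account, then session; pam_mkhomedir is a session module, so it can only run after the account phase has passed. The script below parses PAM lines of the quoted format, groups them per login attempt (pid, user) and reports which phase rejected the login, and it checks whether the quoted AppArmor audit line actually blocked anything (apparmor="ALLOWED" with a denied_mask is complain mode: logged, not enforced). The two sshd lines for "otheruser" are constructed for contrast; the hint text mentions `realm list` and the `access_provider` setting in /etc/sssd/sssd.conf as the places to look, which is general sssd/realmd knowledge, not something the post confirms about this setup.

```python
"""Classify AD login failures in /var/log/auth.log by PAM phase (added example)."""
import re
from collections import defaultdict

# Constructed sample: the four auth.log lines quoted in the post, plus two constructed
# sshd lines for a second user ("otheruser") whose login succeeds, for contrast.
SAMPLE_AUTH_LOG = """\
Mar 9 14:12:34 Hostname login[555]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
Mar 9 14:12:34 Hostname login[555]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=username
Mar 9 14:12:34 Hostname login[555]: pam_sss(login:account): Access denied for user username: 6 (Permission denied)
Mar 9 14:12:34 Hostname login[555]: Permission denied
Mar 9 14:30:01 Hostname sshd[601]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=otheruser
Mar 9 14:30:01 Hostname sshd[601]: pam_unix(sshd:session): session opened for user otheruser by (uid=0)
"""

# The AppArmor audit line quoted from /var/log/messages in the post.
SAMPLE_AUDIT_LINE = (
    'Mar 9 14:20:15 hostname kernel: [ 1166.727809] audit: type=1400 audit(1678368015.214:2751): '
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss" '
    'name="/etc/passwd" pid=850 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# PAM modules log as: <module>(<service>:<phase>): <message>
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<service>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<pam_service>[\w.-]+):(?P<phase>auth|account|session|password)\): "
    r"(?P<msg>.*)$"
)
# "user=<name>" (auth messages) or "for user <name>" (account/session messages);
# the \b keeps "ruser=" from matching.
USER_IN_MSG = re.compile(r"(?:\buser=|\bfor user )(?P<user>[^\s:]+)")
AUDIT_LINE = re.compile(r'apparmor="(?P<action>\w+)"')

HINTS = {
    "account_denied_by_pam_sss": (
        "the password was accepted (pam_sss auth succeeded); the rejection came from sssd's "
        "access control in the account phase. PAM never reached the session phase, so "
        "pam_mkhomedir did not run: the missing home directory is a symptom, not the cause. "
        "Check `realm list` (login policy / permitted logins) and access_provider in sssd.conf."
    ),
    "auth_failed": (
        "no PAM module accepted the password. A pam_unix failure alone is normal for a domain "
        "user who is not in /etc/passwd; look for the pam_sss auth line."
    ),
    "login_ok": "auth and account passed and a session was opened.",
    "auth_ok_no_session": "auth passed and nothing denied the account, but no session line was logged.",
}


def parse_pam_events(text):
    """Return one dict per PAM module line, with phase, user and a success flag."""
    events = []
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue  # e.g. the bare "Permission denied" summary line has no PAM phase
        ev = m.groupdict()
        u = USER_IN_MSG.search(ev["msg"])
        ev["user"] = u.group("user") if u else None
        ev["ok"] = not any(w in ev["msg"] for w in ("failure", "denied", "error"))
        events.append(ev)
    return events


def diagnose(events):
    """Map (pid, user) -> verdict, judging each login attempt by its PAM phases."""
    by_attempt = defaultdict(list)
    for ev in events:
        by_attempt[(ev["pid"], ev["user"])].append(ev)
    verdicts = {}
    for key, evs in by_attempt.items():
        auth_ok = [e["module"] for e in evs if e["phase"] == "auth" and e["ok"]]
        acct_denied = [e["module"] for e in evs if e["phase"] == "account" and not e["ok"]]
        has_session = any(e["phase"] == "session" for e in evs)
        if acct_denied:
            verdicts[key] = "account_denied_by_" + acct_denied[0]
        elif not auth_ok:
            verdicts[key] = "auth_failed"
        elif has_session:
            verdicts[key] = "login_ok"
        else:
            verdicts[key] = "auth_ok_no_session"
    return verdicts


def apparmor_blocked(line):
    """True only if AppArmor actually blocked the access (apparmor="DENIED").
    apparmor="ALLOWED" together with a denied_mask means the profile is in complain
    mode: the access was logged but not prevented."""
    m = AUDIT_LINE.search(line)
    return bool(m) and m.group("action") == "DENIED"


if __name__ == "__main__":
    for (pid, user), verdict in diagnose(parse_pam_events(SAMPLE_AUTH_LOG)).items():
        print(f"pid {pid} user {user}: {verdict} -> {HINTS.get(verdict, '')}")
    print("AppArmor blocked sssd_nss:", apparmor_blocked(SAMPLE_AUDIT_LINE))
```

Run it against the real file with `python3 pamphase.py < /var/log/auth.log` after replacing SAMPLE_AUTH_LOG with `sys.stdin.read()`; on the quoted lines it reports pid 555 as `account_denied_by_pam_sss`, i.e. Kerberos/sssd accepted the password and the denial is an account-phase access decision, and it reports the AppArmor line as not blocking.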