
#1 2017-03-29 18:06:01

eMdzeJ
Member
Registered: 2017-03-29
Posts: 2

Arch and Active Directory problem

Hi,

I've just installed Arch on my work notebook. Everything is working perfectly except AD integration.

I followed this tutorial:
https://wiki.archlinux.org/index.php/Ac … ntegration

I can get a Kerberos ticket and add the computer to the domain; wbinfo -g and wbinfo -u work. getent also works. All of the diagnostic commands are working. I have a problem with the PAM config, hmm.

After setting the pam and nsswitch options from the manual, after logon I get:

mar 29 19:43:29 linux login[1764]: pam_tally(login:auth): pam_get_uid; no such user
mar 29 19:43:29 linux login[1764]: pam_winbind(login:auth): getting password (0x00000000)
mar 29 19:43:32 linux login[1764]: pam_winbind(login:auth): user 'test.user' granted access
mar 29 19:43:32 linux login[1764]: FAILED LOGIN 1 FROM tty3 FOR test.user, Authentication failure


I commented out pam_tally in system-logon and get the same Authentication failure from the console, but without the pam_tally error.

To test, I switched from winbind to sssd, and after some changes in system-auth and nsswitch I can log on to the domain. But I wonder why the config with winbind doesn't work.

Can you share your config? Or maybe sssd is the only option?

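The log excerpt in the first post shows pam_winbind granting access while login still records a failure for the same PID. As an added example (not part of the original thread), this Python script correlates such lines per PID to flag that mismatch; it assumes the journal line layout matches the four lines quoted in the post, which are embedded as sample input.

```python
import re
from collections import defaultdict

# Sample input: the four journal lines quoted in the first post.
SAMPLE = """\
mar 29 19:43:29 linux login[1764]: pam_tally(login:auth): pam_get_uid; no such user
mar 29 19:43:29 linux login[1764]: pam_winbind(login:auth): getting password (0x00000000)
mar 29 19:43:32 linux login[1764]: pam_winbind(login:auth): user 'test.user' granted access
mar 29 19:43:32 linux login[1764]: FAILED LOGIN 1 FROM tty3 FOR test.user, Authentication failure
"""

# Assumed syslog-style layout: "<mon> <day> <time> <host> <prog>[<pid>]: <msg>"
LINE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ [\w.-]+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM = re.compile(r"^(?P<module>pam_\w+)\([\w-]+:(?P<phase>\w+)\): (?P<text>.*)$")
GRANTED = re.compile(r"user '(?P<user>[^']+)' granted access")
FAILED = re.compile(r"^FAILED LOGIN \d+ FROM (?P<tty>\S+) FOR (?P<user>[^,]+), (?P<reason>.*)$")


def correlate(log_text):
    """Return login attempts where a PAM module granted access but login failed."""
    attempts = defaultdict(lambda: {"granted_by": [], "other": [], "failed": None})
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not in the assumed format; skip rather than guess
        attempt = attempts[int(line["pid"])]
        pam = PAM.match(line["msg"])
        failed = FAILED.match(line["msg"])
        if pam and GRANTED.search(pam["text"]):
            attempt["granted_by"].append(pam["module"])
        elif pam and "no such user" in pam["text"]:
            # a module that could not resolve the account name
            attempt["other"].append(f'{pam["module"]}({pam["phase"]}): {pam["text"]}')
        elif failed:
            attempt["failed"] = failed.groupdict()
    return [
        {"pid": pid, **a["failed"], "granted_by": a["granted_by"], "other": a["other"]}
        for pid, a in attempts.items()
        if a["failed"] and a["granted_by"]
    ]


if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(f"PID {finding['pid']}: {finding['granted_by']} granted access to "
              f"{finding['user']} on {finding['tty']}, but login reported: {finding['reason']}")
        for note in finding["other"]:
            print(f"  also logged: {note}")
```

A finding means the module named in `granted_by` accepted the credentials, so the place to look is the rest of the PAM stack and the account lookup, not the password check itself.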

#2 2017-11-27 19:50:28

AveryFreeman
Member
Registered: 2017-11-25
Posts: 25

Re: Arch and Active Directory problem

I also followed that guide, but I had some experience setting up CentOS for my domain as well, so my setup slightly diverged from the Arch wiki.

In /etc/nsswitch.conf I have:

passwd: files sss winbind
shadow: files sss winbind
group: files sss winbind

and my samba config includes:

client signing = auto
server signing = auto

to avoid messing with the GPO on the AD server that requires AD-wide client signing (seemed like a bad idea).  I actually changed the wiki when I saw that because, besides the obvious security issues for the whole network, many people trying to use AD might not have GPO-editing permissions for the AD they're trying to use, like, say, in a work environment.

Lastly, the backend in the wiki in smb.conf was rid. I changed that to tdb. But if you already have wbinfo and getent working properly, that's probably not it.

Try those out and see if that helps!

There's also the official page that often gets overlooked:  https://wiki.samba.org/index.php?title= … ldid=14014

Edit: Re SSSD or Winbind, it most likely depends on what technologies your AD is using - it might be something to discuss with your sysadmin. I have to admit, I don't know enough about it (or your domain) to make a recommendation, but I found a couple of good articles:

http://rhelblog.redhat.com/2015/04/02/sssd-vs-winbind/
https://access.redhat.com/documentation … de/winbind

Last edited by AveryFreeman (2017-11-27 22:27:28)


#3 2017-11-28 00:56:00

AveryFreeman
Member
Registered: 2017-11-25
Posts: 25

Re: Arch and Active Directory problem

Here's a reason to use sssd -- it can make up for the fact that Microsoft deprecated the Unix attributes module for AD server. https://access.redhat.com/articles/2203991
