I am setting up a new computer for work on the domain. I got everything working from the wiki, but when I restart it doesn't work. I cannot log in with my domain account or normal user account (same username), but I can thankfully get root access.
If I log in as root and restart smbd, nmbd and winbindd, then I can switch consoles and log in with my domain account, but starting kdm still does not let me log in with a local or domain account.
systemctl shows all services starting successfully on startup.
Thank you in advance for your help.
OK, so what I think needs to happen is to make sure smbd et al. are started once dhcpcd is done.
systemctl status kdm after trying to log in shows "pam_loginuid(kde:session): set_loginuid failed" a bunch of times.
Just stopped Samba loading on start. Hopefully I can come back to this at a later date to fix it.
Did you find any solution to this? I just got a new laptop. I joined it to Active Directory and everything worked smoothly. The only difference from the wiki was that I had to enable smbd, nmbd and winbindd, not samba. Samba said in the logs that the service is only needed when you run the computer as a domain controller.
When I rebooted, kdm didn't start. It just showed that "x" on the screen. I couldn't log in even as a local user. The only thing that worked was logging in as root. A couple of times I was able to get kdm starting about 5-15 minutes after booting up. However, I couldn't log in from kdm. When trying with a domain user, it got stuck after giving the user name. I never reached the password field. When trying with a local user I was able to give credentials, but I couldn't see any of those "loading icons". It just loaded for a while and then returned to kdm.
I tried to search the logs but all they contain is a line "permission denied" from when I tried to log in from kdm with a local user. Now I've removed the packages and restored the original config files and everything works normally with a local user.
My next step will be to try sssd. I'm not sure whether it will be any different but maybe I learn something new in the process.
Sorry. I don't know whether it is just kdm, but I could only get it working after login or automatically if I booted to console. I ended up using davmail to relay contacts, calendar, and mail and autofs for network mounts.
I think I found the solution. I've been using this now for about two weeks and it has worked almost flawlessly so far. The only glitch I've noticed is that sometimes KDE hangs for five seconds or so, but I'm not sure if it's btrfs, KDE, Samba or what. I copied these from my previous openSUSE installation and modified them a bit.
/etc/security/pam_winbind.conf
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create home directory on the fly
;mkhomedir = no
/etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = DOMAIN
password server = 10.x.x.x
realm = DOMAIN.COM
security = ADS
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
template homedir = /home/%D/%U
winbind refresh tickets = yes
template shell = /bin/bash
winbind offline logon = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
/etc/pam.d/login
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so
auth required pam_winbind.so use_first_pass
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
password sufficient pam_winbind.so
password requisite pam_pwcheck.so cracklib
password required pam_unix.so
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so
session required pam_winbind.so
session optional pam_umask.so
session optional pam_systemd.so
/etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so
auth required pam_winbind.so use_first_pass
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
password sufficient pam_winbind.so
password requisite pam_pwcheck.so cracklib
password required pam_unix.so
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix.so
session required pam_winbind.so
session optional pam_umask.so
session optional pam_systemd.so
As you can see, the last two are identical. I'm still reading the PAM documentation in order to understand why this works, so I discourage everyone from just copy-pasting it.
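To see what the control flags in those two PAM files actually do, here is an added Python walk-through of the auth and account stacks from the /etc/pam.d/login above under Linux-PAM control-flag rules (example code, not from the thread). The per-module outcomes are constructed, and the assumption that pam_unix's account check passes for a winbind-resolved domain user is mine.

```python
# Added example, not from the thread; the module outcomes are constructed.
# Walks the auth and account stacks of the /etc/pam.d/login posted above.
PAM_LOGIN = """\
auth required pam_env.so
auth sufficient pam_unix.so
auth required pam_winbind.so use_first_pass
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
"""

def parse_stack(text, facility):
    """Return [(control, module)] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fac, control, module, *_args = line.split()
        if fac == facility:
            stack.append((control, module))
    return stack

def run_stack(stack, results):
    """results maps module -> True/False; a missing module counts as failed
    (what you get from pam_winbind while winbindd has not started yet)."""
    failed = False                  # an earlier 'required' module failed
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False            # abort the stack at once
        if control == "required" and not ok:
            failed = True           # remember it, but keep walking the stack
        if control == "sufficient" and ok and not failed:
            return True             # short-circuit: later modules never run
        # 'optional' and any success: fall through to the next module
    return not failed

def login_allowed(text, outcomes):
    """outcomes: {facility: {module: bool}}; auth and account must both pass."""
    return all(run_stack(parse_stack(text, f), outcomes.get(f, {}))
               for f in ("auth", "account"))

# Constructed scenarios; winbindd not yet running means pam_winbind is absent.
LOCAL_WINBIND_DOWN = {"auth": {"pam_env.so": True, "pam_unix.so": True},
                      "account": {"pam_unix.so": True, "pam_localuser.so": True}}
# Domain user: no local password; pam_unix account check assumed OK via NSS/winbind.
DOMAIN_WINBIND_UP = {"auth": {"pam_env.so": True, "pam_winbind.so": True},
                     "account": {"pam_unix.so": True, "pam_winbind.so": True}}
DOMAIN_WINBIND_DOWN = {"auth": {"pam_env.so": True}, "account": {"pam_unix.so": True}}
```

The local user gets in because `auth sufficient pam_unix.so` returns before pam_winbind is ever consulted, which is why this stack survives winbindd coming up late at boot; a domain user still needs winbindd running.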
This is amazing, if you did it. It no longer applies to me but I'm glad someone got it working!