Thursday, May 10, 2007

Longhorn server and Ubuntu Active Directory Authentication


Longhorn Server and Ubuntu: do they still play together?

The best feature of Samba is being able to join an Active Directory domain and authenticate against it for desktop logins, web applications and almost anything else you can think of that requires a user name and password. In the past I have used Winbind authentication for email over POPS and IMAPS and found the features to be fantastic for any business that operates in a heterogeneous environment.

Microsoft have just released Longhorn Server Beta 3, which offers a fairly big change from previous Windows Server versions in the way it approaches network management, with a large focus on role-based servers. The real question, however, is: can Linux boxes still join and authenticate against Active Directory domains running at native Longhorn Server levels? Well, the answer is an unsurprising NO!

I spent around 8 hours trying to get this to work based on previous working configurations that I had for Windows 2003; nothing worked at all.

Below is a quick look at the configuration that I had, which failed to work.

I started with a stock standard Ubuntu 7.04 install and a base install of Longhorn Server Beta 3; you can review my configurations below. Based on what I have found, I believe that Microsoft have changed some major parts of Kerberos, since the standard encryption for Windows didn't work. When I changed this to auto negotiation I was able to get a ticket; however, when I attempted to add the computer to the domain I continued to get different Kerberos errors.

#first step
odin749@odin749:~$ sudo su -
Password:
root@odin749:~# apt-get update
root@odin749:~# apt-get dist-upgrade

#enable remote login
root@odin749:~# apt-get install ssh

#Install Samba
root@odin749:~# apt-get install samba

#Install Winbind
root@odin749:~# apt-get install winbind

#Install Kerberos
root@odin749:~# apt-get install krb5-clients krb5-user

#CONFIGURE KRB5
root@odin749:~# vi /etc/krb5.conf

[logging]
default = FILE10000:/var/log/krb5lib.log

[libdefaults]
ticket_lifetime = 24000
default_realm = ASTECH.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
ASTECH.COM = {
    kdc = thor.astech.com
    admin_server = thor.astech.com
    default_domain = ASTECH.COM
}

[domain_realm]
.astech.com = ASTECH.COM
astech.com = ASTECH.COM

#CONFIGURE SAMBA
root@odin749:~# vi /etc/samba/smb.conf

[global]
workgroup = ASGUARD
realm = ASGUARD.COM
security = ADS
password server = thor.asguard.com
domain master = No
idmap uid = 500-1000
idmap gid = 500-1000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes

root@odin749:~# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

#CONFIGURE NSSWITCH
root@odin749:~# vi /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

#CONFIGURE PAM
root@odin749:~# vi /etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so

root@odin749:~# vi /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

root@odin749:~# vi /etc/pam.d/common-password

password required pam_unix.so nullok obscure min=4 max=50 md5

root@odin749:~# vi /etc/pam.d/common-session

session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_unix.so
session optional pam_foreground.so

#MAKE HOME DIR
root@odin749:~# mkdir /home/ASTECH

#ADD KERBEROS REALM
root@odin749:~# kinit administrator@ASTECH.COM
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

#DNS WRONG

#ENCRYPTION TYPE WRONG
root@odin749:~# kinit administrator@ASTECH.COM
kinit(v5): KDC has no support for encryption type while getting initial credentials

root@odin749:~# vi /etc/krb5.conf

[logging]
default = FILE10000:/var/log/krb5lib.log

[libdefaults]
default_realm = ASTECH.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
ASTECH.COM = {
    kdc = thor.astech.com
    admin_server = thor.astech.com
    default_domain = ASTECH.COM
}

[domain_realm]
.astech.com = ASTECH.COM
astech.com = ASTECH.COM

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

root@odin749:/var/log# kinit administrator@ASTECH.COM
Password for administrator@ASTECH.COM:
kinit(v5): Clock skew too great while getting initial credentials

root@odin749:/var/log# kinit administrator@ASTECH.COM
Password for administrator@ASTECH.COM:
root@odin749:/var/log#

root@odin749:/var/log# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ASTECH.COM

Valid starting     Expires            Service principal
05/04/07 23:59:09  05/05/07 09:59:02  krbtgt/ASTECH.COM@ASTECH.COM
        renew until 05/05/07 23:59:09

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

root@odin749:/var/log# net ads join -U administrator@astech.com
administrator@astech.com's password:
[2007/05/05 00:01:22, 0] utils/net_ads.c:ads_startup(289)
ads_connect: No such file or directory
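
A pre-join consistency check over the two files posted above, as an added example that is not part of the original post: it flags a realm or KDC host that differs between krb5.conf and smb.conf, and an enctype list pinned to DES-family types only (the pin the post dropped before kinit returned a ticket). The function names and the trimmed sample strings are constructed for illustration.

```python
import re

# Constructed sample input: trimmed copies of the first krb5.conf and the smb.conf shown above.
KRB5_CONF = """[libdefaults]
default_realm = ASTECH.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
ASTECH.COM = {
kdc = thor.astech.com
}
"""
SMB_CONF = """[global]
realm = ASGUARD.COM
password server = thor.asguard.com
"""

def parse(text):
    """Flatten an INI-style file to {(section, key): value}; 'REALM = {' openers are skipped."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        if value.strip() != "{":
            out[(section, key.strip().lower())] = value.strip()
    return out

def check(krb5_text, smb_text):
    """Return findings (hypothetical helper) to review before running net ads join."""
    krb, smb = parse(krb5_text), parse(smb_text)
    findings = []
    k_realm = krb.get(("libdefaults", "default_realm"), "")
    s_realm = smb.get(("global", "realm"), "")
    if k_realm.upper() != s_realm.upper():
        findings.append(f"realm mismatch: krb5.conf {k_realm} vs smb.conf {s_realm}")
    kdc = krb.get(("realms", "kdc"), "")
    if smb.get(("global", "password server"), "").lower() != kdc.lower():
        findings.append(f"password server differs from kdc {kdc}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = krb.get(("libdefaults", key), "").split()
        if types and all(t.startswith("des") for t in types):
            findings.append(f"{key} allows only DES-family types")
    return findings
```

Calling `check(KRB5_CONF, SMB_CONF)` on the sample returns four findings; with the second krb5.conf from the post (no enctype pins) and a matching realm and server in smb.conf it returns an empty list.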

11 comments:

Brian said...

Microsoft does its best to reinvent the wheel (aka improve its service) to keep at bay competitors by making them incompatible with its OS. I would suggest waiting some time until the dust settles.

Victor Rafael Rivarola (FANÁTICO y LOCO por Cristo) said...

This reminds me...Windows ain't done until Lotus won't run.

It's amazing how different things are from the good old DOS 5/Widows 3.0 days...NOT IN THIS CASE!!!

odin749 said...

Thanks for the comments, Brian and Victor. I do believe that the good people over at Samba will have these problems fixed shortly, as it is only minor Kerberos changes.

Gerald Carter said...

Yup. We'll fix this for the Samba 3.0.26 release if not before.

odin749 said...

Gerald

Thanks for the update. I look forward to testing the new version of Samba once this is done.

Thanks

Odin749
