Connect with an AD user to a ubuntu Machine











up vote
1
down vote

favorite
1












I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "



My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g



Furthermore,i visualize the user from AC



  id jn
uid=10019(jn) gid=10002(utilisateurs du domaine) ....


cat /etc/samba/smb.conf



[global]
workgroup = AAA
realm = AAA.LOCAL
netbios name = ubuntu
security = ads
encrypt passwords = yes
password server = XXX.XXX.XXX
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template homedir = /data/commun


cat /etc/krb5.conf



[libdefaults]
default_realm = AAA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticker_lifetile = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5

krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
PA8.LOCAL = {
kdc = XXX.XXX.XXX
admin_server = XXX.XXX.XXX
default_domain = AAA.LOCAL
}

[domain_realm]
.XXX.local = XXX.LOCAL
XXX.local = XXX.LOCAL


cat /etc/pam.d/common-account



account sufficient      pam_winbind.so
account sufficient pam_unix.so


cat /etc/pam.d/common-auth



auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so


cat /etc/pam.d/common-session



session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel


So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine



Thank you for you help.










share|improve this question


























    up vote
    1
    down vote

    favorite
    1












    I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "



    My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g



    Furthermore,i visualize the user from AC



      id jn
    uid=10019(jn) gid=10002(utilisateurs du domaine) ....


    cat /etc/samba/smb.conf



    [global]
    workgroup = AAA
    realm = AAA.LOCAL
    netbios name = ubuntu
    security = ads
    encrypt passwords = yes
    password server = XXX.XXX.XXX
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    template homedir = /data/commun


    cat /etc/krb5.conf



    [libdefaults]
    default_realm = AAA.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticker_lifetile = 24h
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5

    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    [realms]
    PA8.LOCAL = {
    kdc = XXX.XXX.XXX
    admin_server = XXX.XXX.XXX
    default_domain = AAA.LOCAL
    }

    [domain_realm]
    .XXX.local = XXX.LOCAL
    XXX.local = XXX.LOCAL


    cat /etc/pam.d/common-account



    account sufficient      pam_winbind.so
    account sufficient pam_unix.so


    cat /etc/pam.d/common-auth



    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so nullok_secure use_first_pass
    auth required pam_deny.so


    cat /etc/pam.d/common-session



    session required pam_unix.so
    session required pam_mkhomedir.so umask=0022 skel=/etc/skel


    So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine



    Thank you for you help.










    share|improve this question
























      up vote
      1
      down vote

      favorite
      1









      up vote
      1
      down vote

      favorite
      1






      1





      I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "



      My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g



      Furthermore,i visualize the user from AC



        id jn
      uid=10019(jn) gid=10002(utilisateurs du domaine) ....


      cat /etc/samba/smb.conf



      [global]
      workgroup = AAA
      realm = AAA.LOCAL
      netbios name = ubuntu
      security = ads
      encrypt passwords = yes
      password server = XXX.XXX.XXX
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      winbind enum groups = yes
      winbind enum users = yes
      winbind use default domain = yes
      template homedir = /data/commun


      cat /etc/krb5.conf



      [libdefaults]
      default_realm = AAA.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticker_lifetile = 24h
      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5

      krb4_config = /etc/krb.conf
      krb4_realms = /etc/krb.realms
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true

      [realms]
      PA8.LOCAL = {
      kdc = XXX.XXX.XXX
      admin_server = XXX.XXX.XXX
      default_domain = AAA.LOCAL
      }

      [domain_realm]
      .XXX.local = XXX.LOCAL
      XXX.local = XXX.LOCAL


      cat /etc/pam.d/common-account



      account sufficient      pam_winbind.so
      account sufficient pam_unix.so


      cat /etc/pam.d/common-auth



      auth sufficient pam_winbind.so
      auth sufficient pam_unix.so nullok_secure use_first_pass
      auth required pam_deny.so


      cat /etc/pam.d/common-session



      session required pam_unix.so
      session required pam_mkhomedir.so umask=0022 skel=/etc/skel


      So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine



      Thank you for you help.










      share|improve this question













      I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "



      My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g



      Furthermore,i visualize the user from AC



        id jn
      uid=10019(jn) gid=10002(utilisateurs du domaine) ....


      cat /etc/samba/smb.conf



      [global]
      workgroup = AAA
      realm = AAA.LOCAL
      netbios name = ubuntu
      security = ads
      encrypt passwords = yes
      password server = XXX.XXX.XXX
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      winbind enum groups = yes
      winbind enum users = yes
      winbind use default domain = yes
      template homedir = /data/commun


      cat /etc/krb5.conf



      [libdefaults]
      default_realm = AAA.LOCAL
      dns_lookup_realm = false
      dns_lookup_kdc = true
      ticker_lifetile = 24h
      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5

      krb4_config = /etc/krb.conf
      krb4_realms = /etc/krb.realms
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true

      [realms]
      PA8.LOCAL = {
      kdc = XXX.XXX.XXX
      admin_server = XXX.XXX.XXX
      default_domain = AAA.LOCAL
      }

      [domain_realm]
      .XXX.local = XXX.LOCAL
      XXX.local = XXX.LOCAL


      cat /etc/pam.d/common-account



      account sufficient      pam_winbind.so
      account sufficient pam_unix.so


      cat /etc/pam.d/common-auth



      auth sufficient pam_winbind.so
      auth sufficient pam_unix.so nullok_secure use_first_pass
      auth required pam_deny.so


      cat /etc/pam.d/common-session



      session required pam_unix.so
      session required pam_mkhomedir.so umask=0022 skel=/etc/skel


      So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine



      Thank you for you help.







      samba pam active-directory kerberos






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Feb 13 '16 at 9:44









      mamaka

      61




      61






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!



          Have you tried sssd? I'm doing this without winbind.



          /etc/sssd/sssd.conf



          [sssd]
          services = nss, pam
          config_file_version = 2
          domains = MBA.AC.UK

          [domain/MBA.AC.UK]
          id_provider = ad
          access_provider = ad

          override_homedir = /home/%d/%u
          default_shell = /bin/bash


          /etc/krb5.conf didn't require anything other than the Default realm specified in



          sudo dpkg-reconfigure krb5-config


          smb.conf is unchanged (I mount user shares via libpam_mount--which, however, I can tell you up front will screw with lightdm. Perhaps pam / ad issue with lightdm would help with that.)



          I don't think I modified any of the /etc/pam.d/ files beyond the auto-configuration when sssd was installed.



          /etc/pam.d/common-account



          account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
          account requisite pam_deny.so
          account required pam_permit.so
          account sufficient pam_localuser.so
          account [default=bad success=ok user_unknown=ignore] pam_sss.so


          /etc/pam.d/common-auth



          auth    [success=2 default=ignore]      pam_unix.so nullok_secure
          auth [success=1 default=ignore] pam_sss.so use_first_pass
          auth requisite pam_deny.so
          auth required pam_permit.so
          auth optional pam_mount.so
          auth optional pam_cap.so


          /etc/pam.d/common-session



          session [default=1]                     pam_permit.so
          session requisite pam_deny.so
          session required pam_permit.so
          session optional pam_umask.so
          session required pam_unix.so
          session optional pam_sss.so
          session optional pam_mount.so
          session optional pam_systemd.so
          session optional pam_mkhomedir.so





          share|improve this answer





















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f733083%2fconnect-with-an-ad-user-to-a-ubuntu-machine%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!



            Have you tried sssd? I'm doing this without winbind.



            /etc/sssd/sssd.conf



            [sssd]
            services = nss, pam
            config_file_version = 2
            domains = MBA.AC.UK

            [domain/MBA.AC.UK]
            id_provider = ad
            access_provider = ad

            override_homedir = /home/%d/%u
            default_shell = /bin/bash


            /etc/krb5.conf didn't require anything other than the Default realm specified in



            sudo dpkg-reconfigure krb5-config


            smb.conf is unchanged (I mount user shares via libpam_mount--which, however, I can tell you up front will screw with lightdm. Perhaps pam / ad issue with lightdm would help with that.)



            I don't think I modified any of the /etc/pam.d/ files beyond the auto-configuration when sssd was installed.



            /etc/pam.d/common-account



            account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
            account requisite pam_deny.so
            account required pam_permit.so
            account sufficient pam_localuser.so
            account [default=bad success=ok user_unknown=ignore] pam_sss.so


            /etc/pam.d/common-auth



            auth    [success=2 default=ignore]      pam_unix.so nullok_secure
            auth [success=1 default=ignore] pam_sss.so use_first_pass
            auth requisite pam_deny.so
            auth required pam_permit.so
            auth optional pam_mount.so
            auth optional pam_cap.so


            /etc/pam.d/common-session



            session [default=1]                     pam_permit.so
            session requisite pam_deny.so
            session required pam_permit.so
            session optional pam_umask.so
            session required pam_unix.so
            session optional pam_sss.so
            session optional pam_mount.so
            session optional pam_systemd.so
            session optional pam_mkhomedir.so





            share|improve this answer

























              up vote
              0
              down vote













              I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!



              Have you tried sssd? I'm doing this without winbind.



              /etc/sssd/sssd.conf



              [sssd]
              services = nss, pam
              config_file_version = 2
              domains = MBA.AC.UK

              [domain/MBA.AC.UK]
              id_provider = ad
              access_provider = ad

              override_homedir = /home/%d/%u
              default_shell = /bin/bash


              /etc/krb5.conf didn't require anything other than the Default realm specified in



              sudo dpkg-reconfigure krb5-config


              smb.conf is unchanged (I mount user shares via libpam_mount--which, however, I can tell you up front will screw with lightdm. Perhaps pam / ad issue with lightdm would help with that.)



              I don't think I modified any of the /etc/pam.d/ files beyond the auto-configuration when sssd was installed.



              /etc/pam.d/common-account



              account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
              account requisite pam_deny.so
              account required pam_permit.so
              account sufficient pam_localuser.so
              account [default=bad success=ok user_unknown=ignore] pam_sss.so


              /etc/pam.d/common-auth



              auth    [success=2 default=ignore]      pam_unix.so nullok_secure
              auth [success=1 default=ignore] pam_sss.so use_first_pass
              auth requisite pam_deny.so
              auth required pam_permit.so
              auth optional pam_mount.so
              auth optional pam_cap.so


              /etc/pam.d/common-session



              session [default=1]                     pam_permit.so
              session requisite pam_deny.so
              session required pam_permit.so
              session optional pam_umask.so
              session required pam_unix.so
              session optional pam_sss.so
              session optional pam_mount.so
              session optional pam_systemd.so
              session optional pam_mkhomedir.so





              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!



                Have you tried sssd? I'm doing this without winbind.



                /etc/sssd/sssd.conf



                [sssd]
                services = nss, pam
                config_file_version = 2
                domains = MBA.AC.UK

                [domain/MBA.AC.UK]
                id_provider = ad
                access_provider = ad

                override_homedir = /home/%d/%u
                default_shell = /bin/bash


                /etc/krb5.conf didn't require anything other than the Default realm specified in



                sudo dpkg-reconfigure krb5-config


                smb.conf is unchanged (I mount user shares via libpam_mount--which, however, I can tell you up front will screw with lightdm. Perhaps pam / ad issue with lightdm would help with that.)



                I don't think I modified any of the /etc/pam.d/ files beyond the auto-configuration when sssd was installed.



                /etc/pam.d/common-account



                account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
                account requisite pam_deny.so
                account required pam_permit.so
                account sufficient pam_localuser.so
                account [default=bad success=ok user_unknown=ignore] pam_sss.so


                /etc/pam.d/common-auth



                auth    [success=2 default=ignore]      pam_unix.so nullok_secure
                auth [success=1 default=ignore] pam_sss.so use_first_pass
                auth requisite pam_deny.so
                auth required pam_permit.so
                auth optional pam_mount.so
                auth optional pam_cap.so


                /etc/pam.d/common-session



                session [default=1]                     pam_permit.so
                session requisite pam_deny.so
                session required pam_permit.so
                session optional pam_umask.so
                session required pam_unix.so
                session optional pam_sss.so
                session optional pam_mount.so
                session optional pam_systemd.so
                session optional pam_mkhomedir.so





                share|improve this answer












                I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!



                Have you tried sssd? I'm doing this without winbind.



                /etc/sssd/sssd.conf



                [sssd]
                services = nss, pam
                config_file_version = 2
                domains = MBA.AC.UK

                [domain/MBA.AC.UK]
                id_provider = ad
                access_provider = ad

                override_homedir = /home/%d/%u
                default_shell = /bin/bash


                /etc/krb5.conf didn't require anything other than the Default realm specified in



                sudo dpkg-reconfigure krb5-config


                smb.conf is unchanged (I mount user shares via libpam_mount--which, however, I can tell you up front will screw with lightdm. Perhaps pam / ad issue with lightdm would help with that.)



                I don't think I modified any of the /etc/pam.d/ files beyond the auto-configuration when sssd was installed.



                /etc/pam.d/common-account



                account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
                account requisite pam_deny.so
                account required pam_permit.so
                account sufficient pam_localuser.so
                account [default=bad success=ok user_unknown=ignore] pam_sss.so


                /etc/pam.d/common-auth



                auth    [success=2 default=ignore]      pam_unix.so nullok_secure
                auth [success=1 default=ignore] pam_sss.so use_first_pass
                auth requisite pam_deny.so
                auth required pam_permit.so
                auth optional pam_mount.so
                auth optional pam_cap.so


                /etc/pam.d/common-session



                session [default=1]                     pam_permit.so
                session requisite pam_deny.so
                session required pam_permit.so
                session optional pam_umask.so
                session required pam_unix.so
                session optional pam_sss.so
                session optional pam_mount.so
                session optional pam_systemd.so
                session optional pam_mkhomedir.so






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 27 at 12:19









                Auspex

                363210




                363210






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f733083%2fconnect-with-an-ad-user-to-a-ubuntu-machine%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    數位音樂下載

                    When can things happen in Etherscan, such as the picture below?

                    格利澤436b