Connect with an AD user to a ubuntu Machine
I am trying to log on to an Ubuntu machine as an AD user through the lightdm GUI, but access is denied with "invalid password , please try again "
The machine has been joined to the AD with `net ads join -U administrator`, and I can list the users and groups with `wbinfo -u` and `wbinfo -g`.
Furthermore, I can see the AD user on the machine:
id jn
uid=10019(jn) gid=10002(utilisateurs du domaine) ....
cat /etc/samba/smb.conf
# Samba/winbind domain-member settings as posted in the question.
# smb.conf comments must sit on their own line; text after a value is read as part of the value.
[global]
workgroup = AAA
# NOTE(review): the realm is AAA.LOCAL here, while the krb5.conf posted with it keys its
# [realms] stanza on PA8.LOCAL and maps [domain_realm] to XXX.LOCAL. Probably uneven
# redaction, but confirm that all three name the same realm on the real machine.
realm = AAA.LOCAL
netbios name = ubuntu
# Domain-member mode: authentication is delegated to the AD domain controllers.
security = ads
encrypt passwords = yes
password server = XXX.XXX.XXX
# Local uid/gid range handed to domain accounts; the `id jn` output above (uid=10019,
# gid=10002) falls inside it.
# NOTE(review): `idmap uid` / `idmap gid` are the legacy spelling; newer Samba documents
# `idmap config * : range` instead. Verify against the installed version.
idmap uid = 10000-20000
idmap gid = 10000-20000
# Lets getent/wbinfo enumerate every domain account. Not needed for login and
# presumably costly on a large domain.
winbind enum groups = yes
winbind enum users = yes
# Domain users are addressed without a DOMAIN\ prefix (hence `id jn` rather than `id AAA\jn`).
winbind use default domain = yes
# NOTE(review): no %U or %D in the path, so every domain user is given the same home
# directory. Files, shell history and SSH keys would then be shared between accounts.
# NOTE(review): no `template shell` is set; Samba's documented default is /bin/false.
# Check the shell field of `getent passwd jn` before debugging PAM further.
template homedir = /data/commun
cat /etc/krb5.conf
# Kerberos client configuration as posted in the question.
[libdefaults]
default_realm = AAA.LOCAL
dns_lookup_realm = false
# KDCs are located through DNS SRV records when no matching [realms] entry supplies one.
dns_lookup_kdc = true
# NOTE(review): `ticker_lifetile` looks like a misspelling of `ticket_lifetime`. An
# unrecognised key is presumably ignored, so the 24h value likely never takes effect.
# Confirm with `klist` after a `kinit`.
ticker_lifetile = 24h
# NOTE(review): rc4-hmac and the single-DES types are legacy enctypes. Listing them keeps
# weak ciphers negotiable, and recent Kerberos libraries may reject DES outright. Where
# the domain controllers support AES, prefer AES-only lists or the library defaults.
# NOTE(review): `des-cbc-crc-md5` on the permitted_enctypes line does not look like a
# valid enctype name (des-cbc-crc and des-cbc-md5 are separate types). Verify.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5
# Kerberos 4 compatibility settings; presumably leftovers from an old template.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
# Tickets are requested forwardable and proxiable by default. Keep these only if
# delegation to other hosts is actually needed.
forwardable = true
proxiable = true
[realms]
# NOTE(review): this stanza is keyed PA8.LOCAL, but default_realm is AAA.LOCAL. If that is
# how the real file reads, the kdc/admin_server entries do not apply to the default realm
# and KDC discovery falls back to DNS.
PA8.LOCAL = {
kdc = XXX.XXX.XXX
admin_server = XXX.XXX.XXX
default_domain = AAA.LOCAL
}
[domain_realm]
# Host/domain suffix to realm mapping. The right-hand side should be the same realm as
# default_realm; XXX.LOCAL here is presumably a redaction.
.XXX.local = XXX.LOCAL
XXX.local = XXX.LOCAL
cat /etc/pam.d/common-account
# Account (authorisation) stack as posted in the question.
# Both modules are `sufficient`: the first one that succeeds ends the stack, and no
# `required` module follows.
# NOTE(review): a user accepted by pam_winbind never reaches the pam_unix account checks.
# The result when neither module succeeds depends on libpam with no explicit
# pam_deny/pam_permit terminator; verify.
account sufficient pam_winbind.so
account sufficient pam_unix.so
cat /etc/pam.d/common-auth
# Authentication stack as posted in the question.
# pam_winbind is tried first and ends the stack on success. It is given no options here;
# adding its `debug` option and reading the auth log should show why the AD password is
# rejected.
auth sufficient pam_winbind.so
# use_first_pass: pam_unix reuses the password already typed for pam_winbind rather than
# prompting again.
# nullok_secure (Debian/Ubuntu): local accounts with an empty password may log in, but
# only on terminals listed in /etc/securetty. Drop it if no such account is intended.
auth sufficient pam_unix.so nullok_secure use_first_pass
# Reached only when neither module above succeeded: always fails the login.
auth required pam_deny.so
cat /etc/pam.d/common-session
# Session stack as posted in the question.
session required pam_unix.so
# Creates the home directory at first login from /etc/skel.
# NOTE(review): umask=0022 yields a world-readable home (mode 0755); umask=0077 keeps it
# private. With the shared `template homedir` from the smb.conf above, the directory is
# created once and then reused by every domain user.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
So I don't know where the problem is, or why I can't log in as an AD user on the Ubuntu machine.
Thank you for your help.
samba pam active-directory kerberos
I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "
My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g
Furthermore,i visualize the user from AC
id jn
uid=10019(jn) gid=10002(utilisateurs du domaine) ....
cat /etc/samba/smb.conf
[global]
workgroup = AAA
realm = AAA.LOCAL
netbios name = ubuntu
security = ads
encrypt passwords = yes
password server = XXX.XXX.XXX
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template homedir = /data/commun
cat /etc/krb5.conf
[libdefaults]
default_realm = AAA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticker_lifetile = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
PA8.LOCAL = {
kdc = XXX.XXX.XXX
admin_server = XXX.XXX.XXX
default_domain = AAA.LOCAL
}
[domain_realm]
.XXX.local = XXX.LOCAL
XXX.local = XXX.LOCAL
cat /etc/pam.d/common-account
account sufficient pam_winbind.so
account sufficient pam_unix.so
cat /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
cat /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine
Thank you for you help.
samba pam active-directory kerberos
I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "
My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g
Furthermore,i visualize the user from AC
id jn
uid=10019(jn) gid=10002(utilisateurs du domaine) ....
cat /etc/samba/smb.conf
[global]
workgroup = AAA
realm = AAA.LOCAL
netbios name = ubuntu
security = ads
encrypt passwords = yes
password server = XXX.XXX.XXX
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template homedir = /data/commun
cat /etc/krb5.conf
[libdefaults]
default_realm = AAA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticker_lifetile = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
PA8.LOCAL = {
kdc = XXX.XXX.XXX
admin_server = XXX.XXX.XXX
default_domain = AAA.LOCAL
}
[domain_realm]
.XXX.local = XXX.LOCAL
XXX.local = XXX.LOCAL
cat /etc/pam.d/common-account
account sufficient pam_winbind.so
account sufficient pam_unix.so
cat /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
cat /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine
Thank you for you help.
samba pam active-directory kerberos
I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "
My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g
Furthermore,i visualize the user from AC
id jn
uid=10019(jn) gid=10002(utilisateurs du domaine) ....
cat /etc/samba/smb.conf
[global]
workgroup = AAA
realm = AAA.LOCAL
netbios name = ubuntu
security = ads
encrypt passwords = yes
password server = XXX.XXX.XXX
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
template homedir = /data/commun
cat /etc/krb5.conf
[libdefaults]
default_realm = AAA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticker_lifetile = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
PA8.LOCAL = {
kdc = XXX.XXX.XXX
admin_server = XXX.XXX.XXX
default_domain = AAA.LOCAL
}
[domain_realm]
.XXX.local = XXX.LOCAL
XXX.local = XXX.LOCAL
cat /etc/pam.d/common-account
account sufficient pam_winbind.so
account sufficient pam_unix.so
cat /etc/pam.d/common-auth
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
cat /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine
Thank you for you help.
samba pam active-directory kerberos
samba pam active-directory kerberos
asked Feb 13 '16 at 9:44
mamaka
61
61
1 Answer
I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!
Have you tried `sssd`? I'm doing this without `winbind`.
/etc/sssd/sssd.conf
# SSSD configuration from the answer (replaces winbind for identity and authentication).
# NOTE(review): SSSD has traditionally refused to start unless this file is owned by root
# with mode 0600. Check ownership and permissions after creating it.
[sssd]
# Responders to start: nss serves user/group lookups, pam serves authentication.
services = nss, pam
config_file_version = 2
# Must match the name of the [domain/...] section below.
domains = MBA.AC.UK
[domain/MBA.AC.UK]
# Identities come from Active Directory.
id_provider = ad
# NOTE(review): as far as visible here, access is not limited to particular users or
# groups, so presumably any valid, non-expired domain account may log in. Restrict with
# `ad_access_filter`, or `access_provider = simple` plus `simple_allow_groups`, if only
# some users should.
access_provider = ad
# %d expands to the domain name and %u to the login name: one private home per user.
override_homedir = /home/%d/%u
default_shell = /bin/bash
`/etc/krb5.conf` didn't require anything other than the default realm specified in `sudo dpkg-reconfigure krb5-config`.
`smb.conf` is unchanged (I mount user shares via `libpam_mount` -- which, however, I can tell you up front will screw with `lightdm`. Perhaps "pam / ad issue with lightdm" would help with that.)
I don't think I modified any of the `/etc/pam.d/` files beyond the auto-configuration done when `sssd` was installed.
/etc/pam.d/common-account
# Account stack from the answer (as generated when sssd was installed, per the author).
# success=1: when pam_unix accepts the account, skip the next line (pam_deny).
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# Reached only when pam_unix did not succeed: fail immediately.
account requisite pam_deny.so
# Primes the stack with a positive result so the later modules have something to build on.
account required pam_permit.so
# Local users stop here with success, so pam_sss is never consulted for them.
account sufficient pam_localuser.so
# Domain users: SSSD decides (this is where access_provider from sssd.conf applies).
# user_unknown=ignore keeps accounts SSSD does not know from failing the stack.
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth
# Authentication stack from the answer.
# success=2: a correct local password skips the next two lines (pam_sss, pam_deny).
# nullok_secure (Debian/Ubuntu): local accounts with an empty password may log in only on
# terminals listed in /etc/securetty.
auth [success=2 default=ignore] pam_unix.so nullok_secure
# success=1: a correct domain password skips pam_deny. use_first_pass reuses the password
# already typed for pam_unix instead of prompting again.
auth [success=1 default=ignore] pam_sss.so use_first_pass
# Reached only when neither module above succeeded: fail immediately.
auth requisite pam_deny.so
# Landing point of both jumps; records a positive result.
auth required pam_permit.so
# Optional extras: their failure does not fail the login.
auth optional pam_mount.so
auth optional pam_cap.so
/etc/pam.d/common-session
# Session stack from the answer.
# default=1: whatever pam_permit returns, skip the next line (pam_deny).
session [default=1] pam_permit.so
session requisite pam_deny.so
# Primes the stack with a positive result.
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
# Creates the home directory at first login. `optional` means a failure here does not
# block the login.
# NOTE(review): no umask= argument is given, so the module default applies, presumably
# 0022 (world-readable homes). Add umask=0077 if homes should be private.
session optional pam_mkhomedir.so
I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!
Have you tried sssd
? I'm doing this without winbind
.
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = MBA.AC.UK
[domain/MBA.AC.UK]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
/etc/krb5.conf didn't require anything other than the Default realm specified in
sudo dpkg-reconfigure krb5-config
smb.conf is unchanged (I mount user shares via libpam_mount
--which, however, I can tell you up front will screw with lightdm
. Perhaps pam / ad issue with lightdm would help with that.)
I don't think I modified any of the /etc/pam.d/
files beyond the auto-configuration when sssd
was installed.
/etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!
Have you tried sssd
? I'm doing this without winbind
.
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = MBA.AC.UK
[domain/MBA.AC.UK]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
/etc/krb5.conf didn't require anything other than the Default realm specified in
sudo dpkg-reconfigure krb5-config
smb.conf is unchanged (I mount user shares via libpam_mount
--which, however, I can tell you up front will screw with lightdm
. Perhaps pam / ad issue with lightdm would help with that.)
I don't think I modified any of the /etc/pam.d/
files beyond the auto-configuration when sssd
was installed.
/etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!
Have you tried sssd
? I'm doing this without winbind
.
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = MBA.AC.UK
[domain/MBA.AC.UK]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
/etc/krb5.conf didn't require anything other than the Default realm specified in
sudo dpkg-reconfigure krb5-config
smb.conf is unchanged (I mount user shares via libpam_mount
--which, however, I can tell you up front will screw with lightdm
. Perhaps pam / ad issue with lightdm would help with that.)
I don't think I modified any of the /etc/pam.d/
files beyond the auto-configuration when sssd
was installed.
/etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!
Have you tried sssd
? I'm doing this without winbind
.
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = MBA.AC.UK
[domain/MBA.AC.UK]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
default_shell = /bin/bash
/etc/krb5.conf didn't require anything other than the Default realm specified in
sudo dpkg-reconfigure krb5-config
smb.conf is unchanged (I mount user shares via libpam_mount
--which, however, I can tell you up front will screw with lightdm
. Perhaps pam / ad issue with lightdm would help with that.)
I don't think I modified any of the /etc/pam.d/
files beyond the auto-configuration when sssd
was installed.
/etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
auth optional pam_cap.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_mkhomedir.so
answered Nov 27 at 12:19
Auspex
363210
363210