Cfxtrjtrk

I try to log on under a ubuntu machine with an AD user via the GUI lightdm , but access is denied with "invalid password , please try again "

My machine has been added in the AD : net ads join -U administrator, I visualize the users and groups with wbinfo -u and wbinfo -g

Furthermore,i visualize the user from AC

  id jn

   uid=10019(jn) gid=10002(utilisateurs du domaine) ....                 

cat /etc/samba/smb.conf

[global]

workgroup = AAA

realm = AAA.LOCAL

netbios name = ubuntu

security = ads

encrypt passwords = yes

password server = XXX.XXX.XXX

idmap uid = 10000-20000

idmap gid = 10000-20000 

winbind enum groups = yes

winbind enum users = yes

winbind use default domain = yes

template homedir = /data/commun

cat /etc/krb5.conf

[libdefaults]

default_realm = AAA.LOCAL

dns_lookup_realm = false

dns_lookup_kdc = true

ticker_lifetile = 24h

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5

default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5

permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc-md5



krb4_config = /etc/krb.conf

krb4_realms = /etc/krb.realms

kdc_timesync = 1

ccache_type = 4

forwardable = true

proxiable = true



[realms]

PA8.LOCAL = {

kdc = XXX.XXX.XXX

admin_server = XXX.XXX.XXX

default_domain = AAA.LOCAL

 }



 [domain_realm]

.XXX.local = XXX.LOCAL

 XXX.local = XXX.LOCAL   

cat /etc/pam.d/common-account

account sufficient      pam_winbind.so

account sufficient      pam_unix.so

cat /etc/pam.d/common-auth

auth sufficient pam_winbind.so

auth sufficient pam_unix.so nullok_secure use_first_pass

auth required pam_deny.so

cat /etc/pam.d/common-session

session required pam_unix.so

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

So, i don't know where is the the problem, why i can't to connect a user from AD in ubuntu's machine

Thank you for you help.

I know this is an old question. But it seems better to provide an answer to an old question than ask one myself just to answer it with what I finally got working!

Have you tried sssd? I'm doing this without winbind.

/etc/sssd/sssd.conf

[sssd]

services = nss, pam

config_file_version = 2

domains = MBA.AC.UK



[domain/MBA.AC.UK]

id_provider = ad

access_provider = ad



override_homedir = /home/%d/%u

default_shell = /bin/bash

/etc/krb5.conf didn't require anything other than the Default realm specified in

sudo dpkg-reconfigure krb5-config

smb.conf is unchanged (I mount user shares via libpam_mount--which, however, I can tell you up front will screw with lightdm. Perhaps pam / ad issue with lightdm would help with that.)

I don't think I modified any of the /etc/pam.d/ files beyond the auto-configuration when sssd was installed.

/etc/pam.d/common-account

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 

account requisite                       pam_deny.so

account required                        pam_permit.so

account sufficient                      pam_localuser.so 

account [default=bad success=ok user_unknown=ignore]    pam_sss.so

/etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok_secure

auth    [success=1 default=ignore]      pam_sss.so use_first_pass

auth    requisite                       pam_deny.so

auth    required                        pam_permit.so

auth    optional        pam_mount.so 

auth    optional                        pam_cap.so 

/etc/pam.d/common-session

session [default=1]                     pam_permit.so

session requisite                       pam_deny.so

session required                        pam_permit.so

session optional                        pam_umask.so

session required        pam_unix.so 

session optional                        pam_sss.so 

session optional        pam_mount.so 

session optional        pam_systemd.so 

session optional                        pam_mkhomedir.so