I did a fresh install of Debian with the desktop. I know from Ubuntu that the network is handled differently in the desktop and the server versions. So, I am assuming it is a similar situation with Debian. I could be wrong but . . .

When kerberos installs via the script it (the script) suggests accepting the 'defaults on the next three screens.' The first screen included the correct default entry but the second and third are blank and as instructed I accepted the 'blank' entries.

I do not know if that has anything to do with my issue but, I thought I would point it out.

When I test, samba is running and DNS tests properly.

When I 'net ads join -U Administrator@MYDOMAINNAME.LAN' the entry requests my Administrator password. When entered, the cursor shifts to the next line and blinks. No connection.

What do you need to know?

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [2]

"Everyone deserves an award!!"

On 2015-01-04 12:14, Rowland Penny wrote:

> On 04/01/15 18:02, Bob of Donelson Trophy wrote:
>
>> I have seen mentioned in other posts that when joining a DC with your linux client there is a way to do it and NOT use Powerbroker Open (new name for Likewise-Open). Where do I find this procedure?
>
> OK, it is basically here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server [1]
>
> When you stop to think about it, what is a linux client? It is a member server without shares :-)
>
> It is very easy:
>
> Install samba and stop any samba services that start.
>
> edit /etc/samba/smb.conf
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : range = 10000-999999
> idmap config EXAMPLE:schema_mode = rfc2307
> printcap name = cups
> cups options = raw
> usershare allow guests = yes
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> username map = /etc/samba/smbmap
>
> create /etc/samba/smbmap
>
> !root = EXAMPLE\Administrator Administrator administrator
>
> edit /etc/krb5.conf
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> make sure that /etc/resolv.conf points to the AD DC, and dns is set up correctly.
>
> Then run this command:
>
> net ads join -U Administrator@EXAMPLE.COM
>
> Enter Administrator's password when requested.
>
> edit /etc/nsswitch.conf
>
> add 'winbind' to passwd & group lines
>
> start samba services
>
> Rowland

Links:
------
[1] https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
[2] http://www.donelsontrophy.com
On 05/01/15 01:37, Bob of Donelson Trophy wrote:
>
> I did a fresh install of Debian with the desktop. I know from Ubuntu that the network is handled differently in the desktop and the server versions. So, I am assuming it is a similar situation with Debian. I could be wrong but . . .
>
> When kerberos installs via the script it (the script) suggests accepting the 'defaults on the next three screens.' The first screen included the correct default entry but the second and third are blank and as instructed I accepted the 'blank' entries.

Yes, that is what happens, you need to set /etc/krb5.conf to this:

[libdefaults]
default_realm = MYDOMAINNAME.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

Rowland
My shop is 10 minutes from my house. House and shop are connected by vpn (between two IpFire firewalls.) I do a lot of configuring and testing from home. Due to a Windows wake-on-lan issue (right now) I cannot wake the lone DC W7 client from home. When I get to work this morning, W7 client (thru ADUC) shows 'dtclient01' is connected to DC. Further testing (wbinfo, testjoin, etc.) shows 'dtclient01' is connected to DC.

So, it's connected. More info as I collect it but, for now, I am connected.

So, now the question becomes how to connect shares to 'dtclient01'?

(Maybe this needs to become a new thread?)

---

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"

On 2015-01-05 07:16, Rowland Penny wrote:

> On 05/01/15 12:57, Bob of Donelson Trophy wrote:
>
>> This is my current krb5.conf file:
>>
>> root@dtclient01:~# cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = DTSHRM.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> This is my current /etc/resolv.conf file. As I read, this should be "pointing" to my DC (192.168.16.54 in my case.) Is this correct? (The same thing a windows client requires, looking to the DC to resolve its name?)
>>
>> root@dtclient01:~# cat /etc/resolv.conf
>> # Generated by NetworkManager
>> search dtshrm.lan
>> nameserver 192.168.16.54
>>
>> I might be saying this poorly so, I hope you get the idea. Thanks.
>
> Hmm, everything looks OK, is samba running? If so stop it.
> Does /etc/krb5.keytab exist? If so delete it.
> Is the firewall running? If so, try stopping it temporarily.
> Is Apparmor or Selinux running? If so, disable it temporarily.
>
> Rowland

Links:
------
[1] http://www.donelsontrophy.com
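The two things that bit Bob above (a krb5.conf whose default_realm the Debian installer left blank, and an smb.conf whose realm and idmap settings have to agree with it) can be checked before running net ads join. The following is an added example written for this thread, not code from the Samba project or from either participant; the smb.conf and krb5.conf fragments are constructed from the values in Rowland's instructions, and parse_ini, idmap_range and check_member_config are hypothetical helper names.

```python
import re

# Constructed sample files modelled on Rowland's instructions (EXAMPLE / EXAMPLE.COM).
SMB_CONF = """[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
idmap config * : range = 2000-9999
idmap config EXAMPLE : range = 10000-999999
"""
KRB5_OK = "[libdefaults]\ndefault_realm = EXAMPLE.COM\ndns_lookup_kdc = true\n"
# What the Debian installer leaves behind when the blank defaults are accepted.
KRB5_BLANK = "[libdefaults]\ndefault_realm = \ndns_lookup_kdc = true\n"

def parse_ini(text):
    """Samba/krb5 ini -> {section: {key: value}}; keys lower-cased, spacing normalised."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            k, v = line.split("=", 1)
            # 'idmap config EXAMPLE:range' and 'idmap config EXAMPLE : range' become one key
            cur[re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", k.strip().lower()))] = v.strip()
    return sections

def idmap_range(g, domain):
    """(low, high) from 'idmap config <domain> : range', or None if it is absent."""
    r = g.get(f"idmap config {domain.lower()} : range")
    return tuple(int(x) for x in r.split("-")) if r else None

def check_member_config(smb_conf, krb5_conf):
    """List the problems that make 'net ads join' hang or fail on a fresh member."""
    g, lib = parse_ini(smb_conf).get("global", {}), parse_ini(krb5_conf).get("libdefaults", {})
    realm, problems = g.get("realm", ""), []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS for a domain member")
    if not realm or realm != realm.upper():
        problems.append("realm must be the upper-case Kerberos realm")
    if not lib.get("default_realm"):
        problems.append("krb5.conf default_realm is blank (installer default)")
    elif lib["default_realm"] != realm:
        problems.append("krb5.conf default_realm differs from smb.conf realm")
    star, dom = idmap_range(g, "*"), idmap_range(g, g.get("workgroup", ""))
    if not star or not dom:
        problems.append("idmap config range missing for * or the workgroup")
    elif star[0] <= dom[1] and dom[0] <= star[1]:
        problems.append("idmap ranges for * and the domain overlap")
    return problems
```

Run it against the real files with open('/etc/samba/smb.conf').read() and open('/etc/krb5.conf').read() before the join; an empty list means the three files agree.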
On 05/01/15 14:04, Bob of Donelson Trophy wrote:
>
> So, it's connected. More info as I collect it but, for now, I am connected.
>
> So, now the question becomes how to connect shares to 'dtclient01'?
>
> (Maybe this needs to become a new thread?)

Hi, there appears to be a wiki page for that :-)

https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD

Rowland