SLED/GDM does not show the menu to log in on AD Domain



sharfuddin
22-May-2014, 18:21
sled11 SP3 + online updates.

Via YaST, this SLED 11 SP3 box joins the MS Active Directory domain without any issue, but it does not provide the option to log in to the MS AD domain, i.e. GNOME/GDM does not show the DOMAIN menu.

Also, in the same environment we had previously joined several other SP2/SP3 boxes, and GNOME always provided the option to log in on the domain, but these SLED boxes (GNOME/GDM) do not.

Here is /etc/krb5.conf:


[libdefaults]
    default_realm = MS-AD-DOMAIN.COM
    clockskew = 300

[domain_realm]
    .ms-ad-domain.com = MS-AD-DOMAIN.COM

[realms]
    MS-AD-DOMAIN.COM = {
        kdc = dc1.ms-ad-domain.com
        default_domain = ms-ad-domain.com
        admin_server = dc1.ms-ad-domain.com
    }

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }


And /etc/samba/smb.conf:


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2013-05-28
[global]
    workgroup = MS-AD-DOMAIN
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    realm = MS-AD-DOMAIN.COM
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind offline logon = yes
    kerberos method = secrets and keytab
    winbind refresh tickets = yes

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775


Please help ASAP.

mikewillis
22-May-2014, 21:10
i.e GNOME/GDM does not show DOMAIN menu.


When you say 'DOMAIN menu' I think you mean the thing I've crudely circled in red as shown at http://paste.opensuse.org/83788460

Is that what you mean and you're saying it's not there? In my experience that's there all the time regardless of whether the machine is joined to a Domain or not.

You say you have other SLED machines in the same environment that are working as expected. The obvious place to start seems to be to compare the configuration of a machine which doesn't work how you want with one that does. There is presumably a difference somewhere.

On a tangential note, it sounds like you might be trying to set up a bunch of machines to work identically but you're configuring each machine manually (you say 'via YaST'). Is that the case?

sharfuddin
26-May-2014, 05:50
Sorry, I misguided you. SLED shows the DOMAIN menu, but that menu does not contain MS-AD-DOMAIN to log on to.



You say you have other SLED machines in the same environment that are working as expected. The obvious place to start seems to be to compare the configuration of a machine which doesn't work how you want with one that does. There is presumably a difference somewhere.

Yes, I copied /var/lib/samba/krb5.MS-AD-DOMAIN from those machines that show MS-AD-DOMAIN in the DOMAIN menu, then restarted the SLED box, and then got MS-AD-DOMAIN in the DOMAIN list. But now I am getting the "User not known to underlying authentication module" error when trying to log on to MS-AD-DOMAIN.



On a tangential note, it sounds like you might be trying to set up a bunch of machines to work identically but you're configuring each machine manually (you say 'via YaST'). Is that the case?
Yes.

mikewillis
27-May-2014, 08:40
Well, it's a long time since I connected a machine to an Active Directory Domain and I am not currently in a position to try it, but check /etc/nsswitch.conf and the PAM configuration in /etc/pam.d/ on a machine which works vs. one which doesn't.



You may want to look at automating the installation and configuration of machines using AutoYaST and/or using something like Puppet to manage configuration on deployed machines. Or even just scripting the desired configuration. Failing that, you should at least have very clear documentation that tells people how to configure machines manually.
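As an added illustration of the check suggested in the last reply (this is not code from the thread or from SUSE), the POSIX shell script below compares a working and a broken copy of /etc/nsswitch.conf and /etc/pam.d/common-auth and reports which winbind piece is missing; the sample files are constructed, and the file names and the pam_unix2.so module assume the SLE 11 layout.

```shell
# Added example, not code from the thread or from SUSE: check the two places
# mikewillis names, /etc/nsswitch.conf and /etc/pam.d/, for what an AD logon
# needs. "User not known to underlying authentication module" is PAM's
# PAM_USER_UNKNOWN text; it usually means NSS cannot resolve the AD user
# (winbind absent from passwd/group) or pam_winbind is not in the auth stack.
# Sample trees are constructed; the file layout assumes SLE 11.

# make_samples BASE: write a working ("good") and a broken ("bad") copy of the files.
make_samples() {
    mkdir -p "$1/good/pam.d" "$1/bad/pam.d"
    printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts:  files dns\n' \
        > "$1/good/nsswitch.conf"
    printf 'passwd: compat\ngroup:  compat\nhosts:  files dns\n' > "$1/bad/nsswitch.conf"
    printf 'auth required   pam_env.so\nauth sufficient pam_unix2.so\nauth required   pam_winbind.so use_first_pass\n' \
        > "$1/good/pam.d/common-auth"
    printf 'auth required   pam_env.so\nauth required   pam_unix2.so\n#auth required  pam_winbind.so use_first_pass\n' \
        > "$1/bad/pam.d/common-auth"
}

# nss_has_winbind ETC: true when both the passwd and group lines name winbind
nss_has_winbind() {
    grep -E '^passwd:' "$1/nsswitch.conf" | grep -qw winbind &&
    grep -E '^group:'  "$1/nsswitch.conf" | grep -qw winbind
}

# pam_has_winbind ETC: true when pam_winbind.so is on an uncommented line
pam_has_winbind() {
    grep -Ev '^[[:space:]]*#' "$1/pam.d/common-auth" | grep -qw pam_winbind.so
}

# ad_login_ready ETC: report each missing piece; succeed only when both are present
ad_login_ready() {
    rc=0
    nss_has_winbind "$1" || { echo "$1: winbind missing from passwd/group in nsswitch.conf"; rc=1; }
    pam_has_winbind "$1" || { echo "$1: pam_winbind.so not active in pam.d/common-auth"; rc=1; }
    return $rc
}

# diff_ad_config GOOD BAD: the comparison mikewillis suggests, over copied /etc trees
diff_ad_config() {
    for rel in nsswitch.conf pam.d/common-auth; do
        diff -u "$1/$rel" "$2/$rel" || true
    done
}

TMP=$(mktemp -d); make_samples "$TMP"
ad_login_ready "$TMP/good" && echo "$TMP/good: AD users should resolve and authenticate"
ad_login_ready "$TMP/bad" || echo "$TMP/bad: fix the above before retrying the AD logon"
diff_ad_config "$TMP/good" "$TMP/bad"
rm -rf "$TMP"
```

On a real box, point the functions at /etc of the working and the failing machine (for example copies pulled with scp) instead of the constructed trees.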