Comments on: Linux-AD Integration with Windows Server 2008 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: Joe http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-52336 Joe Thu, 22 Dec 2011 22:03:17 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-52336 Thank you for this page Scott. I am so close to getting this working... kinit works, ldapsearch -x works, and if I create a local user with a username that corresponds to an AD user, I can login using the AD password. But no matter what iteration of config files I use, I cannot seem to get the machine to allow AD users to log in without having a corresponding local account. I have asked this question on a number of forums, but no one has yet been able to assist me with this. I know that you aren't working on this stuff anymore Scott. My hope is that someone reading this page will have had the same issue and be able to respond. Thank you for this page Scott. I am so close to getting this working… kinit works, ldapsearch -x works, and if I create a local user with a username that corresponds to an AD user, I can login using the AD password. But no matter what iteration of config files I use, I cannot seem to get the machine to allow AD users to log in without having a corresponding local account.

I have asked this question on a number of forums, but no one has yet been able to assist me with this. I know that you aren’t working on this stuff anymore Scott. My hope is that someone reading this page will have had the same issue and be able to respond.

]]> By: slowe http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-52010 slowe Sat, 12 Nov 2011 13:09:22 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-52010 Mc.SIM, I wish I could help but as I've mentioned to numerous others I haven't touched this stuff in about three years or so. I leave the comments open here just in case other readers are able to respond and assist. Good luck! Mc.SIM, I wish I could help but as I’ve mentioned to numerous others I haven’t touched this stuff in about three years or so. I leave the comments open here just in case other readers are able to respond and assist. Good luck!

]]> By: Mc.SIM http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-52005 Mc.SIM Fri, 11 Nov 2011 08:02:33 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-52005 after inserting in to file krb5.conf [libdefaults] ... default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac .... krb-ticket obtained: ARCHIV ~ # kinit -k -t /etc/krb5.keytab nfs/archiv.sag.local ARCHIV ~ # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: nfs/archiv.sag.local@SAG.LOCAL Valid starting Expires Service principal 11/11/11 11:48:25 11/11/11 21:48:30 krbtgt/SAG.LOCAL@SAG.LOCAL renew until 11/12/11 11:48:25 team getting keytab as follows: C:\Windows\system32>ktpass.exe /princ nfs/archiv.sag.local@SAG.LOCAL /mapuser SAG\nfs /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass 25121984 /out C:\tmp\archivkeytab Targeting domain controller: DC.sag.local Using legacy password setting method Successfully mapped nfs/archiv.sag.local to nfs. Key created. Key created. Key created. Key created. Key created. Output keytab to C:\tmp\archivkeytab: Keytab version: 0x502 keysize 57 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x153ea1290da8dc15) keysize 57 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x153ea1290da8dc15) keysize 65 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xff178150b60703459ae8cc430c5110cf) keysize 81 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x7773839c803615d65375c23cf10b54dde94bcf2d8e1 70045e9b2ce30898f3650) keysize 65 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0xe1389b7c72ce329d388ad32468c46f43) after inserting in to file krb5.conf
[libdefaults]

default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
….
krb-ticket obtained:
ARCHIV ~ # kinit -k -t /etc/krb5.keytab nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting Expires Service principal
11/11/11 11:48:25 11/11/11 21:48:30 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/12/11 11:48:25

team getting keytab as follows:

C:\Windows\system32>ktpass.exe /princ nfs/archiv.sag.local@SAG.LOCAL /mapuser SAG\nfs /crypto ALL /ptype KRB5_NT_PRINCIPAL /pass 25121984 /out C:\tmp\archivkeytab
Targeting domain controller: DC.sag.local
Using legacy password setting method
Successfully mapped nfs/archiv.sag.local to nfs.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to C:\tmp\archivkeytab:
Keytab version: 0×502 keysize 57 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0×1 (DES-CBC-CRC) keylength 8 (0x153ea1290da8dc15)
keysize 57 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0×3 (DES-CBC-MD5) keylength 8 (0x153ea1290da8dc15)
keysize 65 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0×17 (RC4-HMAC) keylength 16 (0xff178150b60703459ae8cc430c5110cf)
keysize 81 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0×12 (AES256-SHA1) keylength 32 (0x7773839c803615d65375c23cf10b54dde94bcf2d8e1
70045e9b2ce30898f3650)
keysize 65 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0×11 (AES128-SHA1) keylength 16 (0xe1389b7c72ce329d388ad32468c46f43)

]]> By: Mc.SIM http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-52000 Mc.SIM Thu, 10 Nov 2011 15:36:57 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-52000 Hello, Scott! I'm tired of fighting with Krebros))) I can not connect the Deb and AD on Win 2k8 R2 SP1 and get correct the keytab for NFS service. I would be very grateful for your help! I keep getting an error: root @ ubuntu: ~ # kinit-k-t /etc/krb5.keytab nfs/ubuntu.sag.local kinit: Key table entry not found while getting initial credentials keytab was created like this: C:\Windows\system32>ktpass.exe -princ nfs/ubuntu.sag.local@SAG.LOCAL -mapuser ubuntu -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass *** -out C:\tmp\ubunutukeytab Targeting domain controller: DC.sag.local Using legacy password setting method Successfully mapped nfs/ubuntu.sag.local to ubuntu. Key created. Output keytab to C:\tmp\ubunutukeytab: Keytab version: 0x502 keysize 65 nfs/ubuntu.sag.local@SAG.LOCAL ptype 1 KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xff178150b60703459ae8cc430c5110cf) "crypto" tried to specify ALL, but the result is negative. config krb5.conf: root@ubuntu:~# cat /etc/krb5.conf [libdefaults] default_realm = SAG.LOCAL allow_weak_crypto=false v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] SAG.LOCAL = { kdc = dc.sag.local admin_server = dc.sag.local default_domain = sag.local } [domain_realm] .sag.local = SAG.LOCAL sag.local = SAG.LOCAL [login] krb4_convert = true krb4_get_tickets = false Very very thank you if you help me! PS: sorry for my english Hello, Scott!
I’m tired of fighting with Krebros)))
I can not connect the Deb and AD on Win 2k8 R2 SP1 and get correct the keytab for NFS service.
I would be very grateful for your help!
I keep getting an error:

root @ ubuntu: ~ # kinit-k-t /etc/krb5.keytab nfs/ubuntu.sag.local
kinit: Key table entry not found while getting initial credentials

keytab was created like this:
C:\Windows\system32>ktpass.exe -princ nfs/ubuntu.sag.local@SAG.LOCAL -mapuser ubuntu -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass *** -out C:\tmp\ubunutukeytab
Targeting domain controller: DC.sag.local
Using legacy password setting method
Successfully mapped nfs/ubuntu.sag.local to ubuntu.
Key created.
Output keytab to C:\tmp\ubunutukeytab:
Keytab version: 0×502
keysize 65 nfs/ubuntu.sag.local@SAG.LOCAL ptype 1 KRB5_NT_PRINCIPAL) vno 3 etype 0×17 (RC4-HMAC) keylength 16 (0xff178150b60703459ae8cc430c5110cf)

“crypto” tried to specify ALL, but the result is negative.
config krb5.conf:

root@ubuntu:~# cat /etc/krb5.conf
[libdefaults]
default_realm = SAG.LOCAL
allow_weak_crypto=false

v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = sag.local
}

[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL

[login]
krb4_convert = true
krb4_get_tickets = false

Very very thank you if you help me!

PS: sorry for my english

]]> By: Luigi http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-51865 Luigi Thu, 13 Oct 2011 12:02:55 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-51865 Hi, if i had only active directory user accounts, users logged in linux machines with their domain users... it is necessary to implement password synchronization? Hi, if i had only active directory user accounts, users logged in linux machines with their domain users… it is necessary to implement password synchronization?

]]> By: Ruuuuuubje http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-50839 Ruuuuuubje Mon, 16 May 2011 20:01:20 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-50839 for keytab information we used the microsoft page. http://technet.microsoft.com/en-us/library/cc753771(WS.10).aspx can be that it's not much but helped us on afther 30 mins of searching for keytab information we used the microsoft page.

http://technet.microsoft.com/en-us/library/cc753771(WS.10).aspx

can be that it’s not much but helped us on afther 30 mins of searching

]]> By: Greg Franklin http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-50451 Greg Franklin Thu, 17 Mar 2011 03:51:34 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-50451 Paul Pham did you ever get your solution to the fail over capabilities. I have been googling too, and havent figured it out yet. I have a windows only AD environment, and am authenticating users agains it on the linux side. I have it working great with only 1 DC, but have tried to get it to work with DC1 down and DC2 operating as primary DC. Still no luck. any input would be great. thanks, Greg Paul Pham did you ever get your solution to the fail over capabilities. I have been googling too, and havent figured it out yet. I have a windows only AD environment, and am authenticating users agains it on the linux side. I have it working great with only 1 DC, but have tried to get it to work with DC1 down and DC2 operating as primary DC. Still no luck.

any input would be great.

thanks,
Greg

]]> By: uzi http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-50426 uzi Mon, 07 Mar 2011 21:08:20 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-50426 Hi there, its fairly simple to train your users to use kpasswd to change the domain user password. It's also possible to make a desktop-shortcut to a shell with kpasswd startet. So you don't need ldap,pam ...what else.. only krb5, for password changes. greetz from germany Hi there,

its fairly simple to train your users to use kpasswd to change the domain user password. It’s also possible to make a desktop-shortcut to a shell with kpasswd startet.
So you don’t need ldap,pam …what else.. only krb5, for password changes.

greetz from germany

]]> By: clement http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-50246 clement Thu, 10 Feb 2011 14:07:08 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-50246 here's the complete configuration of a Linux Server using Samba as a second Domain Controller. The first DC is a Windows Server 2008. The communication between the DC is bidirectionnal ! http://www.clementhallet.be/?p=195 here’s the complete configuration of a Linux Server using Samba as a second Domain Controller. The first DC is a Windows Server 2008. The communication between the DC is bidirectionnal !
http://www.clementhallet.be/?p=195

]]> By: Paul Pham http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/comment-page-2/#comment-49081 Paul Pham Fri, 03 Sep 2010 22:26:16 +0000 http://blog.scottlowe.org/2007/07/09/linux-ad-integration-with-windows-server-2008/#comment-49081 For anyone who might be curious, it is possible for DCs to be discovered in RHEL. Simply omit any references to your DC in your ldap configurations, but keep the domain configurations. Outside of that, just make sure you've added the proper SRV records for all DCs (with appropriate priority configured). You can also add a SRV for kerberos admin interface to make your configuration completely dynamic (meaning no hardcoded hosts). For anyone who might be curious, it is possible for DCs to be discovered in RHEL. Simply omit any references to your DC in your ldap configurations, but keep the domain configurations. Outside of that, just make sure you’ve added the proper SRV records for all DCs (with appropriate priority configured). You can also add a SRV for kerberos admin interface to make your configuration completely dynamic (meaning no hardcoded hosts).

]]>