Comments on: CentOS 5 Active Directory Integration Problem http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/ The weblog of an IT pro specializing in virtualization, storage, and servers Sun, 05 Jul 2009 01:03:08 +0000 http://wordpress.org/?v=abc hourly 1 By: Stephane Brodeur http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-44030 Stephane Brodeur Mon, 30 Mar 2009 20:20:49 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-44030 I have similar problem, just would like to know what patch was applied to to the CentOS5.2 server. Thanks I have similar problem, just would like to know what patch was applied to to the CentOS5.2 server.

Thanks

]]> By: Tom http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-44028 Tom Mon, 30 Mar 2009 13:52:19 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-44028 I have got a different problem with it. I use CentOS 5.2 I went through all mentiined problems but.... I have 2 symstems on 1 PC. WinXP and CentOS 5.2 both are in a SBS Company domain. When I boot it up in Win XP once and next booted up in CentOS again I received Access Denied from the server. Domain Server NETLOGON: event ID: 5722 The session setup from the computer HPXX failed to authenticate. The name(s) of the account(s) referenced in the security database is HPXX$. The following error occurred: Access is denied Any clue? I have got a different problem with it. I use CentOS 5.2 I went through all mentiined problems but….

I have 2 symstems on 1 PC. WinXP and CentOS 5.2 both are in a SBS Company domain.

When I boot it up in Win XP once and next booted up in CentOS again I received Access Denied from the server.

Domain Server NETLOGON: event ID: 5722

The session setup from the computer HPXX failed to authenticate. The name(s) of the account(s) referenced in the security database is HPXX$. The following error occurred: Access is denied

Any clue?

]]> By: Gavin Adams http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-43968 Gavin Adams Wed, 25 Mar 2009 17:24:09 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-43968 Scott, Thanks for documenting these solutions. Just an update that running an patched (yum update) CentOS 5.2 server, I was able to use the net ads -J command to create the computer object. All the other LDAP, nss, and kerberos changes in your other post worked fine. It did require configuring the member server settings in samba and starting it up, but that actually a good thing as now I connect to shares on the Linux server, assume I'm using kerberos for that. For some reason, getent simply does not return and values for passwd or groups. However, if I create a directory and set the UID/GID to values defined in the AD account UNIX tab, ls -l does show the proper values (principal names from AD). And ssh logins work, so that makes me happy. Things have changed dramatically since the Redhat 7.3 days... thank goodness! Scott,

Thanks for documenting these solutions. Just an update that running an patched (yum update) CentOS 5.2 server, I was able to use the net ads -J command to create the computer object. All the other LDAP, nss, and kerberos changes in your other post worked fine.

It did require configuring the member server settings in samba and starting it up, but that actually a good thing as now I connect to shares on the Linux server, assume I’m using kerberos for that.

For some reason, getent simply does not return and values for passwd or groups. However, if I create a directory and set the UID/GID to values defined in the AD account UNIX tab, ls -l does show the proper values (principal names from AD). And ssh logins work, so that makes me happy.

Things have changed dramatically since the Redhat 7.3 days… thank goodness!

]]> By: Mike H http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-39475 Mike H Thu, 19 Jun 2008 21:59:44 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-39475 SELinux enable disable techniques: 1. To see whether or not selinux is enforcing, permissive or disabled $ sudo /usr/sbin/getenforce 2. To temporarily set selinux to permissive (doesn't enforce any policies but will log alerts to syslog) $ sudo /usr/sbin/setenforce 0 3. To set selinux back to enforcing $ sudo /usr/sbin/setenforce 1 4. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change: SELINUX=enforcing to SELINUX=permissive permissive is nice because you can use it to debug selinux policy issues SELinux enable disable techniques:

1. To see whether or not selinux is enforcing, permissive or disabled
$ sudo /usr/sbin/getenforce

2. To temporarily set selinux to permissive (doesn’t enforce any policies but will log alerts to syslog)
$ sudo /usr/sbin/setenforce 0

3. To set selinux back to enforcing
$ sudo /usr/sbin/setenforce 1

4. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change:
SELINUX=enforcing
to
SELINUX=permissive

permissive is nice because you can use it to debug selinux policy issues

]]> By: Dave http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-39398 Dave Thu, 12 Jun 2008 22:25:42 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-39398 I found this post useful http://www.linuxquestions.org/questions/linux-networking-3/kerberos-kinit-reply-did-not-match-expectations-445698/ I found this post useful
http://www.linuxquestions.org/questions/linux-networking-3/kerberos-kinit-reply-did-not-match-expectations-445698/

]]> By: Maurizio http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-37244 Maurizio Mon, 28 Apr 2008 06:18:02 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37244 Others of you has tried to make rpm binary using sources? i got "Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.28a-1.i386.rpm" and all the others samba packages 3.0.28a but now i am very worried to install them on thsi Centos 5.1 Someone did it and he is satisfied? Others of you has tried to make rpm binary using sources?
i got
“Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.28a-1.i386.rpm”
and all the others samba packages 3.0.28a
but now i am very worried to install them on thsi Centos 5.1

Someone did it and he is satisfied?

]]> By: Maurizio http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-37243 Maurizio Mon, 28 Apr 2008 06:13:49 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37243 3.0.25a is bugged for other reasons, too :( As Graham pointed here: http://lists.samba.org/archive/samba/2008-March/139428.html "After groping around in the dark, I found some references to ldap passwd sync being broken, and changing this worked: ldap passwd sync = no For some reason, ldap passwd sync seems to be broken on samba 3.0.25b." i have the same issue, i can't change password using CtrlAltCanc Windows form 3.0.25a is bugged for other reasons, too :(
As Graham pointed here:
http://lists.samba.org/archive/samba/2008-March/139428.html
“After groping around in the dark, I found some references to ldap passwd
sync being broken, and changing this worked:

ldap passwd sync = no

For some reason, ldap passwd sync seems to be broken on samba 3.0.25b.”
i have the same issue, i can’t change password using CtrlAltCanc Windows form

]]> By: Albe http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-37062 Albe Thu, 17 Apr 2008 17:05:47 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37062 Solution for the first post: just go for the firstconfig procedure (u can relaunch by /usr/sbin/firstconfig --reconfig) and in the firewall section disable the SELinux. This fixed this as well as other issues with my installation... Albe Solution for the first post: just go for the firstconfig procedure (u can relaunch by /usr/sbin/firstconfig –reconfig) and in the firewall section disable the SELinux.

This fixed this as well as other issues with my installation…

Albe

]]> By: mike http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-37006 mike Thu, 10 Apr 2008 21:27:35 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37006 I was able to get my RHEL 5 machine added to the AD Domain. I am currently on RHEL 5.1 (/etc/redhat-release). So I'm wondering what I did that was different from the instructions? I am having a issue where my Samba server is having Windows XP machines (Not in the AD domain) to enter in there username and password every hour or so. I was wondering if anyone else is having this issue? I was able to get my RHEL 5 machine added to the AD Domain. I am currently on RHEL 5.1 (/etc/redhat-release). So I’m wondering what I did that was different from the instructions? I am having a issue where my Samba server is having Windows XP machines (Not in the AD domain) to enter in there username and password every hour or so. I was wondering if anyone else is having this issue?

]]> By: DaveL http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/comment-page-1/#comment-35517 DaveL Fri, 15 Feb 2008 19:43:18 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-35517 Having a similar problem, only at the next step: the join works, but then getent doesn't return the user / group info from ADS. I'd just posted a question to the Samba mail list when I found this blog entry. DaveL Having a similar problem, only at the next step: the join works, but then getent doesn’t return the user / group info from ADS. I’d just posted a question to the Samba mail list when I found this blog entry.

DaveL

]]>