Comments on: CentOS 5 Active Directory Integration Problem http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/ The weblog of an IT pro specializing in virtualization, storage, and servers Mon, 01 Dec 2008 22:12:13 +0000 http://wordpress.org/?v=2.6 By: Mike H http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-39475 Mike H Thu, 19 Jun 2008 21:59:44 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-39475 SELinux enable disable techniques: 1. To see whether or not selinux is enforcing, permissive or disabled $ sudo /usr/sbin/getenforce 2. To temporarily set selinux to permissive (doesn't enforce any policies but will log alerts to syslog) $ sudo /usr/sbin/setenforce 0 3. To set selinux back to enforcing $ sudo /usr/sbin/setenforce 1 4. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change: SELINUX=enforcing to SELINUX=permissive permissive is nice because you can use it to debug selinux policy issues SELinux enable disable techniques:

1. To see whether or not selinux is enforcing, permissive or disabled
$ sudo /usr/sbin/getenforce

2. To temporarily set selinux to permissive (doesn’t enforce any policies but will log alerts to syslog)
$ sudo /usr/sbin/setenforce 0

3. To set selinux back to enforcing
$ sudo /usr/sbin/setenforce 1

4. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change:
SELINUX=enforcing
to
SELINUX=permissive

permissive is nice because you can use it to debug selinux policy issues

]]> By: Dave http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-39398 Dave Thu, 12 Jun 2008 22:25:42 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-39398 I found this post useful http://www.linuxquestions.org/questions/linux-networking-3/kerberos-kinit-reply-did-not-match-expectations-445698/ I found this post useful
http://www.linuxquestions.org/questions/linux-networking-3/kerberos-kinit-reply-did-not-match-expectations-445698/

]]> By: Maurizio http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37244 Maurizio Mon, 28 Apr 2008 06:18:02 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37244 Others of you has tried to make rpm binary using sources? i got "Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.28a-1.i386.rpm" and all the others samba packages 3.0.28a but now i am very worried to install them on thsi Centos 5.1 Someone did it and he is satisfied? Others of you has tried to make rpm binary using sources?
i got
“Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.28a-1.i386.rpm”
and all the others samba packages 3.0.28a
but now i am very worried to install them on thsi Centos 5.1

Someone did it and he is satisfied?

]]> By: Maurizio http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37243 Maurizio Mon, 28 Apr 2008 06:13:49 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37243 3.0.25a is bugged for other reasons, too :( As Graham pointed here: http://lists.samba.org/archive/samba/2008-March/139428.html "After groping around in the dark, I found some references to ldap passwd sync being broken, and changing this worked: ldap passwd sync = no For some reason, ldap passwd sync seems to be broken on samba 3.0.25b." i have the same issue, i can't change password using CtrlAltCanc Windows form 3.0.25a is bugged for other reasons, too :(
As Graham pointed here:
http://lists.samba.org/archive/samba/2008-March/139428.html
“After groping around in the dark, I found some references to ldap passwd
sync being broken, and changing this worked:

ldap passwd sync = no

For some reason, ldap passwd sync seems to be broken on samba 3.0.25b.”
i have the same issue, i can’t change password using CtrlAltCanc Windows form

]]> By: Albe http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37062 Albe Thu, 17 Apr 2008 17:05:47 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37062 Solution for the first post: just go for the firstconfig procedure (u can relaunch by /usr/sbin/firstconfig --reconfig) and in the firewall section disable the SELinux. This fixed this as well as other issues with my installation... Albe Solution for the first post: just go for the firstconfig procedure (u can relaunch by /usr/sbin/firstconfig –reconfig) and in the firewall section disable the SELinux.

This fixed this as well as other issues with my installation…

Albe

]]> By: mike http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37006 mike Thu, 10 Apr 2008 21:27:35 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-37006 I was able to get my RHEL 5 machine added to the AD Domain. I am currently on RHEL 5.1 (/etc/redhat-release). So I'm wondering what I did that was different from the instructions? I am having a issue where my Samba server is having Windows XP machines (Not in the AD domain) to enter in there username and password every hour or so. I was wondering if anyone else is having this issue? I was able to get my RHEL 5 machine added to the AD Domain. I am currently on RHEL 5.1 (/etc/redhat-release). So I’m wondering what I did that was different from the instructions? I am having a issue where my Samba server is having Windows XP machines (Not in the AD domain) to enter in there username and password every hour or so. I was wondering if anyone else is having this issue?

]]> By: DaveL http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-35517 DaveL Fri, 15 Feb 2008 19:43:18 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-35517 Having a similar problem, only at the next step: the join works, but then getent doesn't return the user / group info from ADS. I'd just posted a question to the Samba mail list when I found this blog entry. DaveL Having a similar problem, only at the next step: the join works, but then getent doesn’t return the user / group info from ADS. I’d just posted a question to the Samba mail list when I found this blog entry.

DaveL

]]> By: IanK http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-34988 IanK Tue, 08 Jan 2008 02:53:58 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-34988 I got net ads join to work by upgrading Samba to a newer version than 3.0.25b. The problem with the password prompt after obtaining a ticket and trying to use the root user is a bug in the Samba distribution from yum install samba using default mirrors in Cent0S 5. The version CentOS 5 comes with is Version 3.0.25b-1.el5_1.4. There was a Samba version update that would fix this, version 3.0.26 and sequentially 3.0.26a and now 3.0.28 is the most recent. The bug is described here: http://enterpriselinuxlog.blogs.techtarget.com/2007/09/11/of-samba-bugs-and-3026a/ Also check the samba installation documentation to ensure you have compiled Samba correctly for CentOS 5. Look at the Compiling Samba With Active Directory support document here: http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html Love your site. IanK I got net ads join to work by upgrading Samba to a newer version than 3.0.25b.

The problem with the password prompt after obtaining a ticket and trying to use the root user is a bug in the Samba distribution from yum install samba using default mirrors in Cent0S 5. The version CentOS 5 comes with is Version 3.0.25b-1.el5_1.4. There was a Samba version update that would fix this, version 3.0.26 and sequentially 3.0.26a and now 3.0.28 is the most recent. The bug is described here: http://enterpriselinuxlog.blogs.techtarget.com/2007/09/11/of-samba-bugs-and-3026a/

Also check the samba installation documentation to ensure you have compiled Samba correctly for CentOS 5. Look at the Compiling Samba With Active Directory support document here:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html

Love your site.

IanK

]]> By: slowe http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-34718 slowe Mon, 17 Dec 2007 23:32:22 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-34718 Matt, Good question. We certainly could use LDAP for authentication, but using Kerberos also allows us to leverage Kerberos' design for authenticating to other services as well. You are correct, though--LDAP should work in this scenario. Thanks for reading! Matt,

Good question. We certainly could use LDAP for authentication, but using Kerberos also allows us to leverage Kerberos’ design for authenticating to other services as well.

You are correct, though–LDAP should work in this scenario.

Thanks for reading!

]]> By: Matt http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-34715 Matt Mon, 17 Dec 2007 22:08:27 +0000 http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/#comment-34715 Just a quick question why do you use pam_krb to do the authenticating as doesn't pam_ldap do the same thing? I'm probably wrong but I just thought I would ask. Thanks for a fantastic site. Matt Just a quick question why do you use pam_krb to do the authenticating as doesn’t pam_ldap do the same thing? I’m probably wrong but I just thought I would ask.

Thanks for a fantastic site.

Matt

]]>