Comments on DigitalLlama.net: Join Debian Wheezy to Windows Active Directory Domain
Blog author: Neal (http://www.blogger.com/profile/01355923207788981464)
Comment feed last updated: 2023-05-25

---
whomakespontiac.com (http://whomakespontiac.com), 2018-07-03

That allowed successful connection and the rest works flawlessly.

---
Chanderjeet, 2016-02-09

Hello Neal,

Thanks for the great tut. I need some help. Please do sir.

When I ran net join, I was shown:

Using short domain -- ***
Joined 'your-pi' to dns domain '***.***'
No DNS domain configured for your-pi. Unable to perform DNS update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

After this the computer object is created in AD. I can ping everything (IPs / hostnames) from here to there and everywhere in the domain.

But I cannot log in with my domain creds.
I have kdestroyed and kinit tickets with my and other domain IDs. Tickets get created and all, but still I cannot log on.

I get incorrect password.

What do you think?

---
Pierre (Anonymous), 2015-10-15

Hello,

First, thank you for your tutorial.
On my end it works fine until the line:
# net join -S dc -U administrator
After entering the administrator password I got the following error message:
Failed to join domain: failed to join domain 'XXX.YYYY' over rpc: NT_STATUS_NOT_SUPPORTED

I have tried several times, and one time a second message came up:
ADS join did not work, falling back to RPC...

I have been searching on the web for hours without any improvement.
Any help would be greatly appreciated!

FYI, the command line # net ads info returns the following information:
LDAP server: 100.238.51.13
LDAP server name: ZZZZZZZ.xxx.yyyy
Realm: XXX.YYYY
Bind Path: dc=XXX,dc=YYYY
LDAP port: 389
Server time: Thu, 15 Oct 2015 17:01:34 CEST
KDC server: 100.238.51.13
Server time offset: 0

And I am on a Raspberry Pi using the OS Raspbian.

PS: I am wondering if I could use LDAP instead of RPC, since I think that my DC doesn't know the RPC protocol.

Thank you in advance,
Pierre

---
Lion, 2015-09-15

IT Jedi, Genius... Super Genius!

---
mcdoug, 2015-07-24

Thanks for the tut.

Just a note that helped fix the ads error that could not connect to the DC server. I added the domain controllers to the /etc/hosts file. That allowed successful connection and the rest works flawlessly.

---
BB2000, 2015-07-16

Great document! You're a life saver :-)
I just missed one package which must be installed to get it working:

apt-get install libnss-winbind

The winbind NSS library no longer comes with winbind and you need it.

I also had the same error "Error looking up domain users" regarding winbind, which in my case also happened once.

---
Neal, 2015-07-13

Hi, I could have been clearer there... You need to add the two lines to the file; however, you already have "session required pam_unix.so", so I would just put the pam_mkhomedir.so line underneath so the end of your file looks like this:

...
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional pam_systemd.so

Best of luck!

---
Anonymous, 2015-07-13

Hello,
Thanks for this tutorial, but I am stuck on editing the "common-session" file.
Do I need to add these two lines to this file or replace some other setting?

My default "common-session" file:
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_systemd.so

Best Regards

---
Anonymous, 2015-05-10

excellent !!!

---
Anonymous, 2015-01-12

Hello everyone, I am new to Linux. Is there a config for offline cache? Thank you.

---
Anonymous, 2014-10-01

File corrected is /etc/pam.d/sshd

:)

---
Neal, 2014-09-29

Thanks for the comments Anon! Don't forget that you need to block more than just those 2 shells (look in /etc/shells for a full list) and that things like vi can execute shell commands as root even if blocked by sudo.

I was not aware of the way to restrict logins to a group of users though; that will come in handy. Previously I've used Active Directory itself to set which users are allowed to log in to a host, but this would be a lot quicker for a one-off change.

---
Anonymous, 2014-09-29

Moreover, if you want to enable some groups to use the sudo command BUT avoid the use of dangerous commands like su, you launch the command visudo and add the lines:

Cmnd_Alias NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias NSU = /bin/su
Cmnd_Alias NPKG = /usr/bin/apt-get,/usr/bin/dpkg

%domain\ admins ALL=ALL, !NSHELLS, !NSU, !NPKG

---
Anonymous, 2014-09-29

Great tutorial, thanks.

If you want to limit access using ssh only to root and domain admins, you have to edit /etc/pam.d/shh and add the line:

session required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed

Then you have to create and edit the file /etc/login.group.allowed and write in:

root
domain admins

Of course this is a list, so you can also put other groups here.

---
Anonymous, 2014-09-24

Thanks for the job!

---
Anonymous, 2014-08-04

Great tutorial, worked perfectly on every Debian system I have.
The only thing I changed, in my case, is the umask applied on homedir creation. I would recommend using umask=0077 for security and privacy reasons.
Thanks a lot for your work.

---
Anonymous, 2014-06-19

Thank you for the documentation. It is concise and accurate.
Two questions came up for me since I cut my teeth as a Windows admin and Debian admin is pretty new to me, so I thought I'd contribute here.

1) Multiple domain controllers: smb.conf accepts comma-delimited values on the following line:

password server = dc.domain.com

So if you have multiple DCs, indicate them this way:

password server = dc1.domain.com,dc2.domain.com,dc3.domain.com

2) Adding groups to sudoers:

If you want to bless Domain Admins as sudoers, the line can be added through visudo as follows:

%domain\ admins ALL=(ALL:ALL) ALL

* The % symbol represents a group.
* The word "domain" is literal. Don't substitute your domain name.
* We've already specified that groupname lookup should include domain groups, via referencing winbind in nsswitch.conf.
* The backslash+space is just a space, but it has to be approached with the backslash as an escape character.

---
Anonymous, 2014-04-24

Great documentation!! I ran into one hitch that took me forever to figure out, however. libnss-winbind had to be installed also on my system for the getent commands to work.

---
Anonymous, 2014-03-21

Thank you very much. I just tried it on a test machine and it worked really well. I will implement this on my other Linux machines too!

---
Anonymous, 2014-02-17

Thank you, I was having trouble with getting this to work after upgrading a server.
Following this has made everything work properly now.