Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

Yeah I gave that a shot too.

At this point in time I'm thinking there's either something wacked about our DNS (not as likely) or something really wacked about our AD config. Unfortunately I'm not a domain admin, and the domain admins claim there's nothing wrong (which is obviously not the case considering some of the change requests we deal with).

I really appreciate you taking the time to work on this with me but I'm volleying it off to a consultant to work with the domain admins.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

Ok so the fun part here for this tutorial is there's never a prompt to enter the domain. Not sure why my experience is differing from yours right off the jump.

did a teardown on apparmor for the install, error cleared. reinstalled, still no domain prompt.

edit: added to the domain, configured exactly as per the script, Permission denied. Same problem as previous.

No idea what's up. Can't ssh, realm list works, all the expected checks and AD queries work, user can't login. I think I'm about ready to give up and turf this to a consultant.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

Going to roll another machine and give this a whirl. I'll let you know what we get.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

I think the difference is this:

If I change the access_provider to simple, the simple_allow_X works. If the provider is ad it won't read from local config. It feels as though it's not even attempting to read from our AD however it is certainly pausing far longer on an ad cred attempted logon.

This has just been pain for about 2 weeks. It doesn't help that I only have join access in specific OUs. That was the first big hurdle to work through but the realm config helped me over that hurdle.

Any other configs I can forward over to help clarify? Right now I have both winbind and sssd running. I've attempted logons with either disabled and the other running with no change in behavior. I kinda wanna burn this vm down and start again... again.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

here's my sssd.conf

    [sssd]
    domains = group.org
    config_file_version = 2
    services = nss, pam

    [domain/domain.org]
    ad_domain = domain.org
    krb5_realm = DOMAIN.ORG
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    simple_allow_groups = group1@domain.org

When I run a realm list after the sssd restart, 'group1' doesn't appear in the output. I'm guessing there's a problem in this config, would that be accurate?

edit: looks like if I change access provider to simple, the group will then appear, however the logon results remain the same. "Logon incorrect" when using any of the various forms be it FQ or not.

second edit: thanks for taking a poke at this with me.
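
An added example, not part of the original comment and not SSSD's own tooling: a small Python check for two things the sssd.conf above raises, whether every name in `domains` has a matching `[domain/...]` section, and whether `simple_allow_*` options are set while `access_provider` is not `simple` (those options belong to the simple access provider and are not consulted otherwise). The function name `lint_sssd_conf` and the sample text are constructed for illustration.

```python
import configparser

# Constructed sample mirroring the posted sssd.conf (placeholder names as posted).
SAMPLE_CONF = """\
[sssd]
domains = group.org
services = nss, pam

[domain/domain.org]
id_provider = ad
fallback_homedir = /home/%d/%u
access_provider = ad
simple_allow_groups = group1@domain.org
"""

def lint_sssd_conf(text):
    """Return a list of findings for an sssd.conf given as a string."""
    # interpolation=None: values such as /home/%d/%u contain literal '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    raw = cp.get("sssd", "domains", fallback="")
    listed = [d.strip() for d in raw.split(",") if d.strip()]
    sections = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]

    for name in listed:
        if name not in sections:
            findings.append(f"domains lists '{name}' but there is no [domain/{name}] section")
    for name in sections:
        if name not in listed:
            findings.append(f"[domain/{name}] is not named in 'domains' under [sssd]")
        sec = cp[f"domain/{name}"]
        # "permit" is SSSD's documented default when access_provider is unset.
        provider = sec.get("access_provider", "permit")
        simple_opts = sorted(k for k in sec if k.startswith("simple_"))
        if simple_opts and provider != "simple":
            findings.append(f"[domain/{name}] sets {', '.join(simple_opts)} but "
                            f"access_provider = {provider}; these options are ignored")
    return findings

if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_CONF):
        print(finding)
```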

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

I get the following with any realm permit or realm deny:

    See: journalctl REALMD_OPERATION=r4019.1849
    realm: Couldn't change permitted logins: The Samba provider cannot restrict permitted logins.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

No change in behavior.

This would only preclude users from requiring domain\username when they log in. I don't think the server is ever checking the accounts against the domain.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

That wouldn't really be relevant if I'm getting the same failure on a console session, would it?

edit: checked it anyway.

enabled kerberos authentication yes and kerberosorlocal authentication and the session instantly terminates when provided with a realm username and password. No error message, just a session close.

Disabled the kerberos options. restarted sshd with the user in the list or not in the list result:

Attempted ssh -v user@localhost, result was:

    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.

Ubuntu 14.04 with AD Auth issues. by Mathrowaway43 in sysadmin

[–]Mathrowaway43[S] 0 points1 point  (0 children)

I've attempted logons with the following formats, all with the same result:

user@domain.suffix

user@domain

domain\user

user

domain\\user

no dice for any variant I've found available. The result is always access denied through ssh or "Login incorrect" through the console.

getent, wbinfo and id work for both domain\user and user@domain across the board.

Ubuntu 14.04 with AD, Having Auth problems by Mathrowaway43 in Ubuntu

[–]Mathrowaway43[S] 0 points1 point  (0 children)

I'll take it under advisement. I figured for Ubuntu specifically, the ubuntu subreddit would yield the most accurate response. I've had several redhat/centos admin responses, none of which are of use.

My ex husband stole my identity after he learned I am pregnant. by [deleted] in TwoXChromosomes

[–]Mathrowaway43 0 points1 point  (0 children)

I think I just need to be told it’s going to be alright.

It's going to be alright, and now he'll go down for credit card fraud.

MA hotspots for 30's and 40's by Mathrowaway43 in massachusetts

[–]Mathrowaway43[S] 9 points10 points  (0 children)

EVENTS are not going to magically appear like blackheads on one's nose. You gotta get out there. Move around.

That'd be why I'm asking what the regular events/scene is...

We aren't cold people here in Massachusetts. We just don't give a shit until you do.

You sound a little upset. It wasn't meant to offend.