How to Join Ubuntu 22.04 to Active Directory Domain

  • Published 28 Sep 2024

COMMENTS • 53

  • @olivierschmitt795 6 months ago +1

    This can be interesting only if we can put the home directory for users on an NFS server with Kerberos on the same realm, or better, it can be on a Samba share from a Windows server like a roaming profile. Cache only if working...

    • @DimensionQuest 6 months ago +1

      I think most, if not all, of that should be able to be done.. I just don't have the time or requirement to pursue it at this time. I'm not certain on the cache part... If that's NOT available, then it should be able to be accomplished using logon/logoff scripts with rsync .
      After a quick search, this could be usable: github.com/abchk1234/linux-ad-roaming-profile/tree/master
      While that repo is a bit dated, the content/scripts are viable as is the osync (github.com/deajan/osync) tool that it leverages.

  • @peterwein929 8 months ago +2

    @DimensionQuest: Hi, thank you for the nice video! It is 2024 and finally Ubuntu supports AD!! I have been randomly looking for a solution for 6 years!!!!
    Do you know how I can safely remove an AD user? I have one misconfigured one (actually my own), but as I am working in an enterprise I am not allowed to edit my entries. And the home directory points to /transhome/{username}. I assume that makes difficulties when it comes to login, because it refuses to find me. But a parallel "technical" user, that I have access to, works without any problems.... What are your tips here?

    • @DimensionQuest 8 months ago +1

      I'm not terribly sure how to respond here as I'm quite unfamiliar with how your environment is set up... since you don't have access to Active Directory Users & Computers and profile settings, you are likely just limited to your local Ubuntu system based on your comment.. Where does this home directory "/transhome/" exist - is this an NFS/SMB mount to a server that you do not have access to? I'll assume yes....
      Assuming you don't have access to the /transhome/ share, your admins should have a subdirectory there that matches the username you wish to login as - or, depending on permissions, you'll need to check your /etc/pam.d/common-session file's configuration...
      If your home directory does not already exist, you'll need to make sure the file contains:
      session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
      NOTE: the skel definition may need to be something else if your admins have a pre-determined share as the source, e.g. /transhome/skel
      Additionally, you may need:
      session optional pam_mount.so
      either above or below the pam_mkhomedir.so line in that file to ensure that your home directory is either accessible or created upon login...
      With regards to the "technical" user you reference.... is this user able to login to the system in question without issue? Does your AD user have a folder on /transhome ??
      Hopefully my comment about reviewing the common-session file will help you get this resolved, as I had an odd issue due to MY configuration where I needed the pam_mkhomedir.so listed ABOVE the pam_mount, while the default config had it inversed....
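      The ordering point in the reply above is easy to get wrong by hand, so here is an added example (not code from the video) that inspects a PAM session file, normally /etc/pam.d/common-session, and reports whether pam_mkhomedir.so is listed before pam_mount.so and what umask pam_mkhomedir will apply. The sample file it builds is constructed for the demo; the module arguments are assumptions taken from the reply.

```shell
#!/usr/bin/env bash
# Added example, not from the video: inspect a PAM session stack (normally
# /etc/pam.d/common-session) and report whether pam_mkhomedir.so runs before
# pam_mount.so, plus the umask pam_mkhomedir will use for new home directories.
set -u

# first_session_line FILE MODULE_REGEX -> line number of the first active
# "session ... MODULE" entry, or nothing if the module is not listed
first_session_line() {
    grep -nE "^[[:space:]]*session[[:space:]].*$2" "$1" | head -n1 | cut -d: -f1
}

# pam_session_order FILE -> mkhomedir-before-mount | mount-before-mkhomedir |
#                           mkhomedir-only | mount-only | neither
pam_session_order() {
    local mk mount
    mk=$(first_session_line "$1" 'pam_mkhomedir\.so')
    mount=$(first_session_line "$1" 'pam_mount\.so')
    if [ -n "$mk" ] && [ -n "$mount" ]; then
        if [ "$mk" -lt "$mount" ]; then echo mkhomedir-before-mount; else echo mount-before-mkhomedir; fi
    elif [ -n "$mk" ]; then echo mkhomedir-only
    elif [ -n "$mount" ]; then echo mount-only
    else echo neither
    fi
}

# pam_mkhomedir_umask FILE -> the umask= argument on the pam_mkhomedir line;
# pam_mkhomedir's own default is 0022, which leaves a new home world-readable
pam_mkhomedir_umask() {
    local line
    line=$(grep -E "^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so" "$1" | head -n1)
    case "$line" in
        *umask=*) printf '%s\n' "$line" | sed -E 's/.*umask=([0-7]+).*/\1/' ;;
        *)        echo 0022 ;;
    esac
}

# Demo on a constructed file that mirrors the ordering the reply recommends.
demo=$(mktemp)
cat > "$demo" <<'EOF'
session required  pam_unix.so
session optional  pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional  pam_mount.so
EOF
echo "order: $(pam_session_order "$demo")   umask: $(pam_mkhomedir_umask "$demo")"
rm -f "$demo"
```

      Run it as `bash pamcheck.sh` to see the demo, or call `pam_session_order /etc/pam.d/common-session` after sourcing it. Commented-out lines are ignored, and a missing umask= is reported as 0022 because that is what pam_mkhomedir falls back to; on a shared machine you want 0077 so other domain users cannot read a freshly created home.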

    • @peterwein929 8 months ago

      @DimensionQuest I really have to thank you so much! I will try it out in the next days and obviously will give you feedback! But I find it terrific how detailed you wrote and that you really took the time for me, that is really cool!
      Yes, you assume right, I do not have access to the AD management, but maybe I have a good contact who can do it for me. I was only thinking whether this special /trans/skel remainder (because it seems I am like a unicorn, but the IT service is not very capable of dealing on that Linux level, they are used to being Windows admins) is causing my problems; the technical user itself works flawlessly with the normal creation of /home/{technical_user}.
      With your help I guess I have something to try out and better arguments! See you soon, thanks much!!!

  • @DAMEXx 1 year ago +1

    Hi, I have a question. Please can you help me. I created users in Active Directory and wanted to log in with the user I created. Linux is connected to the domain, but the user is not being discovered. Where could the cause be? When I check sssd status, it displays GSSAPI Error: Unspecified. I'm a beginner and I'm learning Ubuntu.

    • @DimensionQuest 1 year ago +1

      Did you follow this video to get your Ubuntu Joined to Active Directory? Have you rebooted since joining the domain? When you run "realm list", does the "configured" line say "kerberos-member"? As shown in my video, I didn't run into this particular issue you have noted so I'm not certain what your issue may be.

    • @DAMEXx 1 year ago

      @DimensionQuest I think my problem is in the IP settings. Please, can you show your configuration? On AD and the Ubuntu IP? And can you show your files: sudo nano /etc/resolv.conf and sudo nano /etc/hosts

    • @DAMEXx 1 year ago

      If I enter the domain's IP address, it works, but the domain name doesn't work anymore.

    • @DAMEXx 1 year ago

      T.local: This name or service is unknown
      But the IP address is working... Jesus :)

    • @DimensionQuest 1 year ago +2

      @DAMEXx - wait a sec... you're using .local ??? this is a big no-no, never ever use .local for networks ;) It causes issues with Linux resolution and is incompatible with a whole variety of systems. www.ibm.com/support/pages/node/6593891 is just one such example, and if you're having resolution issues with .local in your own environment, there's another example.
      .local is "special", rather than me copy/paste, here's a really good short explanation: serverfault.com/questions/1006000/is-tld-local-not-a-local-tld-anymore

  • @adminshare-kr6hj 1 year ago

    Hello, how do I set the ownership to "user:domain admins" when we have a space in the domain admins group?

    • @DimensionQuest 1 year ago +2

      Like this (I just validated on a system to be sure):
      chown user:"domain admins" file.ext
      where file.ext is the file whose ownership you are changing...
      If you have a multi-domain environment (my work lab is 3 domains), then use the following:
      chown user@mylabenv.lab:"domain admins@mylabenv.lab" file.ext

  • @thommas09 1 year ago

    is it really this complicated?

    • @DimensionQuest 1 year ago

      It can be.. there are several options for joining Linux to Active Directory, some a bit more of a pain than others. The GUI method built into the OS has never worked well for me, whether I'm trying to join a Microsoft AD server or a Zentyal/Linux Samba server... The method I showed in this video has been very consistent for me and could even be scripted as part of a VM build. Unfortunately we have to jump through these hoops since we're trying to join something Microsoft came up with for their own OS ;)

  • @Bhakti_satsang_sadhana 8 months ago +2

    I have joined the AD but am unable to log in with a domain user?

    • @DimensionQuest 8 months ago

      I haven't run into this issue personally, but there was someone (one of the oldest comments on the video) that discovered some GPO was preventing the user account from logging in.

  • @nusibusi4728 1 year ago +1

    Really big thanks for this video!
    This is exactly what I need, because the idea in our company is to connect Linux clients to the domain in this way. But what about the rights? Developers who will work on Linux clients will need higher rights than an ordinary user. But with elevated rights, I'm afraid they could change domain-specific settings or add new local users, change IP settings etc. How to prevent this?

    • @DimensionQuest 10 months ago

      I haven't been in that situation of having concern over local elevated rights. There are a couple of ways to approach this off the top of my head, but keep in mind I'm just at a novice-intermediate level here ;) I can't elaborate much on the following, they are just things I've seen:
      - Do not grant full sudo/root privileges to your domain users -- sudo can be granted to users and groups for specific operations, but it can get complicated -- search for "how to limit sudo user permissions"
      - Using commercially supported Linux and domain membership can also allow for more restrictive control over your Linux users via Group Policies -- search for "linux group policies domain membership"
      Good luck, let me know how you end up approaching this or meeting your requirements.
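      The first suggestion in the reply above, limiting sudo to specific operations for a domain group, is the one the commenter's concern (no local user, network or realm changes) is actually met by, so here is an added example of what such a sudoers drop-in looks like. This is not code from the video; the group "domain developers", the domain example.lab and the command list are assumptions, and the drop-in assumes sssd is presenting group names as name@domain (use_fully_qualified_names), which you can confirm with `getent group 'domain developers@example.lab'`.

```shell
#!/usr/bin/env bash
# Added example, not from the video: build and validate a sudoers drop-in that
# grants one AD group a fixed list of commands instead of full root.
# The group "domain developers" and the domain "example.lab" are assumptions.
set -u

# sudoers_group_token GROUP DOMAIN -> the sudoers spelling of an AD group:
# leading %, spaces backslash-escaped, @domain suffix as sssd presents it
sudoers_group_token() {
    printf '%%%s@%s\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')" "$2"
}

# sudoers_fragment GROUP DOMAIN -> fragment text for /etc/sudoers.d/
# Only exact command lines, no wildcards: "apt-get install *" would also accept
# -o options that run arbitrary commands, and editors/pagers give shell escapes.
sudoers_fragment() {
    local token; token=$(sudoers_group_token "$1" "$2")
    cat <<EOF
# AD group "$1" from $2: service control only, no account/network/realm changes
Cmnd_Alias DEV_SERVICES = /usr/bin/systemctl restart docker, /usr/bin/systemctl start docker, /usr/bin/systemctl stop docker, /usr/bin/apt-get update
Defaults:$token use_pty, log_output
$token ALL=(root) DEV_SERVICES
EOF
}

# install_sudoers_fragment NAME GROUP DOMAIN -> writes /etc/sudoers.d/NAME after
# a syntax check; a bad drop-in can lock everyone out of sudo, so visudo -c is mandatory
install_sudoers_fragment() {
    local tmp; tmp=$(mktemp)
    sudoers_fragment "$2" "$3" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "syntax error, not installing" >&2; rm -f "$tmp"; return 1
    fi
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$1" && rm -f "$tmp"
}

if [ $# -eq 3 ]; then
    install_sudoers_fragment "$1" "$2" "$3"
else
    sudoers_fragment 'domain developers' example.lab
fi
```

      Run without arguments to print the fragment; `sudo bash sudoers-dev.sh 50-dev-services 'domain developers' example.lab` installs it. Because the allowed commands are the only thing the group can run as root, useradd, netplan, realm and visudo are simply absent rather than blacklisted (sudoers `!` negations are bypassable by copying the binary), and use_pty plus log_output give you a record of every session if a developer does find a way to escalate.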

  • @jcspaziano 7 months ago +1

    Superb video!!! Thank you thank you thank you!!

    • @DimensionQuest 7 months ago

      Glad you enjoyed it! Thanks for watching and taking the time to comment :)

  • 9 months ago

    Hi, I'm trying to connect my Ubuntu 22.04 to a Windows Server 2022. No problem with the realm, but when I try id@mydomain.local .... user does not exist. When I do the realm join I get an error:
    Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
    Can you help me?

    • @DimensionQuest 9 months ago

      I don't think I can.. the use of .local is a disaster that Microsoft started many years ago. It should NOT be used in networks - especially those with Linux clients, as it causes all kinds of nasty issues. I would suggest using your favorite search engine to find a solution; just paste in the error you shared here. Perhaps this thread could be of use: forums.rockylinux.org/t/linux-ad-direct-integration-with-sssd-kerberos/6894/3 -- disregard that it is a Rocky Linux community, as sssd, realm, etc... apply across most distributions. Good luck!

  • @markv5855 4 months ago

    I can ping my DC but I cannot discover the realm. Any ideas? I have been spinning my wheels on Stack Overflow.

    • @DimensionQuest 4 months ago

      The machine you are trying to join to the domain - is it using your DC as the DNS server? If I'm not mistaken, I believe there are special DNS entries on DCs that are used for Active Directory/domain activities. A simple 3rd-party DNS server or hosts entry would not have the special records. Other than that, I recall another viewer discovering that there were some group policies that were preventing their attempts. Please let me know if you get this resolved and what the issue turned out to be. Good luck and thanks for watching!
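      The "special DNS entries" the reply refers to are the SRV records that realmd and sssd use to find domain controllers, and pinging the DC by address says nothing about them. The following added script (not from the video) checks the three things that cause "realm discover" to fail in this thread: a .local domain name, a resolver that is not the DC, and missing SRV records. The domain example.lab and the resolv.conf path are assumptions; the SRV queries need dig from the dnsutils package and are skipped when it is absent.

```shell
#!/usr/bin/env bash
# Added example, not from the video: pre-flight DNS checks to run before
# `realm discover`. The domain example.lab, the DC address and the resolv.conf
# path are assumptions.
set -u

# is_dot_local DOMAIN -> 0 when DOMAIN ends in .local, which RFC 6762 reserves
# for mDNS; avahi/systemd-resolved answer such names locally instead of asking the DC
is_dot_local() {
    case "$1" in
        *.local|*.local.) return 0 ;;
        *)                return 1 ;;
    esac
}

# ad_srv_names DOMAIN -> the SRV records realmd and sssd look up; a third-party
# DNS server or an /etc/hosts entry for the DC does not carry these
ad_srv_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1" "_kerberos._udp.$1" \
                  "_kpasswd._tcp.$1" "_ldap._tcp.$1"
}

# resolv_nameservers FILE -> the nameserver addresses in a resolv.conf-style file
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# ad_dns_check DOMAIN [RESOLV_CONF] -> 0 when nothing obvious is wrong
ad_dns_check() {
    local domain="$1" resolv="${2:-/etc/resolv.conf}" ns name rc=0
    if is_dot_local "$domain"; then
        echo "WARN: $domain ends in .local; mDNS will intercept it, rename the domain or disable mDNS"
        rc=1
    fi
    for ns in $(resolv_nameservers "$resolv"); do
        case "$ns" in
            127.0.0.53) echo "INFO: $ns is the systemd-resolved stub; run 'resolvectl status' to see the real upstream" ;;
            *)          echo "INFO: nameserver $ns (must be a domain controller or forward to one)" ;;
        esac
    done
    if command -v dig >/dev/null 2>&1; then
        for name in $(ad_srv_names "$domain"); do
            if dig +short +time=2 +tries=1 SRV "$name" | grep -q .; then
                echo "OK:   $name"
            else
                echo "FAIL: no SRV answer for $name"; rc=1
            fi
        done
    else
        echo "SKIP: dig not installed (apt install dnsutils)"
    fi
    return "$rc"
}

if [ $# -ge 1 ]; then ad_dns_check "$@"; fi
```

      Usage: `bash ad-dns-check.sh example.lab`. If every SRV line fails but the DC pings, the client is asking the wrong server; on Ubuntu 22.04 that usually means systemd-resolved is forwarding to the DHCP-supplied resolver rather than the DC, which `resolvectl status` shows per interface. The _msdcs record is the one realmd checks first, so it is the one to fix if only it is missing.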

  • @KidKomic-oq6mx 6 months ago

    This video is really useful. Any chance this video could be updated for those who have a Zentyal Ubuntu AD server installed? Thanks again for this video.

    • @BurkeAzbill 6 months ago

      Hmmm, this video IS joining to a Zentyal AD server… so I’m not quite sure what you mean here…

    • @DimensionQuest 6 months ago

      Oops, responded from my other acct ;)

  • @Wolfywolfywolfwolfwolf 3 months ago

    If a separate DNS server was used that AD syncs with, how could this be adapted?

    • @DimensionQuest 3 months ago

      I’m very rusty with Active Directory and have not attempted what you described. This thread may help: community.spiceworks.com/t/unable-to-join-domain-what-to-do/130845/10

  • @corrigan1061 1 year ago

    Hello, I have a question: do you know if it works with Microsoft Azure?

    • @DimensionQuest 1 year ago +1

      I have no idea. That is not something I have a need for, nor an account to test with.

  • @Marc.Blist22 1 year ago

    Hi, how are you? I followed the steps in the video but I can't log in with a domain account.
    I have Zentyal 7.0 and Ubuntu 22. I was able to join the domain, but I can't log in with user@domain.
    any ideas?

    • @DimensionQuest 1 year ago +2

      I'm not too sure on that. It would take a bit of searching and seeing the actual issue to attempt to figure it out. Good luck though!

    • @kf4hqf2 1 year ago +2

      I had this same issue. In my case it was caused by some GPOs I created for my Windows PCs. I created a new OU for Linux computers, moved the Ubuntu PC's computer account to the new OU, then disabled inheritance and created a single GPO linked to that OU. In the new OU, make sure your user has rights to "Allow Login" and "Allow Login Remotely" under User Rights policies. Voila! I got this solution from a post on Spiceworks. Still not sure why it works as I didn't think Linux used GPOs at all, but apparently Ubuntu does.
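      The reason the OU fix in the comment above works is that sssd's AD provider evaluates the "Allow log on locally" and "Allow log on through Remote Desktop Services" user rights from GPOs (the ad_gpo_map_interactive and ad_gpo_map_remote_interactive settings decide which PAM services count as which), and its default mode is enforcing. Here is an added helper, not from the video, that reads and switches ad_gpo_access_control in sssd.conf so you can confirm a GPO is the cause before restructuring OUs; the domain name example.lab in the constructed sample is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the video: read and switch sssd's GPO-based access
# control mode. sssd's AD provider enforces the GPO logon rights (mapped via
# ad_gpo_map_interactive and ad_gpo_map_remote_interactive), which is why a
# Windows-oriented GPO can block Linux logins. The domain name is an assumption.
set -u

# gpo_access_mode SSSD_CONF -> ad_gpo_access_control from the first [domain/...]
# section; sssd's default is "enforcing" when the key is absent
gpo_access_mode() {
    local mode
    mode=$(awk -F= '
        /^\[domain\// { in_dom = 1; next }
        /^\[/         { in_dom = 0 }
        in_dom && $1 ~ /^[ \t]*ad_gpo_access_control[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1")
    echo "${mode:-enforcing}"
}

# set_gpo_access_mode SSSD_CONF MODE -> rewrites the key in the [domain/...] section
# (MODE is enforcing, permissive or disabled). "permissive" still evaluates the
# GPOs and logs would-be denials to syslog, so use it to diagnose, not as a fix.
set_gpo_access_mode() {
    local file="$1" mode="$2" tmp
    tmp=$(mktemp)
    awk -v mode="$mode" '
        /^\[domain\// { print; print "ad_gpo_access_control = " mode; in_dom = 1; next }
        /^\[/         { in_dom = 0 }
        in_dom && $0 ~ /^[ \t]*ad_gpo_access_control[ \t]*=/ { next }
        { print }
    ' "$file" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"
    # sssd reads the file only at start: systemctl restart sssd; sss_cache -E
}

if [ $# -ge 1 ]; then
    echo "current mode: $(gpo_access_mode "$1")"
    if [ $# -eq 2 ]; then
        set_gpo_access_mode "$1" "$2"
        echo "set to: $(gpo_access_mode "$1")"
    fi
fi
```

      Usage: `sudo bash gpo-mode.sh /etc/sssd/sssd.conf` prints the mode; `sudo bash gpo-mode.sh /etc/sssd/sssd.conf permissive` switches it, after which a restart of sssd and a login attempt will show the denial in syslog if a GPO is the blocker. The file is written with mode 0600 because sssd refuses to start on a world-readable sssd.conf. Leave the mode at enforcing once the OU/GPO is fixed; disabling it means a domain account that Windows would refuse can still log in to the Linux box.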

    • @elcolin_ 1 year ago

      @kf4hqf2 nice tip, thanks. I just did that on my AD server in my attempt to follow this and many other all-over-the-place "how to" guides on getting Linux machines joined to my company domain. Sigh. 2 Ubuntu, 1 Linux Mint. 0 success thus far lol

  • @ethangender 1 year ago

    Where did you get the config for automatically mounting the shared folders? I guess there is another tutorial for that, no?

    • @DimensionQuest 1 year ago

      Yeah, I did the tutorial here: ua-cam.com/video/LxzPhmlaBFI/v-deo.html

    • @dienthi5701 1 year ago +1

      3:15 3:15 3:15

  • @javierquiroga6774 1 year ago

    So once I follow these steps, should I be able to ping the Ubuntu computer by its hostname from Windows? I have a problem pinging the Ubuntu computer from Windows. I can only do it with its IP. Any idea what might be happening?

    • @javierquiroga6774 1 year ago

      I joined the Windows Active Directory with no problem, btw.

    • @DimensionQuest 1 year ago +1

      Since you already stated you can ping by IP, that rules out a firewall on Ubuntu blocking ICMP, so this certainly means name resolution is the issue.
      Is Ubuntu using a static or DHCP address? Have you enabled dynamic DNS (i.e. each DHCP client automatically gets added to your DNS server and can be resolved)? You should be able to ping by name as long as the name can be resolved by the system you are pinging from.

    • @javierquiroga6774 1 year ago

      Yep, Ubuntu has a static IP and the firewall is disabled for now.

    • @DimensionQuest 1 year ago

      Next you need to confirm that there is a DNS entry for your Ubuntu VM, and that the Windows system is using that DNS server for name resolution.
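      With a static address there is no DHCP server registering the name, so the Ubuntu host has to register its own A record in the AD zone. sssd's AD provider does this by default (dyndns_update defaults to true for the ad provider), so a missing record normally means that update failed; the added script below, which is not from the video, does the same thing by hand with a GSS-TSIG signed nsupdate so you can see the zone's response. It authenticates as the computer account that realm join stored in /etc/krb5.keytab, which is what an AD zone set to "Secure only" updates accepts. The host ubuntu01.example.lab, its address and the DC name are assumptions; nsupdate comes from the dnsutils package.

```shell
#!/usr/bin/env bash
# Added example, not from the video: register (or refresh) this host's A record
# in the AD DNS zone with a GSS-TSIG signed update, authenticated as the
# computer account that `realm join` put in /etc/krb5.keytab. The host, IP and
# DC names are assumptions; nsupdate comes from the dnsutils package.
set -u

# nsupdate_script FQDN IP DC [TTL] -> the batch that nsupdate reads on stdin
nsupdate_script() {
    local fqdn="$1" ip="$2" dc="$3" ttl="${4:-3600}"
    printf 'server %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$dc" "$fqdn" "$fqdn" "$ttl" "$ip"
}

# computer_principal FQDN -> the computer account name AD uses, e.g. UBUNTU01$
computer_principal() {
    printf '%s$\n' "$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')"
}

# register_host FQDN IP DC -> 0 when the zone accepted the update
register_host() {
    local fqdn="$1" ip="$2" dc="$3"
    # -k: authenticate from the keytab, no password; the realm comes from /etc/krb5.conf
    kinit -k "$(computer_principal "$fqdn")" || return 1
    # -g: sign the update with the Kerberos ticket ("Secure only" zones require this)
    nsupdate_script "$fqdn" "$ip" "$dc" | nsupdate -g
}

if [ $# -eq 3 ]; then
    register_host "$@"
else
    nsupdate_script ubuntu01.example.lab 10.0.0.50 dc1.example.lab
fi
```

      Usage: `sudo bash register-dns.sh ubuntu01.example.lab 10.0.0.50 dc1.example.lab`; without arguments it only prints the update batch. A REFUSED answer means the computer account is not allowed to write that record, which happens when a record with the same name already exists and is owned by someone else (for instance an older Windows machine with the same hostname); an UPDATE that goes through but still does not resolve from Windows means the Windows client is not using the AD DNS server, which is the second check in the reply above.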

  • @Layawin 7 months ago

    Hi! Thanks so much for the video!

    • @DimensionQuest 7 months ago

      You're welcome - thanks for watching and commenting :)

  • @vecheria 1 year ago

    Thx, very useful vid!