Enable SSSD without YAST

Hi everyone,

I’m working on SLES 12 SP2 and I want to script the ActiveDirectory integration using SSSD.

I can fill the configuration files without problem and join the domain with the command “net ads join”.

It’s not working well until I open YAST and go to :
“Network Services” > “User Logon Management” > “Change Settings”, here I need to check “Allow Domain User Logon”.

If I don’t do that my AD User cannot log in to my server. I do not find the parameter to do this in a configuration file or something.
The auth-client module is not interactive. I checked this file /usr/share/YaST2/lib/auth/authconf.rb but I do not see what “Allow Domain User Logon” does.

Thank you all.

On 24/07/18 11:04, exploitationwindows wrote:

> I’m working on SLES 12 SP2 and I want to script the ActiveDirectory
> integration using SSSD.
>
> I can fill the configuration files without problem and join the domain
> with the command “net ads join”.
>
> It’s not working well until I open YAST and go to :
> “Network Services” > “User Logon Management” > “Change Settings”, here I
> need to check “Allow Domain User Logon”.
>
> If I don’t do that my AD User cannot log in to my server. I do not find
> the parameter to do this in a configuration file or something.
> The auth-client module is not interactive. I checked this file
> /usr/share/YaST2/lib/auth/authconf.rb but I do not see what “Allow
> Domain User Logon” does.

Does
https://www.suse.com/c/the-sssd-active-directory-and-sles-12-and-15/ help?

HTH.

Simon
SUSE Knowledge Partner



On 07/24/2018 12:04 PM, exploitationwindows wrote:

> I’m working on SLES 12 SP2 and I want to script the ActiveDirectory
> integration using SSSD.
>
> I can fill the configuration files without problem and join the domain
> with the command “net ads join”.
>
> It’s not working well until I open YAST and go to :
> “Network Services” > “User Logon Management” > “Change Settings”, here I
> need to check “Allow Domain User Logon”.
>
> If I don’t do that my AD User cannot log in to my server. I do not find
> the parameter to do this in a configuration file or something.

Did you check the following files and folders before and after the “net
ads join” command as well as before and after YaST doing its magic?

Nsswitch configuration:
/etc/nsswitch.conf

Pam configuration:
/etc/pam.d/

SSSD configuration:
/etc/sssd*

It might also be worth comparing the computer object in AD for a system
that allows user logon with one that doesn’t. Maybe an attribute is
missing there that is created or configured with the YaST module.

My currently preferred method is to prepare the sssd configuration files
automatically and then run the YaST module interactively. Just for a
few servers this is the fastest method for me. In case you do not succeed
in replacing YaST with your own script, running AutoYaST on the installed
system just for the AD integration might also be an option for fast
deployment on many servers.

Günther

exploitationwindows,
It is likely the bits you’re missing are the pam module and nsswitch file configuration YaST is doing (in addition to some other bits):

From the referenced blog post (as the author I can scrape from it :-) ):

Modify the passwd and group sources in the Name Service Switch configuration file (/etc/nsswitch.conf) to reference the SSSD when resolving users and groups.

passwd: compat sss
group: compat sss

Configure the Pluggable Authentication Module (PAM) configuration on the SLES host to authenticate users using the SSSD, and create home directories for them on login if they do not already exist.

~# pam-config --add --sss
~# pam-config --add --mkhomedir

The join and configuration of the SSSD is completely script-able if you know the bits to script :-) .

Hoping to have helped,

– lawrence
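
The two steps quoted in the answer above, written so they can be re-run safely from a deployment script. This is an added example, not code from the thread or the referenced blog post; the function names, the `NSS_FILE` variable and the `--apply` switch are this example's own, and the `getent` lookup is an added check.

```shell
#!/bin/sh
# Added example: the nsswitch.conf and pam-config steps as one repeatable script.
# NSS_FILE and --apply are this example's own names, not YaST's or SSSD's.
NSS_FILE="${NSS_FILE:-/etc/nsswitch.conf}"

# Succeeds if database $1 in file $2 already lists "sss" as a source.
nss_has_sss() {
    grep -Eq "^$1:(.*[[:space:]])?sss([[:space:]]|\$)" "$2"
}

# Make sure the passwd and group lines of file $1 end with the sss source.
ensure_nss_sss() {
    file="$1"
    for db in passwd group; do
        if ! grep -q "^$db:" "$file"; then
            # No line for this database at all: add the one from the post.
            printf '%s: compat sss\n' "$db" >> "$file"
        elif ! nss_has_sss "$db" "$file"; then
            # Replace trailing blanks on the existing line with " sss".
            sed "/^$db:/s/[[:space:]]*\$/ sss/" "$file" > "$file.new" &&
                cat "$file.new" > "$file" && rm -f "$file.new"
        fi
    done
}

# PAM side, exactly the two pam-config calls from the post (SUSE only).
ensure_pam_sss() {
    pam-config --add --sss &&
    pam-config --add --mkhomedir
}

# Change the live system only on request: sh sssd-logon.sh --apply [aduser]
if [ "${1:-}" = "--apply" ]; then
    cp -p "$NSS_FILE" "$NSS_FILE.bak" &&
    ensure_nss_sss "$NSS_FILE" &&
    ensure_pam_sss || exit 1
    # Optional check: the named domain user must now resolve through NSS.
    if [ -n "${2:-}" ]; then
        getent passwd "$2" >/dev/null || { echo "lookup of $2 failed" >&2; exit 1; }
    fi
fi
```

Setting `NSS_FILE` to a copy of `/etc/nsswitch.conf` lets the edit be inspected before it is applied to the real file.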