SLED/GDM does not show the menu for logging in to an AD Domain

SLED 11 SP3 + online updates.

Via YaST, this SLED 11 SP3 box joins the MS Active Directory Domain without any issue, but does not provide the option to log in to an MS AD Domain, i.e. GNOME/GDM does not show the DOMAIN menu.

Also, in the same environment we had previously joined several other SP2/SP3 boxes, and GNOME always provided the option to log in to the Domain, but these SLED boxes (GNOME/GDM) do not.

Here is the /etc/krb5.conf:

[libdefaults]
	default_realm = MS-AD-DOMAIN.COM
	clockskew = 300
[domain_realm]
	.ms-ad-domain.com = MS-AD-DOMAIN.COM
[realms]
MS-AD-DOMAIN.COM = {
	kdc = dc1.ms-ad-domain.com
	default_domain = ms-ad-domain.com
	admin_server = dc1.ms-ad-domain.com
}
[appdefaults]
pam = {
	ticket_lifetime = 1d
	renew_lifetime = 1d
	forwardable = true
	proxiable = false
	minimum_uid = 1
}

/etc/samba/smb.conf

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2013-05-28
[global]
	workgroup = MS-AD-DOMAIN
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	include = /etc/samba/dhcp.conf
	logon path = \\\\%L\\profiles\\.msprofile
	logon home = \\\\%L\\%U\\.9xprofile
	logon drive = P:
	usershare allow guests = No
	idmap gid = 10000-20000
	idmap uid = 10000-20000
	realm = MS-AD-DOMAIN.COM
	security = ADS
	template homedir = /home/%D/%U
	template shell = /bin/bash
	winbind offline logon = yes
	kerberos method = secrets and keytab
	winbind refresh tickets = yes
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

Please help asap

[QUOTE=sharfuddin;21482] i.e GNOME/GDM does not show DOMAIN menu.
[/QUOTE]

When you say ‘DOMAIN menu’ I think you mean the thing I’ve crudely circled in red as shown at http://paste.opensuse.org/83788460

Is that what you mean and you’re saying it’s not there? In my experience that’s there all the time regardless of whether the machine is joined to a Domain or not.

You say you have other SLED machines in the same environment that are working as expected. The obvious place to start seems to be to compare the configuration of a machine which doesn’t work how you want with one that does. There is presumably a difference somewhere.

On a tangential note, it sounds like you might be trying to set up a bunch of machines to work identically but you’re configuring each machine manually (you say ‘via YaST’). Is that the case?

Sorry, I misguided you. SLED shows the DOMAIN menu, but that menu does not contain the MS-AD-DOMAIN to log on to.

Yes, I copied the /var/lib/samba/krb5.MS-AD-DOMAIN from those machines that show the MS-AD-DOMAIN in the DOMAIN menu, then restarted the SLED box, and then got the MS-AD-DOMAIN in the DOMAIN list. But now I am getting the “User not known to underlying authentication module” error when trying to log on to the MS-AD-DOMAIN.

[QUOTE=mikewillis;21501]
On a tangential note, it sounds like you might be trying to set up a bunch of machines to work identically but you’re configuring each machine manually (you say ‘via YaST’). Is that the case?[/QUOTE]
Yes.

Well, it’s a long time since I connected a machine to an Active Directory Domain and I am not currently in a position to try it, but check /etc/nsswitch.conf and the PAM configuration in /etc/pam.d/ on a machine which works vs one which doesn’t.

You may want to look at automating the installation and configuration of machines using AutoYaST and/or using something like Puppet to manage configuration on deployed machines. Or even just scripting the desired configuration. Failing that, you should at least have very clear documentation that tells people how to configure machines manually.
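
The nsswitch.conf and PAM comparison suggested above can be scripted. This is an added example, not part of the thread; it assumes winbind is the intended NSS/PAM backend (the posted smb.conf sets winbind options) and that PAM uses SUSE's common-auth and common-account stacks. The function name and its ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example: report where a machine's NSS/PAM setup does not use winbind.
# ROOT (hypothetical parameter) is "" for the live system, or a directory
# holding a copy of another machine's /etc, e.g. taken from a working box.
# Usage: check_winbind_auth ""          (this machine)
#        check_winbind_auth /tmp/goodbox (copy of a working machine's /etc)

# Prints one line per missing piece; returns the number of missing pieces.
check_winbind_auth() {
    root=$1
    missing=0

    # NSS: passwd and group must list winbind as a source, otherwise a
    # domain account cannot be resolved to a UID/GID and PAM sees the
    # user as unknown.
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*${db}:(.*[[:space:]])?winbind([[:space:]]|\$)" \
                "$root/etc/nsswitch.conf" 2>/dev/null; then
            echo "nsswitch.conf: '$db' has no winbind source"
            missing=$((missing + 1))
        fi
    done

    # PAM: the auth and account stacks must reference pam_winbind.so on a
    # line that is not commented out. A missing file counts as missing.
    for stack in common-auth common-account; do
        if ! grep -Eq '^[[:space:]]*[^#[:space:]].*pam_winbind\.so' \
                "$root/etc/pam.d/$stack" 2>/dev/null; then
            echo "pam.d/$stack: pam_winbind.so not referenced"
            missing=$((missing + 1))
        fi
    done

    return "$missing"
}
```

Running it against the failing machine and against a copy of /etc from a working one shows which of the four entries differ.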