SSSD AD enrollment fails

Trying to configure SLES12 SP3 for authentication against MS AD I find
two problems:

1. Instead of installing the machine object into the default
   CN=susi,CN=Computers,DC=example,DC=com, the AD admins asked me to use a
   special OU for this task. With my admin account I am allowed to create
   the object in this OU only. How do I achieve this with the YaST module
   for enrollment? As far as I can tell, sssd.conf does not give me an
   option for this.
2. YaST gives an error “failed to find DC for domain” while the domain
   controllers are defined in sssd.conf and are also visible from the client.

Any hints on one of those?

Günther

Günther,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com

Günther,

When you are enrolling the system in the domain using the “Active Directory Enrollment” dialogue there is an option field called:

“Optional Organisation Unit”

Specify the container to create your server computer object there.

Note: when using the AD provider, the domain name used in the sssd.conf file must match the FQDN of the target AD domain.

If the join still fails, add the “debug_level = 7” directive/value to the domain section in your sssd.conf, look for the issue near the end of the /var/log/sssd/sssd_domain.log file and advise me of the results.

– lawrence

On 05/18/2018 04:14 PM, hangarbait wrote:

> When you are enrolling the system in the domain using the “Active
> Directory Enrollment” dialogue there is an option field called:
>
> “Optional Organisation Unit”
>
> Specify the container to create your server computer object there.

Thank you very much for the hint. I was a bit confused about what this
option is actually used for.

As for my second problem with the message “failed to find DC for
domain”: it turned out that this was caused by our Firewall rules. For
some reason the SUSE system will contact the domain controllers on
389/UDP. With rules for TCP only this will fail and the enrollment never
completes.
> Note: when using the AD provider, the domain name used in the sssd.conf
> file must match the FQDN of the target AD domain.
>
> If the join still fails, add the “debug_level = 7” directive/value
> to the domain section in your sssd.conf, look for the issue near the
> end of the /var/log/sssd/sssd_domain.log file and advise me of the
> results.

Now the enrollment worked for one system. I want to thank you very much
for your useful advice and will post here if I need further help e.g.
with the sssd log files.

Günther
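The two failure modes in this thread (a domain section whose name does not match the AD FQDN, and a firewall that allows 389/TCP but not the 389/UDP CLDAP "DC ping" SSSD uses to locate a domain controller) can both be caught before attempting the join. The following checker is an added example, not code from the thread or from the SSSD project: it parses a constructed sssd.conf, verifies the domain section against the expected FQDN and the debug_level directive lawrence suggested, and lists the per-DC port/protocol pairs a firewall must allow. The port list is my own summary of what the SSSD AD provider needs (Kerberos, LDAP, CLDAP, kpasswd, Global Catalog); the host names are constructed.

```python
"""Pre-join sanity checks for an SSSD AD domain section (added example)."""
import configparser
import socket

# Constructed sssd.conf modelled on the thread: AD provider, two explicit
# DCs and the debug_level = 7 directive recommended for troubleshooting.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
ad_server = dc1.example.com, dc2.example.com
debug_level = 7
"""

# Ports the SSSD AD provider talks to on each DC (my summary, not from the
# thread). 389/udp is the CLDAP discovery ping that a TCP-only rule blocks.
AD_PROVIDER_PORTS = (
    ("kerberos", 88, "tcp"), ("kerberos", 88, "udp"),
    ("ldap", 389, "tcp"), ("cldap", 389, "udp"),
    ("kpasswd", 464, "tcp"), ("kpasswd", 464, "udp"),
    ("global-catalog", 3268, "tcp"),
)


def _parse(conf_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def check_domain_section(conf_text, expected_fqdn):
    """Return a list of findings; an empty list means the section looks sane."""
    parser = _parse(conf_text)
    findings = []
    if "." not in expected_fqdn:
        findings.append(f"{expected_fqdn!r} is not a FQDN; use the AD domain's DNS name")
    listed = [d.strip() for d in parser.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if expected_fqdn not in listed:
        findings.append(f"[sssd] domains does not list {expected_fqdn}")
    section = f"domain/{expected_fqdn}"
    if not parser.has_section(section):
        findings.append(f"missing section [{section}] (name must match the AD FQDN)")
        return findings
    dom = parser[section]
    if dom.get("id_provider") != "ad":
        findings.append("id_provider is not 'ad'")
    ad_domain = dom.get("ad_domain", expected_fqdn)
    if ad_domain.lower() != expected_fqdn.lower():
        findings.append(f"ad_domain {ad_domain!r} does not match section name {expected_fqdn!r}")
    if dom.get("debug_level") is None:
        findings.append("debug_level not set; add debug_level = 7 to see join failures in sssd_domain.log")
    return findings


def required_firewall_rules(conf_text, fqdn):
    """List (dc_host, port, proto) tuples that must be allowed outbound to each DC."""
    dom = _parse(conf_text)[f"domain/{fqdn}"]
    # ad_server may contain the magic _srv_ entry (DNS discovery); skip it.
    servers = [s.strip() for s in dom.get("ad_server", "").split(",")
               if s.strip() and s.strip() != "_srv_"]
    return [(host, port, proto) for host in servers for _, port, proto in AD_PROVIDER_PORTS]


def tcp_reachable(host, port, timeout=3.0):
    """Connect-test a TCP port. UDP (CLDAP) cannot be verified this way; a
    plain UDP probe gets no answer whether the packet was dropped or ignored,
    so check those rules on the firewall itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for f in check_domain_section(SAMPLE_SSSD_CONF, "example.com") or ["domain section OK"]:
        print(f)
    for host, port, proto in required_firewall_rules(SAMPLE_SSSD_CONF, "example.com"):
        print(f"allow {host}:{port}/{proto}")
```

Run it against the real file by swapping in `Path("/etc/sssd/sssd.conf").read_text()` for the constructed sample; the findings list is what to fix before retrying the YaST join, and the rule list is what to hand to whoever owns the firewall.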

… always happy to help Günther, I’ve also worked with you on the TTP list :) .

– lawrence