Unable to integrate SuSe with AD

SUSE Product Topics SLES Configure-Administer
1

Hi Team,

I am facing the issue while authenticating user though AD, i am getting the output of “getent passwd username”, i am also able to join this server to AD i get the message successfully joined. When i switch to root account and then try to swtich to AD users am able to do that also now the issue is when i m trying authenticate the user using password its showing password incorrect for all the user but password is the correct one,its an AWS instance.
I added the server to AD using YaST and manually also using commands nothing looks working. Can anyone help.

2

Which version and Service Pack (SP) of SLES?

Do any other systems of yours, SLES or otherwise, work when doing this?

Anything interesting in the various logs, usually all under /var/log ?

Do you know if you are using the LDAP client or SSSD?

Any nastygrams from the microsoft active directory (MAD) environment that
indicate a problem authenticating?

Anything on the wire, maybe being rejected by the MAD boxes, but at least
confirming that your box is reaching out, and which port/protocol is being
used?


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

3

Hi Thank you for your response please check below i have provided the information of the Environment we have and configuration i m using please check if i m missing anything.

Which version and Service Pack (SP) of SLES?

Ans:

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3

Do any other systems of yours, SLES or otherwise, work when doing this?

Ans;
We are facing this issue with SuSe servers only, we also have other flavors of linux in our environment but for the AD authentication is working fine.

Anything interesting in the various logs, usually all under /var/log ?

Do you know if you are using the LDAP client or SSSD?

Ans:
We are using SSSD

Below is the krb5.conf file contents:

below entry in /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = fake.example.com.au
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]

FAKE.EXAMPLE.COM.AU = {
kdc = server.fake.example.com.au
admin_server = FAKE.EXAMPLE.COM.AU
}

FAKE.EXAMPLE.COM.AU = {
}

FAKE.EXAMPLE.COM.AU = {
kdc = server1.fake.example.com.au
kdc = server2.fake.example.com.au
}

[domain_realm]

fake.example.com.au = FAKE.EXAMPLE.COM.AU
.fake.example.com.au = FAKE.EXAMPLE.COM.AU

Samba File contents:

entry in /etc/samba/smb.conf

[global]
workgroup = FAKE
password server = server.fake.example.com.au
realm = FAKE.EXAMPLE.COM.AU
security = ads
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log

4

On 02/23/2017 02:54 AM, babajuneed wrote:[color=blue]

Which version and Service Pack (SP) of SLES?

Ans:

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3[/color]

Have you tried SP4, or even better, SLES 12 SP2? I only ask because of
possible fixes, and in the case of SLES 12, much newer SSSD code.
[color=blue]

Do any other systems of yours, SLES or otherwise, work when doing this?

Ans;
We are facing this issue with SuSe servers only, we also have other
flavors of linux in our environment but for the AD authentication is
working fine.[/color]

Are they also using SSSD (vs. just LDAP) I presume, and, if so, which
version? Have you compared their configuration files with those from SLES?
[color=blue]

Anything interesting in the various logs, usually all under /var/log ?[/color]

What about those logs? I see your krb5.conf points to a few under
/var/log which may be interesting to tail as you try the login with a
password.
[color=blue]

Below is the krb5.conf file contents:

below entry in /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = fake.example.com.au
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

[realms]

FAKE.EXAMPLE.COM.AU = {
kdc = server.fake.example.com.au
admin_server = FAKE.EXAMPLE.COM.AU
}

FAKE.EXAMPLE.COM.AU = {
}[/color]

Is there a reason you have this first, blank, entry? I am not an SSSD
expert, but having two, one blank, seems like a non-required, maybe
non-good, thing.
[color=blue]

FAKE.EXAMPLE.COM.AU = {
kdc = server1.fake.example.com.au
kdc = server2.fake.example.com.au
}

[domain_realm]

fake.example.com.au = FAKE.EXAMPLE.COM.AU
.fake.example.com.au = FAKE.EXAMPLE.COM.AU[/color]

What, if anything, do you see on the wire between the SLES box and the
windows domain controllers (DC) when you try the password-based
authentication? How does that compare with working systems?

#Summary printed to the screen.
sudo /usr/sbin/tcpdump -n -s 0 -i any not port 22

#All data written to a file (for proper analysis)
sudo /usr/sbin/tcpdump -n -s 0 -i any -v -w /tmp/lan.cap not port 22


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

5

babajuneed,

Perhaps check out the following video I did for SLES 11 SSSD deployments:

https://www.youtube.com/watch?v=lf66X7jIMQI

To Aaron’s points the SLES 12 SSSD code would be much easier to use. Depending on the level of AD integration required understand that the options on SLES 11 are more limited. Essentially to LDAP with a non-joined machine or LDAP/Kerberos with a joined machine. However, I did this video specifically for those on the SLES 11 platform that couldn’t update to the SLES 12 platform due to organizational or application constraints. I’ll be doing more videos as time permits.

Hoping it helps,

– lawrence