Topic: How to connect a Ubuntu 8.04 client to my domain?

[cnpdk]

My SME server is currently running as domain controller and I have two Win2000Pro clients connected to it.

Now I would like to add a Ubuntu 8.04 client to the same domain but until now without much luck.

I installed likewise-open with the GUI on the Ubuntu client and went ahead.

Unfortunately I ended up with the following error message:

---

The configuration stage 'open ports to DC' cannot be completed automatically. Please manually perform the following steps and rerun the domain join:

Some required ports on the domain controller could not be contacted. Please update your firewall settings to ensure that the following ports are open to 'sme-server.cnp-sme':
   88  UDP
   137 UDP
   389 UDP
   464 UDP
   88 TCP
   445 TCP
   464 TCP

---

From the information I have found the default installation of Ubuntu have no firewall that should block these ports.


Do I need to change any settings on the SME server to prepare it for this or should it run flawless like with the Windows clients?

If I do need to make any changes to the SME server: Would someone please help me with a guide or point me in the right direction here?

Any help would be much appreciated

Best regards
Claus

[steever]

I am pretty sure that Likewise will not work because SME is running a NT 4 style domain, and Likewise is trying to connect to an Active Directory style domain controller.

I think it might be easier to update SME to use an ldap backend (see notes at http://bugs.contribs.org/show_bug.cgi?id=1543)and then use these notes https://help.ubuntu.com/community/LDAPClientAuthentication to try to connect an Ubuntu workstation to an ldap server.

Please let me know how you get on ...

Steve

[Stefano]

@cnpdk


have you read this: http://forums.contribs.org/index.php?topic=37587.0?

let us know if you solve your problem

HTH
Ciao
Stefano

[steever]

Stefano, as one of the contributors to Canterbury's web page on getting Ubuntu to auth off SME http://tech.canterburyschool.org/tech/UbuntuWorkstations_2fAuthenticationSetup, I'd like to quote a few things:

First of all, I have not been able to get Hardy's version of Samba/Winbind to play nice with our network.

First, we'll need to add Feisty's main repo to our /etc/apt/sources.list

Next we install the old version of samba, winbind, and smbfs

I am playing around with this as well, but it's hard! That's why they call it hardy!  Hardy to configure.  I feel pretty bad installing old versions of software so that Ubuntu can play nice with samba.

Anyway, take a look at the Canterbury page.  Maybe it will help.

Steve

[cnpdk]

Thanks for taking the time to help me in this matter!

I have now read and to some extend understood your suggested reading.

Please correct me if I am wrong here but I am now of the impression that Ubuntu is trying to log on the domain in a different way than the W2k clients do. Using Likewise-open might be the reason for this.

Since my experience with modified SME servers and future updates are less than positive - to express it in a diplomatic way - I would prefer to keep the SME server as it is.

The question is now how to make Ubuntu connect to the domain in a similar way as the W2k clients. Even though this might be a bit outside the scope of this forum any ideas here would be welcome.


Even though I know that both W2k and XP both are quite old systems and that might be why they can easily connect to the SME server I still find it a bit frustrating that this is hindering me from leaving the MS platforms.

Regarding the SME server being unable to handle the Active Directory style domain controlling and this being possible using ldap I suggest implementing this in the next version or perhaps update.

Best regards
cnpdk

[linuxhelp]

Hi@ALL

Hardy Ubuntu is still beta at current status..

i prefer gutsy on production servers and workstations..

[idp_qbn]

Linuxhelp: Ubuntu 8.04 (Hardy) is LTS status - Long Term Support. In other words, it is the stable release - it passed Beta stage ages ago. In fact 8.10 is due for release next month, but that's really just 8.04 with updated packages and released as an ISO.

Sorry cnpdk, this does not answer your question.

Cheers
Ian

[linuxhelp]

Hello a short comment...

yes it shows LTS=" Long Time Search" for bugs.. if i check out for bugs at bugtracker
my hairs changes color to grey

it is like every software for production take a software and hardware which is on
market for minimum 12 month.. same as M$ Vista..XP.. if SP6 appears it may be stable..

i don't like the "colored and animation-screens" OS should be extremly safe, light and fast..

a OS for 4GB RAM & Quadcore Energyburner does not make sense...

i remember times pc programmers coded OS very efficient to ram without waste...

[jumba]

I'm not sure it'll help, but have you seen this?

http://www.ubuntugeek.com/how-to-add-ubuntu-804-to-win-server-2003-active-directory-domain.html

...maybe it's at least of interest???

[troykd]

I'm not sure it'll help, but have you seen this?

http://www.ubuntugeek.com/how-to-add-ubuntu-804-to-win-server-2003-active-directory-domain.html

...maybe it's at least of interest???

Did anyone get Ubuntu joined using this method?

Any preferred distro's for joining an SME server?

[Stefano]

Did anyone get Ubuntu joined using this method?

no, it will not work because likewise is for AD (Active directory) and not for a NT4 style domain controller (as SME)

Any preferred distro's for joining an SME server?

I'm installing a virtual opensuse to see if I can get it works

Ciao
Stefano

[troykd]

Thanks Stefano,

I find it really odd that it is so difficult, if not impossible to hook up a linux client to a linux based server.

Any current distro's that will connect?  anyone?

[Stefano]

I find it really odd that it is so difficult, if not impossible to hook up a linux client to a linux based server.

well.. pdc, join to a domain are M$ stuff.. having a linux lan, you should use other kind of "network aggregation"

Any current distro's that will connect?  anyone?

I'm waiting opensuse complete installation.. running as virtual machine on virtualbox.. stay tuned

Ciao
Stefano

[Craig Cabrey]

I have found that CentOS 5.2 authenticates to the SME Server perfectly and is actually easy to setup, with a few exceptions of course:
  1. You have to add a Fedora repo or find the rpm and dependencies for   pam_mount.

  2. The login window preferences don't let you get rid of the permissions warning; you have to manually edit the custom.conf file for that.

Other than those two things, CentOS in my opinion is much better for the enterprise, even on the desktop, than Ubuntu when it comes to joining them to a domain.

Craig

[jumba]

Craig:

How would you like to put together a small "HowTo" for setting up CentOS 5.2 work stations to add SME Server domains?

I'm quite sure many people would appreciate that.

Thank you!

[bloodshoteye]

@troykd

Any preferred distro's for joining an SME server?

For what it's worth, I followed this contrib once with Mepis 7.0 and (I think) SME 7.2 Things worked as advertised:

http://wiki.contribs.org/Mepis

I have not tried the new Mepis 8.0 Beta with SME 7.4.

Regards,

[Craig Cabrey]

Craig:

How would you like to put together a small "HowTo" for setting up CentOS 5.2 work stations to add SME Server domains?

I'm quite sure many people would appreciate that.

Thank you!

I could do that 
I'll see if I can write one up this evening.

Craig

[steever]

Craig:  Please please do this.

I've often thought that Centos Workstations attached to a SME (Centos) server would be a perfect fit.  If you can post a how to, I'll try to do a respin of Centos with the correct software added and a nice "connect to domain" script.

Ubuntu changes every release.  I had it working with 6.06.  I had Fedora 7 working with SME 7.2 but the update to 7.3 killed it.

It's such a difficult thing, but it should be so easy!  Like shoes with zippers.

Steve

[Craig Cabrey]

I'm just starting to write up a how to (yes I know, later than I said ) and I'm wondering if I should take screenshots or not.
If so, where should I upload them to?

Thanks,
Craig

PS: For reference, I saw this article from the MEPIS contrib mentioned above:
http://tech.canterburyschool.org/tech/UbuntuWorkstations/AuthenticationSetup

[steever]

Hi Craig.

Actually I'm one of the contributors to the document from Canterbury School.  Such a difficult thing to do with Ubuntu (my distro of choice). 

I am a member of the Documentation team here, so if you write your howto using a word processor and email it to me at steve.towson@gmail.com I will transfer it to the wiki for everyone's education and entertainment.

Thanks in advance.

Steve

[Stefano]

I'm just starting to write up a how to (yes I know, later than I said )

Hi Craig..

just to know if you wrote something

Tia
Ciao
Stefano

[Craig Cabrey]

I'm so sorry guys, I completely forgot about it!

I guess thats what happens when you procrastinate (on this & school )

I'll see if I can get it finished (it's mostly done) this weekend and see if anything needs to be changed for RHEL/CentOS 5.3.

Craig

[alejandro]

well.. pdc, join to a domain are M$ stuff.. having a linux lan, you should use other kind of "network aggregation"

I'm waiting opensuse complete installation.. running as virtual machine on virtualbox.. stay tuned

Ciao
Stefano

Hi stefano, I found your answer searching the forums ,
What kind of network aggregation should be used in your opinion? (besides ldap of course)
Thanks in advance
Ale

[Stefano]

Hi stefano, I found your answer searching the forums ,
What kind of network aggregation should be used in your opinion? (besides ldap of course)
Thanks in advance
Ale

well, I was referring to nis.. if you have linux clients, you can use nis to share credentials between server and clients.

I suggest you to search the forums for it (I remember something about), and read, for example, here and here

hth
Stefano

[alejandro]

Browsing the web I found this:

"NT Domain Authentication in Ubuntu HOW-TO
 by vizvayu@gmail.com
 
 I'm making this tutorial because I had to set-up Ubuntu to authenticate on my company's NT Domain, so now that it's working I thought I could share my experience.
 Any comments, ideas, and even some questions are welcome. There are several tutorials regarding this, but this one is made specially for Ubuntu.
 
 First of all, I'm assuming that you are comfortable editing text files and have a basic undestanding of a linux system, including booting in recovery mode and restoring file backups. Although this procedure is not "dangerous", it could render the authentication system unusable if you make any mistake. So please, be careful and make backups of all the files changed. =;
 
 
 To authenticate on a NT Domain, you need the following extra packets:
 
  samba
  winbind
 
 
 If I remeber correctly, the samba package comes with Ubuntu, but you have to download winbind separately from the universal repository.
 
 
 Ok, now this is a list of the files we are touching, please make backups:
 
 /etc/login.defs
 /etc/nsswitch.conf
 /etc/samba/smb.conf
 /etc/pam.d/common-account
 /etc/pam.d/common-auth
 /etc/pam.d/common-password
 /etc/pam.d/common-session
 /etc/pam.d/sudo
 
 
 Now, the first thing we are doing is setting up samba/winbind to work with the domain, so do a nano /etc/samba/smb.conf and insert the following lines:
 
 workgroup = MYDOMAIN
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 template shell = /bin/bash
 template homedir = /home/%D/%U
 winbind enum users = yes
 winbind enum groups = yes
 winbind cache time = 10
 winbind separator = +
 security = domain
 password server = *
 winbind use default domain = yes
 
 Remeber that this is just and example, you should/can change the values according to your needs.
 
 
 After that we need to make the system to use winbind. First edit /etc/nsswitch.conf and replace:
 
 
 passwd:   compat
 group:   compat
 
 with
 
 passwd: compat winbind
 group:   compat winbind
 
 
 Now go to /etc/pam.d and edit the following files:
 
 common-account:
 
 #Commented for winbind to work
 #account-required   pam_unix.so
 account-required   pam_winbind.so
 
 
 common-auth:
 
 auth   sufficient   pam_winbind.so
 auth   required   pam_unix.so nullok_secure use_first_pass
 
 
 common-session:
 
 session   required   pam_unix.so
 session   required   pam_mkhomedir.so umask=0022 skel=/etc/skel/
 
 
 sudo:
 
 auth   sufficient   pam_winbind.so
 auth   required   pam_unix.so use_first_pass
 
 
 
 And this is an extra, not really required, but as I think the default max password lenght of 8 chars sucks (I like to use passphrases), and as we are using md5, I changed it:
 
 /etc/login.defs:
 
 PASS_MAX_LEN   50
 
 
 /etc/pam.d/common-password:
 
 password   required   pam_unix.so nullok obscure min=4 max=50 md5
 
 
 
 Finally, there are only a few things left to do:
 
 Join the domain:
 
 net rpc join -D MYDOMAIN -U administrator
 
 
 Test it with:
 
 wbinfo -u
 wbinfo -g
 
 
 
 Make the domain home dir (users home dirs will be inside this one, but can be configured in smb.conf):
 
 mkdir /home/MYDOMAIN
 
 
 Reboot, and that's it, you should now have domain authentication working in Ubuntu.
 
 Just a few extra comments:
 
 Remeber that if you need one user to have administration permissions, you need to include him in the /etc/sudoers list. Use the visudo command to do this. And there's no need to prepend MYDOMAIN+ to the username since winbind is configured to use the configured domain by default.
 If anything goes wrong and you cannot login to the system, you have to reboot in recovery mode (press ESC when grub is starting) and replace the changed files from /etc/pam.d with the backups.
  I use NT4 domains, I don't think a W2k domain in native mode will work. You surely have to make some changes.
  This tutorial is just and example of how things worked for me. It's obviously not the only (or better) way to do things.  [-X "
------------------------------------------------------------------------------------
This is the link where I found the info
http://ubuntuforums.org/archive/index.php/t-5409.html

Should this work with SME domain scenario?
I'll give a try.... next week end

alejandro

[engdev]

I'd be very interested to learn how to join a Centos workstation to an SME server?

[Stefano]

I'd be very interested to learn how to join a Centos workstation to an SME server?

you should search google how to join a centos client to a samba NT domain..

[engdev]

I did but haven't got anywhere so I thought I would ask here as there was an offer on this thread of a how-to some months back from a user with a working config.
I tried these:
http://www.mail-archive.com/opensuse@opensuse.org/msg56551.html
http://www.freeos.com/articles/3842/
http://www.novell.com/communities/node/4519/adding-nt-domain-authentication-apache-and-samba-slesopensuse-servers
but to no avail.

If you have a link to a current working how-to that would be great?
Thanks

[Stefano]

engdev:

I managed to join a SME 7.4 domain with ubuntu 8.04 following the howto posted by alejandro.. but I had some issues and,  sincerely, I didn't spend so much time to test..

you could try that howto.. I suggest to use a virtual machine as you can use snapshots..

my 2c