Unable to login with Domain users in the Suse linux

Linux and Unix-Like Linux
1

Hi Team,

I have joined the Suse Linux Server in my domain. I am not able update the DNS but I am able to join the domain. net ads testjoin gives me Join ok.

even net ads dns register -P results to DNS update failed.

wbinfo -u and wbinfo -g also not working.

Samba Configuration:

[global]

    workgroup = ES
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    realm = ES.AD.PP.COM
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = true
    domain logons = No
    domain master = No
    password server = hyrdswsesdc1.ES.AD.PP.COM
    wins support = No
    usershare allow guests = No

cat /etc/krb5.conf [libdefaults]

    default_realm = ES.AD.PP.COM
    clockskew = 300

[realms]

ES.AD.PP.COM = { kdc = hyscswsesdc1.es.ad.pp.com default_domain = es.ad.pp.com admin_server = hyscswsesdc1.es.ad.pp.com }

EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com }

[logging]

    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]

    .es.ad.pp.com = ES.AD.PP.COM

[appdefaults]

pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 1 try_first_pass = true external = sshd use_shmem = sshd }

I have done necessary changes in the in PAM module as well.
Can you please help me how to proceed with it.

Thanks
Naree

2

In all fairness, Windows DNS is fundamentally broken (and IMHO beyond repair) with regards to non-Windows DHCP clients. With that said, what is needed is the ability to send a GSSAPI signed update message to the Windows DNS server... otherwise you have to configure the Windows DNS server to allow insecure updates or updates by particular IP addresses (e.g. addresses you're likely to get via DHCP).

If you REALLY, REALLY want this to work well... rebuild your Windows DC/AD Server and tell it NOT to be a DNS or DHCP, let Linux handle DNS/DHCP via ISC DHCP and BIND and configure it so that it allows the DC/AD Servers to update ONLY the "_" SRV zones and secure that by IP address... the ISC DHCP server will make the DNS updates on behalf of the client using TSIG security (a published standard that Microsoft REFUSES to support).

The very latest versions of BIND support GSSAPI style updates... but there's just something evil about having EVERY client on the network update the DNS server... IMHO, it's smarter to give that task to the DHCP server. Even so, I'm not sure what client support there is for sending GSSAPI messages. With that said, you CAN manage your zones dynamically using BIND+Linux, you'd just want to secure that via TSIG or IP (even just the DNS server itself) for updates apart from the DHCP Server.

I guess it's somewhat complicated... but pretty easy if you know how DNS and DHCP work... difficult if you ASSUME that Microsoft's versions work.. because they DO NOT... at least not with non-Windows hosts.