# Error in joining to Active Directory

## treyb

I am trying to join my gentoo box to Active Directory and I get the following error/errors:

```
localhost ~ # net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Using short domain name -- UFAD
Joined 'AT-TREYLINUX' to realm 'ad.ufl.edu'
[2011/10/12 06:36:56.842488,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password AT-TREYLINUX$@AD.UFL.EDU failed: Preauthentication failed
DNS update failed!
```

What am I doing wrong and why can't I join Active Directory?

Here is the /etc/samba/smb.conf file:

```
[global]
   workgroup = UFAD
   server string = Samba Server %v
   load printers = no
   log file = /var/log/samba/log.%m
   max log size = 50
   interfaces = lo eth0
   bind interfaces only = yes
   hosts allow = 10.32. 10.242. 128.
   hosts deny = 0.0.0.0/0
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   smb ports = 139
   security = ADS
   realm = AD.UFL.EDU
   password server = 128.227.0.242
   winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/zsh
   client use spnego = yes
   client ntlmv2 auth = yes
   winbind use default domain = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   disable netbios = no
   dos charset = ASCII
   unix charset = UTF8
   display charset = UTF8
   #Uncomment if your domain controller requires LDAP signing.
   #client ldap sasl wrapping = seal
```

Here is the /etc/conf.d/net:

```
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# please review /usr/share/doc/openrc/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).
config_eth0=( "dhcp" )
dns_domain_lo="UFAD"
```

Here is /etc/hosts:

```
# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the for
# local hosts that share this file.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#
# IPv4 and IPv6 localhost aliases
127.0.0.1       at-treylinux.at.ufl.edu localhost at-treylinux
```

----------

## treyb

Please I need help with this

----------

## treyb

can anyone please help me with this?

----------

## nativemad

Hi, 

It's been quite a long time since I last did that, and I remember that I always got a negative answer during "net ads join", even when samba was able to use it afterwards (I suspected a timing problem back then, and we've got a damn complicated ADS setup here).

- I always have a second /etc/hosts line with the external address of the machine itself, just in case.

- I'm also unable to update the DNS record manually (net ads dns register -u myaduser) due to some special restrictions here, but it works flawlessly for domain lookups like `wbinfo -r myaduser`.

So please check first if it is not already working!  :Wink:

Can you post your /etc/krb5.conf?

Do you have any interesting samba logs?

Do you see anything special on the DC's eventlog?

Is the computer object within the ADS? I had to create mine manually first...

HTH, Cheers.

----------

## treyb

Thank you for your reply, I went to retry to join Active Directory and now I get the below:

```
# net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
```

So not sure what the issue was, I tested it the way you suggested and got (so I guess it is not already joined):

```
# wbinfo -r at-adm-treyb
Could not get groups for user at-adm-treyb
```

Here is my krb5.conf file:

```
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
   ticket_lifetime = 24000
   clock_skew = 300
   default_realm = AD.UFL.EDU
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true

[realms]
   AD.UFL.EDU = {
       kdc = UFDC01.AD.UFL.EDU:88
       admin_server = UFDC01.AD.UFL.EDU:464
       default_domain = AD.UFL.EDU
   }

[domain_realm]
   .AD.UFL.EDU = AD.UFL.EDU
   AD.UFL.EDU = AD.UFL.EDU
```

There is no krb5.log, and I don't know where to find the samba log file.

----------

## nativemad

Ok, looks like kerberos itself now...

It should be "clockskew" instead of "clock_skew", and I increased it to 600, just in case (have a look at your system's clock and probably also the one on your DC).

I also do not have the timesync variable set, and have no ticket_lifetime or ccache_type either.

You should be able to leave the ports out in the realms section, as they should get looked up via DNS.

Also I do not have an entry for kdc at all.

But I have something like that under realms (as domain would represent the short netbios domain name):

```
[realms]
        DOMAIN.WHOLE.NAME = {
                admin_server = DC.DOMAIN.WHOLE.NAME
                default_domain = DOMAIN.WHOLE.NAME
                v4_instance_convert = {
                        domain = domain.whole.name
                }
        }
```

the samba logs should get into /var/log/samba/

----------

## treyb

I changed krb5.conf to:

```
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
   clockskew = 600
   default_realm = AD.UFL.EDU
   kdc_timesync = 1
   forwardable = true
   proxiable = true

[realms]
   AD.UFL.EDU = {
       admin_server = UFDC01.AD.UFL.EDU
       default_domain = AD.UFL.EDU
       v4_instance_convert = {
           domain = ad.ufl.edu
       }
   }

[domain_realm]
   .AD.UFL.EDU = AD.UFL.EDU
   AD.UFL.EDU = AD.UFL.EDU
```

and I still get:

```
# net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
```

Here is a log file.

```
# cat log.smbd
[2011/10/14 09:57:35.454517,  0] printing/print_cups.c:109(cups_connect)
  Unable to connect to CUPS server /var/run/cups/cups.sock:631 - No such file or directory
[2011/10/14 09:57:35.475773,  0] printing/print_cups.c:468(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2011/10/14 09:57:35.476043,  1] smbd/server.c:282(remove_child_pid)
  Could not find child 4263 -- ignoring
[2011/10/14 09:59:35,  0] smbd/server.c:1141(main)
  smbd version 3.5.11 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/10/14 09:59:35.277516,  0] printing/print_cups.c:109(cups_connect)
  Unable to connect to CUPS server /var/run/cups/cups.sock:631 - No such file or directory
[2011/10/14 09:59:35.277632,  0] printing/print_cups.c:468(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2011/10/14 09:59:35.896831,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password LOCALHOST$@AD.UFL.EDU failed: Client not found in Kerberos database
[2011/10/14 09:59:35.897111,  0] printing/nt_printing.c:627(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2011/10/14 10:02:36.051763,  0] printing/print_cups.c:109(cups_connect)
  Unable to connect to CUPS server /var/run/cups/cups.sock:631 - No such file or directory
[2011/10/14 10:02:36.051888,  0] printing/print_cups.c:468(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2011/10/14 10:02:36.052146,  1] smbd/server.c:282(remove_child_pid)
  Could not find child 2362 -- ignoring
```

----------

## nativemad

That "domain" should correspond to the netbios shortname of your domain. This should be the same as the workgroup statement in smb.conf. This should be the domain name that is shown at the bottom of a windows login screen... normally it is just the first string of the whole name. (I think that also your smb.conf's "UFAD" is a bit wrong...)

```
v4_instance_convert = {
           ad = ad.ufl.edu
       }
```

Please start cups first, as this will then not pollute your samba logs unnecessarily.   :Wink:

----------

## treyb

I changed the UFAD to AD.UFL.EDU in smb.conf and I got this:

```
net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: Invalid configuration ("workgroup" set to 'AD.UFL.EDU', should be 'UFAD') and configuration modification was not requested
```

When I change it back I get:

```
net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
```

----------

## nativemad

*treyb wrote:*

> I changed the UFAD to AD.UFL.EDU in smb.conf and I got this:

No no, it should be the shortname (netbios). Commonly this is just the first part of the domain string, but could be UFAD in your case!?

The default domainname looks something like "company.local". The netbios name would then be just "companyname".

On a windows host that is logged on to the domain, you can find this info in a cmd.exe window by typing "echo %USERDOMAIN%".

That link is done for kerberos with the "v4_instance_convert" declaration in krb5.conf.

Did you get the computer object within the active directory?

----------

## treyb

Everything I try I get:

```
net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Failed to join domain: failed to join domain 'AD.UFL.EDU' over rpc: NT_STATUS_INTERNAL_ERROR
```

How do I fix that? My new files are:

```
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
   clockskew = 600
   default_realm = AD.UFL.EDU
   kdc_timesync = 1
   forwardable = true
   proxiable = true

[realms]
   AD.UFL.EDU = {
       admin_server = UFDC01.AD.UFL.EDU
       default_domain = AD.UFL.EDU
       v4_instance_convert = {
           ad = ad.ufl.edu
       }
   }

[domain_realm]
   .AD.UFL.EDU = AD.UFL.EDU
   AD.UFL.EDU = AD.UFL.EDU
```

and 

```
cat /etc/samba/smb.conf
[global]
   workgroup = UFAD
   server string = Samba Server %v
   load printers = no
   log file = /var/log/samba/log.%m
   max log size = 50
   interfaces = eth0
   bind interfaces only = yes
   hosts allow = 10.32. 10.242. 128.
   hosts deny = 0.0.0.0/0
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = yes
   smb ports = 139
   security = ADS
   realm = AD.UFL.EDU
   password server = 128.227.0.242
   winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/zsh
   client use spnego = yes
   client ntlmv2 auth = yes
   winbind use default domain = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   disable netbios = no
   dos charset = ASCII
   unix charset = UTF8
   display charset = UTF8
   #Uncomment if your domain controller requires LDAP signing.
   #client ldap sasl wrapping = seal
```

----------

## nativemad

Please find out first what your short netbios domainname is! echo %USERDOMAIN% on windows will tell you that. Please replace the "*shortdomainname*" with that value!

I disabled a few things and added a few others....

```
default = FILE:/var/log/krb5.log

[libdefaults]
   clockskew = 600
   default_realm = AD.UFL.EDU
   #kdc_timesync = 1   <-disabled
   forwardable = true
   proxiable = true
   allow_weak_crypto = true  <-added, just to get sure

[realms]
   AD.UFL.EDU = {
       admin_server = UFDC01.AD.UFL.EDU
       default_domain = AD.UFL.EDU
       v4_instance_convert = {
          *shortdomainname* = ad.ufl.edu  <-replace with your domain shortname, uncapitalized
       }
   }

[domain_realm]
   .ad.ufl.edu = AD.UFL.EDU  <-uncapitalized
   ad.ufl.edu = AD.UFL.EDU   <-uncapitalized
```

```
[global]
   workgroup = *shortdomainname*   <-replace with your domain shortname in capital letters
   server string = Samba Server %v
   load printers = no
   log file = /var/log/samba/log.%m
   max log size = 50
   interfaces = eth0
   bind interfaces only = yes
   #hosts allow = 10.32. 10.242. 128.    <-is this the right syntax!? disabled for now...
   #hosts deny = 0.0.0.0/0      <-really!? disabled for now...
   encrypt passwords = yes
   #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192    <- leave the default here, as 8192 could decrease your loopback performance...
   #dns proxy = yes   <-just leave the default here...
   smb ports = 139    <-default values should work also here
   security = ADS
   realm = AD.UFL.EDU
   password server = 128.227.0.242       <- is this the IP of UFDC01.AD.UFL.EDU???
   #winbind separator = /   <-should not be necessary, at least not for joining the domain
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   #template homedir = /home/%D/%U   <-disabled for now
   #template shell = /bin/zsh                <- disabled for now
   #client use spnego = yes                <- disabled for now
   #client ntlmv2 auth = yes                <- disabled for now
   #winbind use default domain = yes                <- disabled for now
   #restrict anonymous = 2                <- disabled for now
   domain master = no
   local master = no
   preferred master = no
   #os level = 0                <- disabled for now
   disable netbios = no
   dos charset = ASCII
   unix charset = UTF8
   display charset = UTF8
   netbios name = *thesambaservershostnamehere*   <-please add your hostname!
```
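Added example, not code from the thread or from Samba: a POSIX shell checker for the smb.conf / krb5.conf mistakes the last few posts turn on (workgroup set to the DNS realm instead of the NetBIOS short name, realm case, krb5.conf disagreeing with smb.conf, missing lower-case [domain_realm] mapping). It assumes the two files are passed as arguments and uses only the key names shown in the posted configs.

```shell
#!/bin/sh
# Pre-join consistency check for smb.conf and krb5.conf (added example, not from the thread).

# ini_get FILE KEY [exact]: print the value of the first "KEY = value" line.
# Comments are skipped and section headers are ignored. The key match is
# case-insensitive (Samba ignores case in smb.conf) unless a third argument is
# given; krb5.conf [domain_realm] keys are looked up case-sensitively, so the
# thread's advice to write them in lower case is checked that way.
ini_get() {
    awk -v k="$2" -v exact="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        {
            i = index($0, "=")
            if (i == 0) next                         # not a "key = value" line
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            hit = (exact != "") ? (key == k) : (tolower(key) == tolower(k))
            if (hit) { print val; exit }
        }' "$1"
}

# check_join_config SMB_CONF KRB5_CONF: print one PROBLEM line per finding and
# return the number of findings (0 means the two files agree).
check_join_config() {
    smb=$1; krb=$2; n=0
    workgroup=$(ini_get "$smb" workgroup)
    realm=$(ini_get "$smb" realm)
    security=$(ini_get "$smb" security | tr '[:upper:]' '[:lower:]')
    default_realm=$(ini_get "$krb" default_realm)
    realm_uc=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    realm_lc=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')

    # 1. A Kerberos ("net ads") join needs security = ADS.
    if [ "$security" != "ads" ]; then
        echo "PROBLEM: security = '$security' (need ADS)"; n=$((n + 1))
    fi
    # 2. Kerberos realm names are case-sensitive; an AD realm is the DNS name in upper case.
    if [ -z "$realm" ] || [ "$realm" != "$realm_uc" ]; then
        echo "PROBLEM: realm = '$realm' (AD DNS name in upper case expected)"; n=$((n + 1))
    fi
    # 3. workgroup is the NetBIOS short name (echo %USERDOMAIN% on a Windows member),
    #    never the DNS realm: this is the "should be 'UFAD'" error from the thread.
    case "$workgroup" in
        "" | *.*) echo "PROBLEM: workgroup = '$workgroup' (NetBIOS short name expected)"; n=$((n + 1)) ;;
    esac
    # 4. NetBIOS names are limited to 15 characters.
    if [ "${#workgroup}" -gt 15 ]; then
        echo "PROBLEM: workgroup '$workgroup' is longer than 15 characters"; n=$((n + 1))
    fi
    # 5. krb5.conf and smb.conf must name the same realm, byte for byte.
    if [ "$default_realm" != "$realm" ]; then
        echo "PROBLEM: krb5.conf default_realm = '$default_realm', smb.conf realm = '$realm'"; n=$((n + 1))
    fi
    # 6. [domain_realm] must map the lower-case DNS domain to the realm.
    if [ -n "$realm" ] && [ "$(ini_get "$krb" ".$realm_lc" exact)" != "$realm" ]; then
        echo "PROBLEM: krb5.conf lacks '.$realm_lc = $realm' under [domain_realm]"; n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh check_join.sh /etc/samba/smb.conf /etc/krb5.conf
if [ "$#" -eq 2 ]; then
    check_join_config "$1" "$2" && echo "OK: smb.conf and krb5.conf are consistent"
fi
```

Run it before each "net ads join" attempt; a clean run does not prove the join will succeed (DNS, time and the computer object still matter), but any PROBLEM line is a known cause of the errors quoted in this thread.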

----------

## treyb

OK,  I made all the changes and I got some progress:

```
# net ads join -U at-adm-treyb
Enter at-adm-treyb's password:
Using short domain name -- UFAD
Joined 'AT-TREYLINUX' to realm 'ad.ufl.edu'
DNS update failed!
```

When I run echo %USERDOMAIN% in my windows box I get UFAD.  Which is what I have been using for the most part.  I do apologize if I seem a little slow, but I am learning and I am converting from windows to linux.  I chose Gentoo because I didn't want to grab a distro that is thrown on and just run (linux for idiots style), I want to know what was being done, I wanted to learn how linux works from the ground up.

Anyway, I wasn't sure if the netbios name was the box that I am actually trying to join or not, but here is the updated smb.conf.  The previous password server was what came up as the name server in windows.  ufdc01 is the domain controller that I am supposed to use for linux.

I thank you for all your help so far and any more you are willing to give  :Wink: 

```
cat /etc/samba/smb.conf
[global]
   workgroup = UFAD
   server string = Samba Server %v
   load printers = no
   log file = /var/log/samba/log.%m
   max log size = 50
   interfaces = eth0
   bind interfaces only = yes
   #hosts allow = 10.32. 10.242. 128.
   #hosts deny = 0.0.0.0/0
   encrypt passwords = yes
   #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   #dns proxy = yes
   smb ports = 139
   security = ADS
   realm = AD.UFL.EDU
   password server = 10.5.187.250
   #winbind separator = /
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   #template homedir = /home/%D/%U
   #template shell = /bin/zsh
   #client use spnego = yes
   #client ntlmv2 auth = yes
   #winbind use default domain = yes
   #restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   #os level = 0
   disable netbios = no
   dos charset = ASCII
   unix charset = UTF8
   display charset = UTF8
   netbios name = at-treylinux
```

----------

## nativemad

No problem at all.  :Razz: 

It is really not the easiest task to start with, if one is not familiar with Domain/kerberos/dns/samba stuff...

Back to your problem: 

What do you have as nameserver in /etc/resolv.conf? Is there the domain DNS server? (This is commonly the DC itself)

By the way: I also get these DNS registering errors, even if the record is set and everything works.

What do you get with the following command?

```
net ads status -U at-adm-treyb 
```

 and/or 

```
net ads testjoin -u at-adm-treyb
```

To issue just the DNS update:

```
net ads dns register -U at-adm-treyb
```

Another sidenote: You'll get a list of options with "net ?" and "net ads ?" as well as "net ads dns ?" and so on...   :Wink: 

I suppose you don't have access to the DC's eventlog?!

----------

## treyb

*Quote:*

> By the way: I also get these DNS registering errors, even if the record is set and everything works.
>
> What do you get with the following command?
>
> Code:
> ...

Here is what I got:

```
# net ads status -U at-adm-treyb
Enter at-adm-treyb's password:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: at-treylinux
distinguishedName: CN=at-treylinux,OU=Workstations,OU=Computers,OU=WSG,OU=AT,OU=IT,OU=PROVOST,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
instanceType: 4
whenCreated: 20111003112511.0Z
whenChanged: 20111018113504.0Z
uSNCreated: 826468695
uSNChanged: 851214873
name: at-treylinux
objectGUID: e78c6f00-6658-4ffb-982e-99f3fe49f63c
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129628930181485185
lastLogon: 129629118139143277
localPolicyFlags: 0
pwdLastSet: 129634112925091828
primaryGroupID: 515
objectSid: S-1-5-21-1308237860-4193317556-336787646-1057491
accountExpires: 9223372036854775807
logonCount: 31
sAMAccountName: AT-TREYLINUX$
sAMAccountType: 805306369
dNSHostName: at-treylinux.at.ufl.edu
servicePrincipalName: HOST/at-treylinux.at.ufl.edu
servicePrincipalName: HOST/AT-TREYLINUX
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=ufl,DC=edu
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129634112930560508
```

```
# net ads testjoin -U at-adm-treyb
Join is OK
```

```
# net ads dns register -U at-adm-treyb
Enter at-adm-treyb's password:
DNS update failed!
```

If it helps, I still have this prompt when I ssh into the linux box:  localhost ~ #

```
localhost ~ # cat /etc/resolv.conf
# Generated by dhcpcd from eth0
# /etc/resolv.conf.head can replace this line
domain circa.ufl.edu
nameserver 128.227.8.88
nameserver 128.227.128.24
# /etc/resolv.conf.tail can replace this line
```

which is the nameserver that my windows server box uses.  And no, I don't have access to the ufdc01 logs or anything beyond using it to join the domain.

----------

## nativemad

Voilà!  :Razz: 

Your computer object is there and the testjoin seems to work also!

wbinfo should also work now.

What else do you want to achieve?

----------

## treyb

hrmm, will this stay joined to AD every time I reboot?  I also want to get it to where AD users can log in to the machine.  There are also network drives that each user should have attached when they log in.

----------

## nativemad

Yes, it should be safe to reboot and so on...

BUT that was just samba!! It is for letting windows users on your fileshares. You could also hook up squid to samba to get ADS authentication for the proxy and so on.

BUT you will now have to configure pam and its friends to be able to actually log in through a shell.

I never used it myself, and I know that a friend of mine had a hard time getting this to work properly.

I will ask him about his configs...

----------

## treyb

Ok. Even though I get OK with the net ads testjoin command, I am not able to log in with Active Directory users and still get "dns failed to update".  :Sad:

Here is what I have done so far......

```
File: /etc/nsswitch.conf
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind

mkdir /home/UFAD
cd /etc/pam.d
mv system-auth system-auth-default
ln -s system-auth-winbind system-auth
```

```
File: /etc/sudoers using visudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root    ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel  ALL=(ALL) ALL
# Allow "Domain Admins" from the domain "DOMAIN" to run all commands
%UFAD\\UFAD\ Admins  ALL=(ALL) ALL
# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL
# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
```

I have no idea why it won't allow me to log in with my active directory account, and I am not able to add the network drive.

I get:

```
mount //<server>/<share> /<mountpoint> -o username=<user>,password=<pass> 
```

And I get an error that cifs cannot connect. Honestly, I am at home and the computer is at work.  Am I even in the right ballpark?

----------

## nativemad

Hi, 

sorry for the delay!

My friend didn't make it with winbind/samba; he took ldap directly.

A service user (binddn in /etc/ldap.conf) of the AD is used here to access ldap, but I don't know if this is necessary, if anonymous read access is allowed to AD (which commonly is)!?

The domain is called domain.ltd and the DC is ldap.domain.ltd.

One special thing is the base ou, where the access gets restricted to administrative users! Set it to dc=domain,dc=ltd to let every AD user log in.

Hope that helps!   :Razz: 

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd:         files ldap [NOTFOUND=return] db
group:          files ldap [NOTFOUND=return] db
shadow:         files ldap [NOTFOUND=return] db
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

```
# /etc/nsswitch.ldap
#ident $Id: nsswitch.ldap,v 2.4 2003/10/02 02:36:25 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:      files ldap
group:      files ldap
# consult files/dns first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:      files dns ldap
# LDAP is nominally authoritative for the following maps.
services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files
# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases:    files
sendmailvars:   files
# Note: there is no support for netgroups on Solaris (yet)
netgroup:   ldap [NOTFOUND=return] files
```

```
# /etc/krb5.conf
[libdefaults]
       default_realm = DOMAIN.TLD
       dns_lookup_realm = true
       dns_lookup_kdc = true
       clockskew = 600
       forwardable = true
       proxiable = true
       allow_weak_crypto = true
       ccache_dir=/tmp

[realms]
       DOMAIN.TLD = {
       kdc = ldap.domain.tld:88
       admin_server = ldap.domain.tld:749
       default_domain = ldap.domain.tld
       v4_instance_convert = {
       domain = domain.tld
               }
}

[domain_realm]
       .domain.tld = DOMAIN.TLD
       domain.tld = DOMAIN.TLD

[logging]
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmin.log
       default = FILE:/var/log/krb5lib.log
```

```
# /etc/ldap.conf    -just the active part of the file...
# @(#)$Id: ldap.conf,v 2.49 2009/04/25 01:53:15 lukeh Exp $
host ldap.domain.ltd
# The distinguished name of the search base.
base ou=Administratve Usergroup,dc=domain,dc=ltd
binddn CN=directory search,OU=Service-Users,DC=domain,DC=ltd
bindpw topsecretuserpasswordhereinplaintext
scope sub
bind_policy soft
pam_password ad
nss_initgroups backlink
nss_schema rfc2307bis
nss_map_attribute   rfc2307attribute   mapped_attribute
nss_map_objectclass   rfc2307objectclass   mapped_objectclass
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
tls_checkpeer yes
tls_cacertfile /etc/ssl/ad.cert
tls_cacertdir /etc/ssl/certs
tls_ciphers TLSv1
tls_cert
sasl_secprops maxssf=0
krb5_ccname  FILE:/tmp/krb5cc_0
nss_reconnect_tries 4         # number of times to double the sleep time
nss_reconnect_sleeptime 1      # initial sleep value
nss_reconnect_maxsleeptime 16   # max sleep value to cap at
nss_reconnect_maxconntries 2   # how many tries before sleeping
```

```
# /etc/openldap/ldap.conf
URI     ldap://ldap.domain.ltd
BASE    dc=domain,dc=ltd
HOST    ldap.domain.ltd
TLS_CACERT     /etc/ssl/certs/adcert.pem
TLS_REQCERT     never
```

```
# /etc/pam.d/system-auth
auth            sufficient      pam_ldap.so
auth      required   pam_env.so
auth      required   pam_unix.so try_first_pass likeauth nullok
auth      optional   pam_permit.so

account         sufficient      pam_ldap.so
account      required   pam_unix.so
account      optional   pam_permit.so

password        sufficient      pam_ldap.so
password   required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   optional   pam_permit.so

session      required   pam_limits.so
session      required   pam_env.so
session      required   pam_unix.so
session      optional   pam_permit.so
```

```
# /etc/security/groups.conf
* ; * ; * ; Al0000-2400 ; floppy, audio, cdrom, video, usb, plugdev, burning, users, portage
```
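Added example, not from the thread: a POSIX shell review of the two ldap.conf files posted above, focused on how the service user's bind password is protected. It assumes the pam_ldap/nss_ldap file (/etc/ldap.conf) and the libldap file (/etc/openldap/ldap.conf) are passed as arguments; the directive names (host, uri, ssl, bindpw, tls_checkpeer, TLS_REQCERT) are the ones those files use.

```shell
#!/bin/sh
# Credential-exposure review for pam_ldap and libldap config (added example, not from the thread).

# cfg_get FILE KEY: print the value of the first "KEY value" line (case-insensitive
# key, comment lines skipped), which is the line format both ldap.conf files use.
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_ldap_config PAM_LDAP_CONF OPENLDAP_CONF: print one PROBLEM line per finding
# and return the number of findings (0 means nothing exposes the bind credentials).
check_ldap_config() {
    pamconf=$1; olconf=$2; n=0
    uri=$(cfg_get "$pamconf" uri)
    ssl=$(cfg_get "$pamconf" ssl | tr '[:upper:]' '[:lower:]')
    bindpw=$(cfg_get "$pamconf" bindpw)
    checkpeer=$(cfg_get "$pamconf" tls_checkpeer | tr '[:upper:]' '[:lower:]')
    reqcert=$(cfg_get "$olconf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')

    if [ -n "$bindpw" ]; then
        # 1. With bindpw in the file, its permissions are the only thing guarding the secret.
        perm=$(ls -l "$pamconf" | cut -c5-10)        # group and other permission bits
        if [ "$perm" != "------" ]; then
            echo "PROBLEM: $pamconf holds bindpw but is readable by group/other ($perm)"; n=$((n + 1))
        fi
        # 2. A simple bind sends that password in clear unless the session is TLS-protected.
        case "$ssl" in
            on|start_tls) ;;
            *) case "$uri" in
                   ldaps://*|LDAPS://*) ;;
                   *) echo "PROBLEM: bindpw set but no 'ssl start_tls' / 'ssl on' and uri is not ldaps://"; n=$((n + 1)) ;;
               esac ;;
        esac
    fi
    # 3. TLS_REQCERT never/allow accepts any server certificate, so TLS no longer
    #    authenticates the DC and a bind password could be sent to an impostor.
    if [ "$reqcert" = "never" ] || [ "$reqcert" = "allow" ]; then
        echo "PROBLEM: TLS_REQCERT $reqcert in $olconf does not verify the server certificate"; n=$((n + 1))
    fi
    # 4. tls_checkpeer yes (pam_ldap) and TLS_REQCERT never (libldap) contradict each other.
    if [ "$checkpeer" = "yes" ] && [ "$reqcert" = "never" ]; then
        echo "PROBLEM: tls_checkpeer yes in $pamconf but TLS_REQCERT never in $olconf"; n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh check_ldap.sh /etc/ldap.conf /etc/openldap/ldap.conf
if [ "$#" -eq 2 ]; then
    check_ldap_config "$1" "$2" && echo "OK: bind credentials are protected"
fi
```

Against the files as posted, the checker reports the plaintext bind over ldap:// and the TLS_REQCERT never setting; restricting the file to mode 0600, using ldaps:// or ssl start_tls, and TLS_REQCERT demand with the DC's CA in TLS_CACERT clears all four findings.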

----------

