Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: basselope on March 27, 2018, 04:29:27 pm

Title: [SOLVED] How to set up domain login to Zentyal DC from Linux (Mint) clients?
Post by: basselope on March 27, 2018, 04:29:27 pm
Hello,

I can successfully add a Linux workstation to the Zentyal domain using the instructions at

https://wiki.zentyal.org/wiki/Authenticating_Linux_client_against_Samba

However, I am having some trouble figuring out how to allow ANY existing domain user to log in from any Linux client.

We are a small setup with a mix of Windows and Linux and several of us work part-time, hence we need to share our computers among a few users.

I have installed system-config-samba (if it doesn't start, use sudo touch /etc/libuser.conf) on the clients and had some tries but the help is insufficient.

At the moment, I can only log in with local users I have created.
Though I can manually get the Kerberos tickets with kinit, if I try to log in with a domain account that does not have a local account on the client yet, I get a "wrong password" message.

What I want to achieve is

- credentials verified against Zentyal
- if good, user logged in and a local user with some /homedir created if it's the first login
- if not good, fall back to some low-privilege local account

Can someone please explain to me how to configure the server and user settings in system-config-samba?



Title: Re: How to set up domain login to Zentyal DC from Linux (Mint) clients?
Post by: ovecka on March 27, 2018, 06:45:39 pm
The easiest way to join a Linux computer to a Zentyal PDC is through pbis-open package.

Files:
https://github.com/BeyondTrust/pbis-open/releases

Guides:
https://github.com/BeyondTrust/pbis-open/wiki/Documentation

You can find more straightforward step-by-step guides on the web.

https://linoxide.com/ubuntu-how-to/configure-pbis-join-ubuntu-windows-ad/
Title: Re: How to set up domain login to Zentyal DC from Linux (Mint) clients?
Post by: basselope on March 28, 2018, 02:08:13 pm
Thanks ovecka:

I checked the package and it does do a good job joining a machine to the domain + is more straightforward.

However, it does not solve the question of how to allow any valid domain user to log in from that machine.
Title: Re: How to set up domain login to Zentyal DC from Linux (Mint) clients?
Post by: ovecka on March 30, 2018, 12:45:20 pm
If I understand it correctly, you successfully joined the domain with pbis-open but are unable to log in to the workstation using AD credentials. You can see the connection in /opt/pbis/bin/get-status and that workstation is visible in the Zentyal web interface. Is that right?

If that's the case, there should be no problem for your users to log in. There might be two causes for that:

1) You used bash to join the domain (domainjoin-cli) and didn't specify the domain prefix:
Code:
domainjoin-cli join yourdomain.com adminuser
Test that by trying to log in from the terminal:
Code:
su - testuser
No passwd entry for 'testuser'

vs (mind the capitals and double backslash)

Code:
su - YOURDOMAIN\\testuser
$

You can either log in by using the domain prefix or (which is easier) run the pbis-open config tool to handle it:
Code:
sudo /opt/pbis/bin/config AssumeDefaultDomain true

2) Your users can actually log in from bash, but your greeter (login screen) doesn't show them or allow them to specify their username.

On my Mint 18 machines I solve this by adding:

Code:
greeter-hide-users=true
greeter-show-manual-login=true

to /etc/lightdm/lightdm.conf.d/70-linuxmint.conf.


Also, keep in mind that it is a good habit to set bash as the default shell and to set users' home directories to something more appropriate (%H/%U in my case), as described in the guide on linoxide. Suit that to your liking.
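As an added example (not code from this thread, from pbis-open or from Zentyal), the following POSIX shell helpers turn the two checks in the reply above into a small audit you can run on a joined client: whether the name service resolves a domain user bare or only as DOMAIN\\user (the AssumeDefaultDomain question), and whether the lightdm fragment enables manual login on the greeter. It assumes getent is installed and that pbis-open has registered its NSS module so getent sees domain users; the lightdm fragment it writes is a constructed sample, and YOURDOMAIN is a placeholder for your own NetBIOS domain name.

```shell
#!/bin/sh
# Added example: audit helpers for a pbis-open joined Linux client.
# Not from the thread, pbis-open or Zentyal. Assumes getent is available and
# that pbis-open's NSS module is active, so domain users show up in getent.

# resolve_user NAME: 0 if the name service (local files, then pbis/lsass)
# knows NAME. getent never prompts for a password, so it is a quieter probe
# than `su - NAME` and shows the same "No passwd entry" condition.
resolve_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# login_form USER DOMAIN: print the spelling this client accepts for USER.
# The bare name works once AssumeDefaultDomain is true; otherwise the user
# must type DOMAIN\USER (doubled backslash on a shell command line).
login_form() {
    if resolve_user "$1"; then
        printf '%s\n' "$1"
    elif resolve_user "$2\\$1"; then
        printf '%s\\%s\n' "$2" "$1"
    else
        printf 'no passwd entry for %s (bare or %s\\%s)\n' "$1" "$2" "$1" >&2
        return 1
    fi
}

# ini_value FILE KEY: value of the last "KEY = value" line in FILE, with
# comments skipped and surrounding whitespace stripped. The last line wins
# because lightdm merges every fragment in lightdm.conf.d in order.
ini_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            }
        }
        END { print v }
    ' "$1"
}

# greeter_manual_login_ok FILE: 0 when both settings from the reply are true,
# i.e. the greeter hides the (local-only) user list and offers a name field.
greeter_manual_login_ok() {
    [ "$(ini_value "$1" greeter-hide-users)" = true ] &&
    [ "$(ini_value "$1" greeter-show-manual-login)" = true ]
}

# Demo on a constructed fragment. On a real Mint client point it at
# /etc/lightdm/lightdm.conf.d/70-linuxmint.conf instead.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Seat:*]
# constructed sample mirroring the settings from the reply
greeter-hide-users = true
greeter-show-manual-login=true
EOF
if greeter_manual_login_ok "$SAMPLE_CONF"; then
    echo "greeter: manual login enabled"
else
    echo "greeter: add greeter-hide-users=true and greeter-show-manual-login=true"
fi
rm -f "$SAMPLE_CONF"

# root always resolves bare; swap in a real domain account to see whether
# your client still needs the YOURDOMAIN\ prefix.
login_form root YOURDOMAIN || true
```

Run it as an unprivileged user; none of the checks need root. If `login_form someuser YOURDOMAIN` prints `YOURDOMAIN\someuser`, the client only resolves prefixed names and `sudo /opt/pbis/bin/config AssumeDefaultDomain true` is the fix; if it prints nothing and reports "no passwd entry", the join or the NSS registration is the problem, not the greeter.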
Title: Re: How to set up domain login to Zentyal DC from Linux (Mint) clients?
Post by: basselope on April 03, 2018, 04:09:41 pm
Thanks!

It was actually easier than expected but your advice put me on the right track.

Looks like Kerberos was having a hiccup trying to generate TGTs because the users existed on the domain but they had never logged in from the command line.

As the domain is not in full production I have been able to issue password changes on the domain controller + connect to the DC via ssh with each user.

This has generated the initial info and I can now log in with any valid domain user from my Linux machines as well.