Friday, July 16, 2010

likewise is fun

sometimes i like to make my linux boxes join active directory domains.  just because.  the whole goofing around with native kerberos setups can be a bear, especially when you have to start throwing around service account credentials on untrusted systems.  likewise is a good candidate to get around that whole hornet nest.  and!  since we're using linux, your nsswitch and pam stacks can still call ldap; just make sure you've got the correct precedence down.

here're some of my notes from a problem install...

* getting likewise best via wget; otherwise possibly will receive md5 checksum integrity errors.

* system must have perm name even if DHCP client; rhel set in /etc/sysconfig/network

* if receive error after issuing:
/opt/likewise/bin/domainjoin-cli join DOMAIN account 
Error: Lsass Error [code 0x00080047]
maybe an artifact of clocks being off, vid.:

solution; synch clocks.  try again.

* ad domain should be in fqdn and ms-dns reachable by client.


during process of joining domain, likewise complains of segfault.
system did join domain; tested domain and did see correct ad entries and krb ticket exchanges.
user able to auth as others via local system; not so via remote means.

after further debugging, noticed a lack of pam.d configuration changes.
segfault was probably related to /lib/security (pam modules); as debugging auth processes via ssh
found that the likewise provided object for pam is faulty.

the same problem is probably related to vintela subsystem not honoring ssh logons, only su commands.
solution:  remove from entries in pam.d conf files.


order of likewise re-starts:
1. netlogond
2. lwiod
3. dcerpcd
4. eventlogd
5. lsassd
* strict order


likewise nsswitch config:

passwd:     files lsass
shadow:     files
group:      files lsass

hosts:      files dns

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  files
automount:  files
aliases:    files
* throw ldap entries after likewise.

otherwise, this error'll appear:

Error: Manual configuration required [code 0x0000a606]

The configuration stage 'enable/disable Likewise nsswitch module' cannot be completed automatically. Please manually perform the
following steps and rerun the domain join:

Remove the passwd_compat and/or group_compat lines and use passwd and group instead. This cannot be done automatically because your
system has a non-default nsswitch configuration.


likewise user directories conf is here: /etc/likewise/lsass.conf

order of operation, automake of dirs doesn't always work...

# mkdir user
# chown TEST-AD\\user.users user
# su - TEST-AD\\user
$ touch new
$ ls -la

drwxr-xr-x  2 TEST-AD\user     users              4096 Aug  7 15:07 .
drwxr-xr-x  3 root             root               4096 Aug  7 15:06 ..
-rw-r--r--  1 TEST-AD\user     TEST-AD\domain^users    0 Aug  7 15:07 new

time; are the clocks between client & ad controller in sync? five minute differences = expired kerberos tickets.

check resolv.conf;  is the ms-dns server present? must be able to contact to determine srv reconds

nsswitch; make certain dns is present for hosts.  files alone won't cut it.

likewise is supposed to auto-create dirs when the appropriate 
user logs on.
ssh in as test-ad\\uid ; e.g.:
ssh test-ad\\test@test01

notice the pwd.  defined test-ad account home as /opt/TEST-AD/uid
this is defined here:  /etc/likewise/lsass.conf

uids are case sensitive
uids are wacky; since they take after windows sid
if you're on the system, try:  getent passwd test-ad\\test

i've added test-ad\\test to the sudoers file

if changes are made to /etc/likewise/lsass.conf (don't) or 
if there are logon issues, issue the following:
# /sbin/service lsassd stop
# rm -f /var/lib/likewise/db/lsass-adcache.db
# rm -f /var/lib/likewise/db/lsass-local.db
# /sbin/service lsassd start

curious about domain account status:
# /opt/likewise/bin/domainjoin-cli query
Name = test01
Domain = TEST-AD.TLD
Distinguished Name = CN=TEST,CN=Computers,DC=test-ad,DC=TLD

Post a Comment