here're some of my notes from a problem install...
* get likewise via wget; otherwise you may receive md5 checksum integrity errors.
* the system must have a permanent hostname even if it is a DHCP client; on rhel set it in /etc/sysconfig/network: HOSTNAME=fqdn
* if you receive this error after issuing /opt/likewise/bin/domainjoin-cli join DOMAIN account:
    Error: Lsass Error [code 0x00080047]
  it may be an artifact of the clocks being off, see: http://www.likewise.com/community/index.php/forums/viewthread/269/ solution: sync the clocks and try again.
* the ad domain should be given as a fqdn, and the ms-dns server must be reachable by the client.
...
during the process of joining the domain, likewise complained of a segfault. the system did join the domain; testing the domain showed the correct ad entries and krb ticket exchanges. a user was able to auth as others via the local system, but not via remote means. after further debugging, i noticed a lack of pam.d configuration changes. the segfault was probably related to /lib/security (pam modules): debugging the auth process via ssh found that the likewise-provided pam object is faulty. the same problem is probably related to the vintela subsystem not honoring ssh logons, only su commands. solution: remove pam_vas3.so from the entries in the pam.d conf files.
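a scripted form of that fix, added here as an example (it is not from the original notes and not a likewise or vintela tool): strip a named module from every file in a pam.d directory, leaving a backup of each file it rewrites and leaving comment lines alone. the module is matched both as a bare name (pam_vas3.so) and as a path ending in it (/lib/security/pam_vas3.so). run it as root against /etc/pam.d; the directory and file names in the usage line are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): remove a PAM module from every
# pam.d file, as the notes' fix does for pam_vas3.so, keeping a backup of each
# file touched. Comment lines are left alone; a module reference is matched as a
# bare name (pam_vas3.so) or as a path ending in it (/lib/security/pam_vas3.so).

# Print the number of active (non-comment) lines in FILE that load MODULE.
count_pam_module() {
    awk -v mod="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == mod || $i ~ ("/" mod "$")) { n++; break } }
        END { print n + 0 }' "$1"
}

# Remove active lines loading MODULE from FILE, saving the original as FILE.pre-likewise.
# Returns 0 when the file was rewritten, 2 when it did not reference the module.
strip_pam_module() {
    file=$1 mod=$2
    [ "$(count_pam_module "$file" "$mod")" -gt 0 ] || return 2
    cp -p "$file" "$file.pre-likewise" || return 1
    awk -v mod="$mod" '
        /^[[:space:]]*#/ { print; next }
        { for (i = 1; i <= NF; i++) if ($i == mod || $i ~ ("/" mod "$")) next }
        { print }' "$file.pre-likewise" > "$file"
}

# Apply strip_pam_module to every regular file in a pam.d directory, skipping
# the backups it creates itself. Prints the files it changed.
strip_pam_module_from_dir() {
    dir=$1 mod=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pre-likewise) continue ;; esac
        if strip_pam_module "$f" "$mod"; then printf 'rewrote %s\n' "$f"; fi
    done
}

# usage (as root): strip_pam_module_from_dir /etc/pam.d pam_vas3.so
```

after running it, count_pam_module on each file should report 0 for pam_vas3.so while the pam_unix.so and likewise lines are untouched; the .pre-likewise copies let you put a file back if an ssh logon test still fails.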
...
order of likewise re-starts (strict order):
1. netlogond
2. lwiod
3. dcerpcd
4. eventlogd
5. lsassd
...
likewise nsswitch config:
    passwd:     files lsass
    shadow:     files
    group:      files lsass
    hosts:      files dns
    bootparams: files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   files
    publickey:  files
    automount:  files
    aliases:    files
* put ldap entries after lsass. otherwise, this error will appear:
    Error: Manual configuration required [code 0x0000a606]
    The configuration stage 'enable/disable Likewise nsswitch module' cannot be completed automatically. Please manually perform the following steps and rerun the domain join: Remove the passwd_compat and/or group_compat lines and use passwd and group instead. This cannot be done automatically because your system has a non-default nsswitch configuration.
...
likewise user directory conf is here: /etc/likewise/lsass.conf
order of operation; automatic creation of dirs doesn't always work, so by hand:
    # mkdir user
    # chown TEST-AD\\user.users user
    # su - TEST-AD\\user
    $ touch new
    $ ls -la
    drwxr-xr-x 2 TEST-AD\user users               4096 Aug  7 15:07 .
    drwxr-xr-x 3 root         root                4096 Aug  7 15:06 ..
    -rw-r--r-- 1 TEST-AD\user TEST-AD\domain^users   0 Aug  7 15:07 new
...
* time; are the clocks between client & ad controller in sync? five minute differences = expired kerberos tickets.
* check resolv.conf; is the ms-dns server present? the client must be able to contact it to determine srv records.
* nsswitch; make certain dns is present for hosts. files alone won't cut it.
...
likewise is supposed to auto-create dirs when the appropriate user logs on. ssh in as test-ad\\uid, e.g.:
    ssh test-ad\\test@test01
notice the pwd. the test-ad account home is defined as /opt/TEST-AD/uid; this is defined here: /etc/likewise/lsass.conf
uids are case sensitive. uids are wacky, since they take after the windows sid. if you're on the system, try:
    getent passwd test-ad\\test
    TEST-AD\test01:x:1032324191:1032323585:qa:/opt/TEST-AD/test:/bin/bash
i've added test-ad\\test to the sudoers file.
if changes are made to /etc/likewise/lsass.conf (don't) or if there are logon issues, issue the following:
    # /sbin/service lsassd stop
    # rm -f /var/lib/likewise/db/lsass-adcache.db
    # rm -f /var/lib/likewise/db/lsass-local.db
    # /sbin/service lsassd start
curious about domain account status:
    # /opt/likewise/bin/domainjoin-cli query
    Name = test01
    Domain = TEST-AD.TLD
    Distinguished Name = CN=TEST,CN=Computers,DC=test-ad,DC=TLD
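the by-hand mkdir/chown from the earlier note and the getent lookup above, combined into one script as an added example (not from the original notes, not a likewise tool): the home path, uid and gid are taken from the account's own passwd record as lsass returns it, so nothing is typed by hand and chown gets numeric ids instead of a DOMAIN\user name that needs quoting. the HOME_ROOT prefix is an assumption added so the function can be exercised outside /opt; the cache reset is the notes' own command sequence wrapped in a function.

```shell
#!/bin/sh
# Added example (not from the original notes). Provisions a home directory for
# an AD account the way the notes do by hand (mkdir, chown, su), but driven by
# the account's getent passwd record so the uid/gid and home path come from
# lsass rather than being typed. HOME_ROOT is an assumed prefix for testing.

# Print field N (1-based) of a passwd(5) record; the DOMAIN\user name is field 1.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Look up an account through nsswitch (files then lsass, per the notes) and print its record.
passwd_record() {
    getent passwd "$1"
}

# Create the home directory named in a passwd record, owned by its numeric uid:gid,
# mode 0700 (the notes' hand-made dir was 0755; a home needs no world access).
# Prints the directory created or found.
ensure_home_from_record() {
    record=$1
    uid=$(passwd_field "$record" 3)
    gid=$(passwd_field "$record" 4)
    home=$(passwd_field "$record" 6)
    dir="${HOME_ROOT:-}$home"
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chmod 0700 "$dir" || return 1
        # chown needs root; when run unprivileged (tests) the directory is left
        # owned by the caller rather than failing.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$uid:$gid" "$dir" || return 1
        fi
    fi
    printf '%s\n' "$dir"
}

# Flush the lsass caches exactly as in the notes. Until lsassd repopulates them
# from a reachable DC, cached (offline) logons for domain users are unavailable.
reset_lsass_cache() {
    /sbin/service lsassd stop
    rm -f /var/lib/likewise/db/lsass-adcache.db /var/lib/likewise/db/lsass-local.db
    /sbin/service lsassd start
}

# usage (as root): ensure_home_from_record "$(passwd_record 'TEST-AD\test')"
```

if getent returns nothing for the account, that is the nsswitch or cache problem from the notes, not a home directory problem; check the passwd: line lists lsass and, if it does, run reset_lsass_cache before trying again.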