[opensuse] Joining Windows domain during openSUSE 11.0 install
Problem 1: I decided that I would try to see how joining an Active Directory works in openSUSE 11.0. So, during install (not finished pending resolution of this), I have selected to join one. I have entered what I think is correct information. At some point, it will verify workgroup membership. A dialog box appears that lets you enter a user and password. The dialog offers that if I set both items to empty strings, I will be logged in anonymously. I have done this and it fails saying "Failed to join domain. User specified does not have administrator privileges." Sort of makes sense that an anonymous user would not have administrator privileges. But as I am joining a corporate Active Directory, I am hardly going to be given the Administrator password. Do I really need the corporate Active Directory's Administrator password for letting my Linux machine validate users against an AD server? If so, I find it hard to imagine this is ever used in a real corporate environment. So it must be something else. I do not see any more information on any consoles, nor in /var/log files.

Problem 2: I am doing this during an install. This step is failing, and I do not have information to make it proceed (unless some kind soul has a useful answer for problem 1). My only choices are to proceed (can't because it fails) or to abort the installation. I seem not to be able to just skip past this step. Or am I missing something? I tried looking in the process list for a likely process to kill that may make yast proceed with the install. But there was nothing obvious. Is my install screwed?

-- Roger Oberholtzer OPQ Systems / Ramböll RST Ramböll Sverige AB Kapellgränd 7 P.O. Box 4205 SE-102 65 Stockholm, Sweden Office: Int +46 8-615 60 20 Mobile: Int +46 70-815 1696 And remember: It is RSofT and there is always something under construction. It is like talking about a large city with all constructions finished. Not impossible, but very unlikely.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Mon, Sep 1, 2008 at 9:26 AM, Roger Oberholtzer <roger@opq.se> wrote:
Problem 1:
I decided that I would try to see how joining an Active Directory works in openSUSE 11.0. So, during install (not finished pending resolution of this), I have selected to join one. I have entered what I think is correct information. At some point, it will verify workgroup membership. A dialog box appears that lets you enter a user and password. The dialog offers that if I set both items to empty strings, I will be logged in anonymously. I have done this and it fails saying "Failed to join domain. User specified does not have administrator privileges." Sort of makes sense that an anonymous user would not have administrator privileges. But as I am joining a corporate Active Directory, I am hardly going to be given the Administrator password. Do I really need the corporate Active Directory's Administrator password for letting my Linux machine validate users against an AD server? If so, I find it hard to imagine this is ever used in a real corporate environment. So it must be something else. I do not see any more information on any consoles, nor in /var/log files.
I believe Windows 2003 allowed a domain user to join 10 machines to the domain. After that it requires a domain admin to add the machine to the domain. Most of us that are admins, however, normally turn that feature off and only allow domain admins or some local admins to join machines to the domain. That way, we control what gets joined to our domain and some random user can't just join machines to the domain at will. And I believe in Windows 2000 and previous that you had to be a domain admin to join a machine to the domain. So, I would bet that that is what you are running into. Your admins have locked it down so a normal user can't join the machine to the domain. You really have 2 options that I see. You can call your IT department, and they might send someone to you to join your machine to the domain for you, or you don't join to the domain and just enter your domain credentials when trying to connect to a domain resource. Even as the admin this last method is the one I usually employ. None of my linux boxen are joined to my domain.

Don't know if any of that helps, but that's my $.02 as both a linux and windows admin.

HTH Ph03nix
On Mon, 2008-09-01 at 09:54 -0500, Silent Ph03nix wrote:
I believe Windows 2003 allowed a domain user to join 10 machines to the domain. After that it requires a domain admin to add the machine to the domain. Most of us that are admins, however, normally turn that feature off and only allow domain admins or some local admins to join machines to the domain. That way, we control what gets joined to our domain and some random user can't just join machines to the domain at will. And I believe in Windows 2000 and previous that you had to be a domain admin to join a machine to the domain. So, I would bet that that is what you are running into. Your admins have locked it down so a normal user can't join the machine to the domain. You really have 2 options that I see. You can call your IT department, and they might send someone to you to join your machine to the domain for you or you don't join to the domain and just enter your domain credentials when trying to connect to a domain resource. Even as the admin this last method is the one I usually employ. None of my linux boxen are joined to my domain.
Don't know if any of that helps, but that's my $.02 as both a linux and windows admin.
I will have to see if they are running 2000 or 2003. I want to validate Linux user logins via the AD server. It is the Linux box itself that I want the users to have access to with their AD passwords, not other resources on the network. I cannot track their AD passwords manually, and they are changing all the time. Currently, they have different user/password on the Linux box than on the AD box. I am trying to get away from that.

-- Roger Oberholtzer
On Mon, Sep 1, 2008 at 10:04 AM, Roger Oberholtzer <roger@opq.se> wrote:
On Mon, 2008-09-01 at 09:54 -0500, Silent Ph03nix wrote:
I will have to see if they are running 2000 or 2003. I want to validate Linux user logins via the AD server. It is the Linux box itself that I want the users to have access to with their AD passwords, not other resources on the network. I cannot track their AD passwords manually, and they are changing all the time. Currently, they have different user/password on the Linux box than on the AD box. I am trying to get away from that.
Understood. In that case you're most likely going to have to get your IT department involved. We tend to get snippy when people try to do things on our network without getting us involved. ;-)

Ph03nix
On Mon, 2008-09-01 at 10:16 -0500, Silent Ph03nix wrote:
On Mon, Sep 1, 2008 at 10:04 AM, Roger Oberholtzer <roger@opq.se> wrote:
On Mon, 2008-09-01 at 09:54 -0500, Silent Ph03nix wrote:
I will have to see if they are running 2000 or 2003. I want to validate Linux user logins via the AD server. It is the Linux box itself that I want the users to have access to with their AD passwords, not other resources on the network. I cannot track their AD passwords manually, and they are changing all the time. Currently, they have different user/password on the Linux box than on the AD box. I am trying to get away from that.
Understood. In that case you're most likely going to have to get your IT department involved. We tend to get snippy when people try to do things on our network without getting us involved. ;-)
I have just contacted them. Our parent company is very Windows-centric. Even though they use Novell for file access, and have a site license for all Novell products. There are only a very few of us 'crazy' Linux users here. The admins are sympathetic, but prefer not to get involved. I will have to grovel a bit.

IIRC, I seem to recall that there was some weirdness about how many times a machine tries to join an AD. When you first attempt to join, some record is made. If you do not join the right way (as Linux would for authentication), there was some record on the AD that had to be deleted before you could try again. Sound familiar? Maybe something like this has happened. Or I am the victim of rumor. Again...

-- Roger Oberholtzer
On Mon, Sep 1, 2008 at 10:23 AM, Roger Oberholtzer <roger@opq.se> wrote:
On Mon, 2008-09-01 at 10:16 -0500, Silent Ph03nix wrote:
I have just contacted them. Our parent company is very Windows-centric. Even though they use Novell for file access, and have a site license for all Novell products. There are only a very few of us 'crazy' Linux users here. The admins are sympathetic, but prefer not to get involved. I will have to grovel a bit.
IIRC, I seem to recall that there was some weirdness about how many times a machine tries to join an AD. When you first attempt to join, some record is made. If you do not join the right way (as Linux would for authentication), there was some record on the AD that had to be deleted before you could try again. Sound familiar? Maybe something like this has happened. Or I am the victim of rumor. Again...
That could be what you're running up against. In AD, a computer has an account and if you got far enough to actually create that account in AD, you would probably have to be an admin to overwrite that account when you try to re-join the domain. In that case, either an admin would have to provide credentials to allow joining the domain, or they would have to go into AD and delete the computer account that had already been created. Maybe instead of having them get involved, you could have them search AD for the name of the box you are trying to add and have them delete that computer account if they can't ping it and it doesn't exist. That would be my problem as an admin: I would have to do extensive checking before I remove a computer account from AD. You might try renaming your box and seeing if you can join it then; that might tell you if you're running up against an old (or at least already existing) name in AD. One way or another, I think they're going to have to help.

HTH, Ph03nix
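The two AD-side conditions described in this thread (the per-user machine-account quota behind the "10 machines" rule, and a computer object that already exists for the hostname) can both be read from the directory before anyone spends time on a join. The following script is an added example, not code from anyone in the thread: it assumes the OpenLDAP client tools (ldapsearch with SASL/GSSAPI), a Kerberos ticket for an ordinary domain user, and placeholder domain and host names; the LDIF samples are constructed so the decision logic can be checked offline.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the quota and the existing computer
# object, then reports what an ordinary domain user can expect from 'net ads join'.
# Assumes ldapsearch with GSSAPI and a ticket from kinit; names are placeholders.

BASE_DN="${BASE_DN:-DC=example,DC=com}"          # placeholder: your domain's base DN
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"   # placeholder: a domain controller

# Print the value of one attribute from LDIF read on stdin (case-insensitive
# attribute match, first occurrence only). Exit status 1 if it is absent.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { key = $1; sub(/:$/, "", key) }
        !done && tolower(key) == want {
            line = $0; sub(/^[^:]*:[ \t]*/, "", line); print line; done = 1
        }
        END { exit !done }'
}

# Live queries (need the network and a ticket). ms-DS-MachineAccountQuota lives
# on the domain object itself; computer accounts carry sAMAccountName "HOST$".
query_quota() {
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" -s base \
        '(objectClass=*)' ms-DS-MachineAccountQuota
}
query_computer() {   # $1 = short hostname of the machine being joined
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=computer)(sAMAccountName=$1\$))" dn
}

# Offline helpers that work on LDIF text, so the logic can be checked without a DC.
quota_from_ldif()  { printf '%s\n' "$1" | ldif_attr ms-DS-MachineAccountQuota; }
computer_exists()  { printf '%s\n' "$1" | ldif_attr dn >/dev/null && echo yes || echo no; }

# Decide what a plain domain user can expect.  $1 = quota, $2 = yes|no (object present)
join_prospect() {
    if [ "$2" = yes ]; then
        echo "existing-account"     # an admin must reset or delete the object first
    elif [ "${1:-0}" -gt 0 ] 2>/dev/null; then
        echo "self-join-possible"   # each user may create up to $1 machine accounts
    else
        echo "admin-required"       # quota 0 (or unreadable): only delegated accounts
    fi
}

# Constructed sample outputs, in the shape ldapsearch -LLL prints them.
SAMPLE_QUOTA_LDIF='dn: DC=example,DC=com
ms-DS-MachineAccountQuota: 0'
SAMPLE_COMPUTER_LDIF='dn: CN=LINUXBOX,CN=Computers,DC=example,DC=com'

# End-to-end live check for one host: live_check linuxbox
live_check() {
    join_prospect "$(query_quota | ldif_attr ms-DS-MachineAccountQuota)" \
                  "$(computer_exists "$(query_computer "$1")")"
}
```

Run `kinit user@EXAMPLE.COM` and then `live_check <hostname>` from a shell that has sourced the script; "existing-account" is the case Ph03nix describes (an admin must verify the stale object before removing it), "admin-required" is the quota-zero lockdown, and only "self-join-possible" means the quota alone would let the user proceed.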
On Monday 01 September 2008 11:16, Silent Ph03nix wrote:
On Mon, Sep 1, 2008 at 10:04 AM, Roger Oberholtzer <roger@opq.se> wrote:
On Mon, 2008-09-01 at 09:54 -0500, Silent Ph03nix wrote:
I will have to see if they are running 2000 or 2003. I want to validate Linux user logins via the AD server. It is the Linux box itself that I want the users to have access to with their AD passwords, not other resources on the network. I cannot track their AD passwords manually, and they are changing all the time. Currently, they have different user/password on the Linux box than on the AD box. I am trying to get away from that.
Understood. In that case you're most likely going to have to get your IT department involved. We tend to get snippy when people try to do things on our network without getting us involved. ;-)
Ph03nix
Where I worked (I am retired) the IT department would have come completely unglued if anyone on the net tried to install Linux. Perhaps if one of the programmers could have made a case for it, but otherwise...

--doug -- Blessed are the peacemakers ... for they shall be shot at from both sides. --A.M. Greeley
Doug McGarrett wrote:
On Monday 01 September 2008 11:16, Silent Ph03nix wrote:
On Mon, Sep 1, 2008 at 10:04 AM, Roger Oberholtzer <roger@opq.se> wrote:
On Mon, 2008-09-01 at 09:54 -0500, Silent Ph03nix wrote:
I will have to see if they are running 2000 or 2003. I want to validate Linux user logins via the AD server. It is the Linux box itself that I want the users to have access to with their AD passwords, not other resources on the network. I cannot track their AD passwords manually, and they are changing all the time. Currently, they have different user/password on the Linux box than on the AD box. I am trying to get away from that.
Understood. In that case you're most likely going to have to get your IT department involved. We tend to get snippy when people try to do things on our network without getting us involved. ;-)
Ph03nix
Where I worked (I am retired) the IT department would have come completely unglued if anyone on the net tried to install Linux. Perhaps if one of the programmers could have made a case for it, but otherwise... --doug
I am jumping into this thread a bit late and not sure if I am completely off the mark. If there is any relevance, let me add that I am currently using OpenSuSE machines as member servers in w2k and w2k3 AD domains fine - users use AD credentials for access to file shares on OSS, for sendmail, for imap/pop3 via Cyrus, etc. All this is achieved mainly via Samba + winbind with appropriate stuff in krb, smb, nsswitch and related configs. If needed, I will be more than happy to provide details.

Regards, -- --Moby They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
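The message above names the pieces (krb, smb, nsswitch) without showing them. The script below is an added example, not Moby's configuration or anything from the Samba project: its functions print the minimal krb5.conf, smb.conf and nsswitch.conf fragments for an AD member using winbind, check the realm spelling, and run the post-join verification. It assumes a current Samba (the `idmap config` syntax; older 3.x releases used `idmap uid`/`idmap gid`), that the join is done with an account that has been granted rights to create computer objects rather than the domain Administrator, and placeholder realm, workgroup and host names.

```shell
#!/bin/sh
# Added example (not from the thread). Configuration fragments and checks for an
# openSUSE host joining AD via Samba + winbind. Names are placeholders.

# Kerberos realms are upper case by convention; a lower-case realm is a common
# reason a join fails before it even reaches the DC. Returns 0 if acceptable.
check_realm() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[abcdefghijklmnopqrstuvwxyz]*) return 1 ;;
        *) return 0 ;;
    esac
}

# /etc/krb5.conf fragment.  $1 = realm (EXAMPLE.COM), $2 = a domain controller.
render_krb5_conf() {
    realm="$1"; kdc="$2"
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    clockskew = 300

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# /etc/samba/smb.conf [global] fragment.  $1 = realm, $2 = NetBIOS workgroup.
# 'security = ads' makes Samba a domain member; the idmap range is the local
# UID/GID pool winbind hands out for AD users and groups.
render_smb_conf() {
    cat <<EOF
[global]
   workgroup = $2
   realm = $1
   security = ads
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind offline logon = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
EOF
}

# /etc/nsswitch.conf lines: local files first, then winbind.
render_nsswitch() {
    printf 'passwd: files winbind\ngroup:  files winbind\n'
}

# Join with a delegated account; the password is prompted for, never stored here.
join_domain() {   # $1 = account granted "create computer objects" on the target OU
    net ads join -U "$1"
}

# Post-join verification: machine account usable, winbind trust OK, NSS resolves a user.
verify_join() {   # $1 = an AD user name to resolve through NSS
    net ads testjoin || { echo "machine account not usable" >&2; return 1; }
    wbinfo -t       || { echo "winbind cannot use the trust account" >&2; return 1; }
    getent passwd "$1" >/dev/null || { echo "NSS does not resolve $1" >&2; return 1; }
    echo "join verified"
}
```

Typical use: `check_realm EXAMPLE.COM`, write the three fragments to their files with the render functions, restart winbind, then `join_domain joinsvc` followed by `verify_join someuser`. The verification order matters: `net ads testjoin` only exercises the machine account, `wbinfo -t` proves winbind can use it, and `getent passwd` is what actually has to work for AD passwords to log users into the Linux box.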
On Mon, 2008-09-01 at 21:56 -0500, Moby wrote:
I am jumping into this thread a bit late and not sure if I am completely off the mark. If there is any relevance, let me add that I am currently using OpenSuSE machines as member servers in w2k and w2k3 AD domains fine - users use AD credentials for access to file shares on OSS, for sendmail, for imap/pop3 via Cyrus, etc. All this is achieved mainly via Samba + winbind with appropriate stuff in krb, smb, nsswitch and related configs. If needed, I will be more than happy to provide details.
This is what I am trying to set up. But our local AD won't let my machine join. I am pretty sure I am talking to it. For example, if I try my own AD account, I get a permission error - I cannot add machines. If I use a wrong password, it says my login is bad. I think our IT guys have turned off allowing anonymous users to add machines to the AD. Or there is an old record for this machine that I cannot alter as an anonymous user. I am trying to get the IT guys to sort this out. No answer yet...

-- Roger Oberholtzer
Roger Oberholtzer wrote:
This is what I am trying to set up. But our local AD won't let my machine join. I am pretty sure I am talking to it. For example, if I try my own AD account, I get a permission error - I cannot add machines. If I use a wrong password, it says my login is bad. I think our IT guys have turned off allowing anonymous users to add machines to the AD. Or there is an old record for this machine that I cannot alter as an anonymous user. I am trying to get the IT guys to sort this out. No answer yet...
Based on my experience working for multiple companies with AD domains, I'd be amazed if *any* company allowed machine accounts to be created by an anonymous user. I'm not saying it's not possible -- just that I've never seen it done that way by any company. At my present company, because of some of my assigned duties, I have Jr. Deputy Assistant SysAdmin credentials, and can join machines to our corporate domain. But I realize that's a rare privilege, and I treat it as such.

As a developer with an independent streak, I sometimes get the feeling that IT is getting in my way. But if you think about it, they have a difficult and stressful job, and the less "locked down" their network is, the harder it is to keep it all running right.
On Mon, 2008-09-01 at 20:25 -0400, Doug McGarrett wrote:
On Monday 01 September 2008 11:16, Silent Ph03nix wrote:
On Mon, Sep 1, 2008 at 10:04 AM, Roger Oberholtzer <roger@opq.se> wrote:
On Mon, 2008-09-01 at 09:54 -0500, Silent Ph03nix wrote:
I will have to see if they are running 2000 or 2003. I want to validate Linux user logins via the AD server. It is the Linux box itself that I want the users to have access to with their AD passwords, not other resources on the network. I cannot track their AD passwords manually, and they are changing all the time. Currently, they have different user/password on the Linux box than on the AD box. I am trying to get away from that.
Understood. In that case you're most likely going to have to get your IT department involved. We tend to get snippy when people try to do things on our network without getting us involved. ;-)
Ph03nix
Where I worked (I am retired) the IT department would have come completely unglued if anyone on the net tried to install Linux. Perhaps if one of the programmers could have made a case for it, but otherwise...
We were, originally, a small company that made a measurement system, based first on OS/9, then Unix (HP-UX and then SCO UnixWare), Caldera Linux, and now openSUSE Linux. We were never a Windows or DOS shop. There was a bit of a pull to OS/2, but that passed quickly. We were then bought by a company that is today over 8200 employees. Our little group of 10 or so are the only ones not using Windows (or, the 'Standard PC', as the IT department calls their canned install of Windows that is used company-wide). Well, almost company wide :)

One silly thing is that as our company has a Novell site license, the IT guys have access to SUSE. They have tried it. No complaints. But it does not run Outlook and Office. That could have been sorted, if there had been a bit of initiative. The real problem is all the engineering software that is used. Our company is mainly engineering and design consultants in many areas. They exchange design data with many outside sources. So, they need to run the same software. If you were doing a design of a bridge, or a tunnel, or a part of a North Sea oil platform, would you want to risk running your software in a simulator (or even a virtual machine) that was not tested by the software maker? Would you trust importing data from one program to another? It does not take many mistakes for a company to lose their reputation. So, until engineering software is properly and officially ported to Linux, there is no chance a company like ours will convert. The risks are seen as too great. And I think they are.

But our little division had Unix/Linux from the start. We don't want to convert to Windows for the same reason the Windows guys do not want to convert to Linux. The SoftWar rages on.

-- Roger Oberholtzer
I got a password from the IT guys, and now the machine has joined. Works quite nicely. I can only assume that anonymous users cannot add machines in this AD. Now I need to sort out Novell Netware and iPrint client stuff to get shares and printers set up. It is always something.

-- Roger Oberholtzer