Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 01 December 2024, 04:27:29 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  Join AD EFW 2.3
0 Members and 3 Guests are viewing this topic. « previous next »
Pages: 1 [2] 3 4 Go Down Print
Author Topic: Join AD EFW 2.3  (Read 253215 times)
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #15 on: Tuesday 10 November 2009, 06:23:25 am »

I've done this 3-4 times now heres what i do:

1. install efw
2. Do the join domain (This will fail, but it saves settings to the server, and creates host entries)
3. Goto console or ssh to server
4. edit the file /var/efw/proxy/settings, remove the NTLM_BDC line
5. run /usr/local/bin/restartsamba.py (this should generate your winbind.conf)
6. Edit /etc/samba/winbind.conf Change the following: Workgroup = <domain short Name> to Workgroup = <Domain Full name, (the same as your realm)>
7. Run: net ads join -U<username> -s /etc/samba/winbind.conf (this will join the pc to the domain. It will say Joined or failed)
8. Wait 15 minutes. This will allow the domain controllers to replicate the new computer login(yes you do have to wait, annoying but take that up with microsoft.)
9. Test by running: wbinfo --configfile=/etc/samba/winbind.conf -t (if it suceeded your golden, you should now be able to see your groups in efw)
Logged
bodo.olschewski
Jr. Member
*
Offline Offline

Posts: 5


« Reply #16 on: Tuesday 10 November 2009, 06:27:07 am »

this way it works here:

pword server = DC.domain.local
realm = domain.local

workgroup = domain
Logged
njtd
Jr. Member
*
Offline Offline

Posts: 2


« Reply #17 on: Tuesday 10 November 2009, 06:42:59 am »

I understand corrent?

realm = FQDN
workgroup = NETBIOS

Thanks
Logged
entourage
Full Member
***
Offline Offline

Posts: 48


« Reply #18 on: Tuesday 10 November 2009, 06:44:47 am »

Thanks for being patient.  This is such a pain, especially when my 2.2 went so smooth.

I'm still not able to join.

I know I've run into situations before where it was case sensitive...could that be it?

I tried removing my DNS entry just to see what happened and now when I try to join it's back to "Failed to join domain: Invalid configuration and configuration modification was not requested"
(Doesn't matter if I run it from ssh or try to join from the web interface.)

Putting the DNS entry back I get "Failed to join domain: failed to find DC for domain DOMAIN.LOCAL"  This worries me too because I've changed from Uppercase to lower, but it doesn't reflect that.
Logged
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #19 on: Tuesday 10 November 2009, 06:54:27 am »

entourage, check your /etc/hosts and make sure your dc's have entries in there, if not create them.
Next go back to the web interface, goto Services->Time Server, Check over ride default time servers, and put the IP addresses of the DC's in there. save, goback to the page, and hit synchronize now.

Your Workgroup should be domain.local ex constco.com NOT JUST Constco.

Try the net join again from below. If it doesnt work let me know
Logged
entourage
Full Member
***
Offline Offline

Posts: 48


« Reply #20 on: Tuesday 10 November 2009, 07:03:06 am »

Still fail.

I had previously made sure my time was sync'd, but went ahead and sync'd it with the DC, just for good measure.

Here's a copy of my /etc/hosts:

10.0.0.1   DC.domain.local        DC
127.0.0.1   localhost.localhost localhost
10.0.0.14   EFW23.domain.local EFW23
10.0.0.1   dc.domain.local        dc
10.0.0.14   wpad.domain.local  wpad

I'm still concerned because when I run the restartsamba.py it replaces my domain.local with DOMAIN.LOCAL and I can't for the life of me locate where that's coming from.  It's not in smb.conf, it's not in /proxy/settings, I'm just not sure.
Logged
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #21 on: Tuesday 10 November 2009, 07:13:15 am »

First we are not using the smb.conf file. if you have it remove it. (winbind.conf is the same format but endian decided to call the configuration something other than the default)

Whats the output of this command:

net ads join -U <admin_user> -s winbind.conf -d 5
Logged
entourage
Full Member
***
Offline Offline

Posts: 48


« Reply #22 on: Tuesday 10 November 2009, 07:18:29 am »

Ok, renamed smb.conf to smb.conf.old

Here's the output:

Code:
[2009/11/09 15:11:28,  5] lib/debug.c:debug_dump_status(407)  INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    pdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2009/11/09 15:11:28,  3] param/loadparm.c:lp_load_ex(8753)  lp_load_ex: refreshing parameters
[2009/11/09 15:11:28,  3] param/loadparm.c:init_globals(4597)  Initialising global parameters
[2009/11/09 15:11:28,  3] param/params.c:pm_process(569)  params.c:pm_process() - Processing configuration file "winbind.conf"
[2009/11/09 15:11:28,  3] param/loadparm.c:do_section(7416)  Processing section "[global]"
  doing parameter security = ADS
  doing parameter pword server = DC.DOMAIN.LOCAL
  doing parameter realm = DOMAIN.LOCAL
  doing parameter syslog only = Yes
Enter administrator's pword:
Failed to join domain: failed to find DC for domain DOMAIN.LOCAL
Logged
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #23 on: Tuesday 10 November 2009, 07:26:12 am »

That is the same error i receive when not setting the workgroup correctly.

copy and paste this config into your winbind.conf, change stuff in <> to match your info:

[global]
security = ADS
password server = <Domain Controller FQDN(make sure its in hosts)>
realm = <Domain Name FQ>

# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

local master = no
hosts allow = <Allowed Subnets(green)>
interfaces = br0 br2
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

workgroup = <Domain Name FQ>
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
unix charset = UTF8

ntlm auth = Yes
min protocol = NT1
client NTLMv2 auth = Yes
lm announce = No


run: ads joint -U<username> -s/etc/samba/winbind.conf -d5
Logged
entourage
Full Member
***
Offline Offline

Posts: 48


« Reply #24 on: Tuesday 10 November 2009, 07:46:11 am »

Unfortunately more of the same.

I copied your winbind.conf and edited the servers.  same message. (failed to find DC for domain DOMAIN.LOCAL)

I can ping the DC, so I know it sees it, however I still get the same message if I type in an incorrect password when it prompts.  (Of course I've tried more than one domain admin account.)

I think since this is running on a VM, I'm going to grab the old 2.2 iso and try the installation again, so I can confirm that at least it will connect.

I'll report back.
Logged
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #25 on: Tuesday 10 November 2009, 08:05:27 am »

Uhh sounds silly, but your not using domain.local for your domain name are you? It should be your domain name.

Otherwise I'de start from a fresh install again and try the config again.
Logged
entourage
Full Member
***
Offline Offline

Posts: 48


« Reply #26 on: Tuesday 10 November 2009, 08:08:16 am »

Nothing sounds silly at this point.   Wink

Yeah, I'm just changing it from the real one before I paste.
Logged
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #27 on: Tuesday 10 November 2009, 09:06:05 am »

Noticed that after i joined the domain (#7) i missed two steps, you need to stop/start winbind:


I've done this 3-4 times now heres what i do:

1. install efw
2. Do the join domain (This will fail, but it saves settings to the server, and creates host entries)
3. Goto console or ssh to server
4. edit the file /var/efw/proxy/settings, remove the NTLM_BDC line
5. run /usr/local/bin/restartsamba.py (this should generate your winbind.conf)
5.5 Run /etc/init.d/winbind stop
6. Edit /etc/samba/winbind.conf Change the following: Workgroup = <domain short Name> to Workgroup = <Domain Full name, (the same as your realm)>
7. Run: net ads join -U<username> -s /etc/samba/winbind.conf (this will join the pc to the domain. It will say Joined or failed)
7.5 Run /etc/init.d/winbind start
8. Wait 15 minutes. This will allow the domain controllers to replicate the new computer login(yes you do have to wait, annoying but take that up with microsoft.)
9. Test by running: wbinfo --configfile=/etc/samba/winbind.conf -t (if it suceeded your golden, you should now be able to see your groups in efw)

Logged
njtd
Jr. Member
*
Offline Offline

Posts: 2


« Reply #28 on: Tuesday 10 November 2009, 01:39:04 pm »

I have success join the domain with npeterson step but I must modify line

pword server = <DC Hostname eg: DC1>
realm = <Domain Name FQ eg: ABC.COM>
workgroup = <NETBIOS eg: ABC>

Thank you very much npeterson.


Logged
entourage
Full Member
***
Offline Offline

Posts: 48


« Reply #29 on: Wednesday 11 November 2009, 02:05:49 am »

Ok, well, to prove I'm not crazy I just loaded up a VM with 2.2 and joined the domain successfully the first try.

npeterson, I added the extra step on my clean 2.3 install and it said that /etc/init.d/winbind stop [Failed]
Don't know if that matters?
Logged
Pages: 1 [2] 3 4 Go Up Print 
« previous next »
Jump to:  

Page created in 0.188 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com