Realmd and Active Directory

I would like to have a Clear Linux workstation authenticate through Active Directory, but I’m having issues making it work. Would someone please provide or point me in the right direction with one of the following?

  1. A comprehensive tutorial on how to join a linux workstation to Active Directory that’s applicable to Clear Linux. Something that explains how it all works instead of “put your information here”?

  2. A Clear Linux specific tutorial to joining an Active Directory domain.

  3. Realmd as part of a bundle that would make joining an Active Directory domain easier.

Thanks!!

@jdnightwalker, I can try to help you with that since I want to learn the same thing. With the help of @mesiment we can probably get you where you need to be and learn something in the process. The first thing you need to do is register your machine ID with your AD service so you can be seen on the network. We have a bundle, enterprise-login, that contains all the linux tools you need. Install that with:

sudo swupd bundle-add enterprise-login

We also have several articles using samba:

https://docs.01.org/clearlinux/latest/tutorials/smb-desktop.html

and

https://docs.01.org/clearlinux/latest/tutorials/smb.html

This is a start at least…I’m not familiar with realmd and will look into it. One source I am looking at is this for education:


@TomL, I may just need to study that Red Hat document more carefully, but I’m having a lot of trouble trying to follow the document and use the tools provided in Clear Linux to get a successful enterprise login. I keep getting to a point and then finding that one tool or another either isn’t available or isn’t set up. Some examples include having to create the /var/lib/sss/db folder for sssd, “authconfig --update --enablesssd --enablesssdauth --enablemkhomedir” requiring “restorecon” which swupd couldn’t find a bundle for, /etc/samba not existing at all, the winbindd directions resorting to the use of “realm” which is a part of realmd which I referenced previously… I kinda hit that point of “bailing out due to previous errors.” Help!!

Thanks!


I’ve been meaning to work on this as well. I’ll try to carve out some time and see if I can get it to work and help with the documentation.

E.


@Eric_Duncan, I would love your help on this! I am definitely NOT an IT professional and am just learning about the intricacies of these tools and how they interact with each other.


@Eric_Duncan I would love your help as well, and would be more than willing to help in terms of testing and refinement of documentation! I love the performance of Clear Linux, and while at least one program I’ve had to compile from scratch, I’ve managed to do just about everything I’ve wanted to do with Clear Linux up until Active Directory.

I’ll probably start looking up how to go the Winbindd route without the use of realmd next week. I’ll keep an eye on the thread though for anything new!

May you all have a Happy Thanksgiving!

I’ve been away for a week but right before I left, I blew out my CL laptop with some config for the AD. I’m trying to get my documents off of it so I can re-install, I was trying to fix but never could find out what was killing the boot or X. I did manage to get it to join AD, now it is just getting the PAM settings correct.

Note, use a VM for testing. :slight_smile:

Eric

I know what you mean. I think I lost two or three VMs trying to do the same thing. It looked like I had managed to join AD, I’d put in as much information as I could given the tools I had at hand and the Red Hat instructions as a template, but whenever I rebooted to give the actual sign-in a try, I was met with a black screen and blinking cursor. I never received a login either in X or in console, and I couldn’t switch to another console using Ctrl-Alt-Fx. Either the consoles hadn’t been launched or they were all in the same state.

Okay. I tried this again, following directions from wiki.samba.org. Everything seemed to be working, until I rebooted and I was met with no logon once again. The system IS running! The system IS responding!! I know that because there’s an “intel_powerclamp: CPU does not support MWAIT” warning on tty1 and when I switch to the other ttys using ctrl-alt-F*, the warning disappears, and reappears when I return to tty1. Something about the winbind setup is preventing the login prompts AND GDM3 from presenting. It could be that it’s trying to enumerate our massive user list, but I had specified winbind not to in the smbd.conf file. Something else might be trying to enumerate it anyways. I’m going to let the VM sit for a few hours, just to see if it resolves itself. If it doesn’t, then I’ve lost another virtual HD and I’ll have to restore it from the backup. If it DOES resolve itself… Any ideas as to what I should do to make this thing play nice at login?

Thanks!!!

I’m wondering if this is related to the boot issue in 31800. What is your current version of clear?

I don’t think this was related to 31800. For one, I was still at a text screen, it never got to X or Wayland. For another, my test I think was a day before 31800 came out. It’s also very similar to the behavior I had experienced before Thanksgiving in prior tests.

I did get hit by the 31800 bug though, yesterday morning on my laptop. I experienced a black screen with immovable mouse cursor. I’ve since moved my “production” personal equipment back to Fedora, at least temporarily, until I see how 31800 resolves itself. Meanwhile I do still have a Clear Linux VM and test machine, both of which I think are on the build just prior to 31800. I reverted the VM by restoring a backup of its virtual HDD. I’m a little afraid to boot either one up though, lest they auto-update back to 31800 and explode on me.

31810 is available now and I believe that resolves the issue in 31800.

Okay. I restored the Virtual HDD, updated to 31810, rebooted to make sure that everything was working normally, which it was. I then created an /etc/samba folder, touched smb.conf within that folder, then ran the following command as root which seemed to add the computer to the domain and configured most everything for me:

authconfig --enablewinbind --enablewinbindauth --smbsecurity ads --smbworkgroup=MYDOMAIN --smbrealm MYDOMAIN.EDU --smbservers=dc1.mydomain.edu --krb5realm=MYDOMAIN.EDU --enablewinbindoffline --enablewinbindkrb5 --winbindtemplateshell=/bin/bash --winbindjoin=myadminaccount --update --enablelocauthorize

It complained about restorecon not being an available command, asked me for my domain password, then said that it was joined to the domain but “No DNS domain configured for clearlinuxkvm. Unable to perform DNS Update.” I rebooted, and the machine was in the same state I described before. No X / Wayland, stuck on a black text screen with the MWAIT warning and a blinking cursor, responsive to Ctrl-Alt-Fx keypresses, but no login prompt to be found on any TTY.

Thoughts?


What’s the contents of samba.conf in your /etc/samba directory? Feel free to hide appropriate content as necessary. This is my samba.conf file:

[global]
security=ads
realm=XXXX.YYYYY.INTEL.COM
workgroup=XXXX
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 864000
netbios name = TZZZZZZ-DESK
create krb5 conf = yes
log level = 0 auth:10 winbind:10
kerberos method = secrets and keytab
client NTLMv2 auth = no

Let me know if you want the contents of any other config files

Where I am so far:

authconfig created the following smb.conf:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2019/12/09 14:57:37
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = MYDOMAIN
   password server = dc1.mydomain.edu
   realm = MYDOMAIN.EDU
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   kerberos method = secrets and keytab
   winbind use default domain = false
   winbind offline logon = true

#--authconfig--end-line--

I modified the smb.conf file using Tom's as a template to read:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2019/12/09 14:57:37
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = MYDOMAIN
   password server = dc1.mydomain.edu
   realm = MYDOMAIN.EDU
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   kerberos method = secrets and keytab
   winbind use default domain = yes
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind enum users = no
   winbind enum groups = no
   winbind cache time = 864000
   netbios name = CLEARLINUXKVM
   create krb5 conf = yes
   log level = 0 auth:10 winbind:10
   kerberos method = secrets and keytab
   client NTLMv2 auth = no

#--authconfig--end-line--

(I realize now, after testing, I may have doubled-up on the “kerberos method” line this time, but it didn’t seem to complain…)

I tested it by restarting smb, but that failed because there wasn’t a Nobody user, which I then added to the /etc/passwd file and tried again, successfully. I also restarted nmb and winbind without complaint. However, when I went to restart the VM… same result. I never receive a login prompt.

I’ll go ahead and restore the VM’s Virtual HD in preparation for another try.

Thoughts?


I’ve not tried installing this into a VM; I wonder if the host needs to have access to the AD service or whether you can get there from the VM only. Also, the FQDN for my system, which is what I registered with the AD service, and the realm defined in my samba.conf are the same. So your FQDN for your device is mydomain.edu? That doesn’t seem right, but like I’ve said, I’m not an expert.

Let me see if I follow, and this very well could be my problem.

You’re saying that the FQDN of your computer is xxxx.yyyyy.intel.com, the workgroup is xxxx, therefore the “name” of the computer is also xxxx? In this case I should be using clearlinuxkvm.mydomain.edu as the realm and clearlinuxkvm as the workgroup as the “name” of my computer is clearlinuxkvm?

I will have to give this a shot tomorrow…

Also I have another VM on the domain on that machine, so I know it’s possible as-is. In that case the VM is running Fedora.

Thanks!!

I was looking over the authconfig command again, and I think that I had it right the first time. The workgroup, the password server and the realm elements were all autogenerated from authconfig, and I used the command per instructions from Red Hat, which used only the domain I wanted to join, in this case mydomain.edu (names have been changed to protect the innocent, of course.) We don’t have any subdomains, so I wouldn’t be in an xxxx.yyyy.mydomain.edu. My FQDN should be mycomputer.mydomain.edu.

The authconfig command I used can be found here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/winbind-auth.html

I’ve been able to join other Linux OSes to the domain, including Ubuntu once upon a time and my current Fedora system and a Fedora VM running alongside this Clear Linux VM. So I know it’s possible. I would just copy the settings from the Fedora install, but they used a different set of tools to bind to AD, including sssd and realmd, the latter of which I know isn’t available on Clear Linux, at least not yet.
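As an added example that is not part of any post in this thread: a small Python linter for the [global] section of smb.conf that catches the two things discussed above, the doubled "kerberos method" key in the hand-merged config and the realm / netbios name / FQDN mismatch question. The sample configuration and the hostnames it is checked against are constructed from the thread's placeholder names (MYDOMAIN.EDU, CLEARLINUXKVM).

```python
"""Lint a winbind-style smb.conf for the pitfalls raised in this thread."""
import re
from collections import Counter
# Constructed sample: the thread's hand-merged [global] section (names
# changed), including its accidentally doubled "kerberos method" line.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.EDU
   kerberos method = secrets and keytab
   winbind enum users = no
   winbind enum groups = no
   netbios name = CLEARLINUXKVM
   kerberos method = secrets and keytab
"""

def parse_global(text):
    """Return (key, value) pairs from the [global] section, in file order."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((re.sub(r"\s+", " ", key.strip().lower()), value.strip()))
    return pairs

def lint(text, fqdn):
    """Return findings for the config as seen from host `fqdn`; [] means clean."""
    pairs = parse_global(text)
    conf = dict(pairs)  # last occurrence wins, which is how smbd resolves repeats
    findings = [f"duplicate key '{k}' ({n} times)"
                for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    realm = conf.get("realm", "")
    # realm is the AD domain, not the host: host.example.edu -> EXAMPLE.EDU
    short, _, domain = fqdn.partition(".")
    if domain.upper() != realm.upper():
        findings.append(f"host {fqdn} is not in realm {realm}")
    if conf.get("netbios name", short).upper() != short.upper():
        findings.append("netbios name does not match the short hostname")
    for key in ("winbind enum users", "winbind enum groups"):
        if conf.get(key, "no").lower() in ("yes", "true"):
            findings.append(f"{key} = yes enumerates the whole directory at login")
    return findings
```

Run it against the real file with `lint(open("/etc/samba/smb.conf").read(), socket.getfqdn())` before restarting winbind; an empty list means none of the checks fired.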