Realmd and Active Directory

I would like to have a Clear Linux workstation authenticate through Active Directory, but I’m having issues making it work. Would someone please provide or point me in the right direction with one of the following?

  1. A comprehensive tutorial on how to join a Linux workstation to Active Directory that’s applicable to Clear Linux. Something that explains how it all works instead of “put your information here”?

  2. A Clear Linux-specific tutorial on joining an Active Directory domain.

  3. Realmd as part of a bundle that would make joining an Active Directory domain easier.

Thanks!!

@jdnightwalker, I can try to help you with that since I want to learn the same thing. With the help of @mesiment we can probably get you where you need to be and learn something in the process. The first thing you need to do is register your machine ID with your AD service so you can be seen on the network. We have a bundle, enterprise-login, that contains all the linux tools you need. Install that with:

sudo swupd bundle-add enterprise-login

We also have several articles using samba:

https://docs.01.org/clearlinux/latest/tutorials/smb-desktop.html

and

https://docs.01.org/clearlinux/latest/tutorials/smb.html

This is a start at least…I’m not familiar with realmd and will look into it. One source I am looking at is this for education:


@TomL, I may just need to study that Red Hat document more carefully, but I’m having a lot of trouble trying to follow the document and use the tools provided in Clear Linux to get a successful enterprise login. I keep getting to a point and then finding that one tool or another either isn’t available or isn’t set up. Some examples include having to create the /var/lib/sss/db folder for sssd, “authconfig --update --enablesssd --enablesssdauth --enablemkhomedir” requiring “restorecon” which swupd couldn’t find a bundle for, /etc/samba not existing at all, the winbindd directions resorting to the use of “realm” which is a part of realmd which I referenced previously… I kinda hit that point of “bailing out due to previous errors.” Help!!

Thanks!


I’ve been meaning to work on this as well. I’ll try to carve out some time and see if I can get it to work and help with the documentation.

E.


@Eric_Duncan, I would love your help on this! I am definitely NOT an IT professional and am just learning about the intricacies of these tools and how they interact with each other.


@Eric_Duncan I would love your help as well, and would be more than willing to help in terms of testing and refinement of documentation! I love the performance of Clear Linux, and while at least one program I’ve had to compile from scratch, I’ve managed to do just about everything I’ve wanted to do with Clear Linux up until Active Directory.

I’ll probably start looking up how to go the Winbindd route without the use of realmd next week. I’ll keep an eye on the thread though for anything new!

May you all have a Happy Thanksgiving!

I’ve been away for a week, but right before I left, I blew out my CL laptop with some config for the AD. I’m trying to get my documents off of it so I can re-install; I was trying to fix it but never could find out what was killing the boot or X. I did manage to get it to join AD; now it is just getting the PAM settings correct.

Note, use a VM for testing. :)

Eric

I know what you mean. I think I lost two or three VMs trying to do the same thing. It looked like I had managed to join AD, I’d put in as much information as I could given the tools I had at hand and the Red Hat instructions as a template, but whenever I rebooted to give the actual sign-in a try, I was met with a black screen and blinking cursor. I never received a login either in X or in console, and I couldn’t switch to another console using Ctrl-Alt-Fx. Either the consoles hadn’t been launched or they were all in the same state.

Okay. I tried this again, following directions from wiki.samba.org. Everything seemed to be working, until I rebooted and I was met with no logon once again. The system IS running! The system IS responding!! I know that because there’s an “intel_powerclamp: CPU does not support MWAIT” warning on tty1 and when I switch to the other ttys using ctrl-alt-F*, the warning disappears, and reappears when I return to tty1. Something about the winbind setup is preventing the login prompts AND GDM3 from presenting. It could be that it’s trying to enumerate our massive user list, but I had specified winbind not to in the smbd.conf file. Something else might be trying to enumerate it anyways. I’m going to let the VM sit for a few hours, just to see if it resolves itself. If it doesn’t, then I’ve lost another virtual HD and I’ll have to restore it from the backup. If it DOES resolve itself… Any ideas as to what I should do to make this thing play nice at login?

Thanks!!!

I’m wondering if this is related to the boot issue in 31800. What is your current version of clear?

I don’t think this was related to 31800. For one, I was still at a text screen, it never got to X or Wayland. For another, my test I think was a day before 31800 came out. It’s also very similar to the behavior I had experienced before Thanksgiving in prior tests.

I did get hit by the 31800 bug though, yesterday morning on my laptop. I experienced a black screen with immovable mouse cursor. I’ve since moved my “production” personal equipment back to Fedora, at least temporarily, until I see how 31800 resolves itself. Meanwhile I do still have a Clear Linux VM and test machine, both of which I think are on the build just prior to 31800. I reverted the VM by restoring a backup of its virtual HDD. I’m a little afraid to boot either one up though, lest they auto-update back to 31800 and explode on me.

31810 is available now and I believe that resolves the issue in 31800.

Okay. I restored the Virtual HDD, updated to 31810, rebooted to make sure that everything was working normally, which it was. I then created an /etc/samba folder, touched smb.conf within that folder, then ran the following command as root which seemed to add the computer to the domain and configured most everything for me:

authconfig --enablewinbind --enablewinbindauth --smbsecurity ads --smbworkgroup=MYDOMAIN --smbrealm MYDOMAIN.EDU --smbservers=dc1.mydomain.edu --krb5realm=MYDOMAIN.EDU --enablewinbindoffline --enablewinbindkrb5 --winbindtemplateshell=/bin/bash --winbindjoin=myadminaccount --update --enablelocauthorize

It complained about restorecon not being an available command, asked me for my domain password, then said that it was joined to the domain but “No DNS domain configured for clearlinuxkvm. Unable to perform DNS Update.” I rebooted, and the machine was in the same state I described before. No X / Wayland, stuck on a black text screen with the MWAIT warning and a blinking cursor, responsive to Ctrl-Alt-Fx keypresses, but no login prompt to be found on any TTY.

Thoughts?

What are the contents of samba.conf in your /etc/samba directory? Feel free to hide appropriate content as necessary. This is my samba.conf file:

[global]
security=ads
realm=XXXX.YYYYY.INTEL.COM
workgroup=XXXX
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 864000
netbios name = TZZZZZZ-DESK
create krb5 conf = yes
log level = 0 auth:10 winbind:10
kerberos method = secrets and keytab
client NTLMv2 auth = no

Let me know if you want the contents of any other config files
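
A review of the [global] settings posted above, as an added example that is not part of the thread or of Samba's own tooling. It parses the section the way Samba treats parameter names (case and whitespace ignored) and lists settings worth a second look on a domain-joined workstation, including the enumeration switches mentioned earlier in the thread. The function names and the 3600-second cache threshold are assumptions of this example, and backslash line continuations are not handled.

```python
# Constructed sample: the [global] section from the post above, names masked as posted.
SAMPLE = """\
[global]
security=ads
realm=XXXX.YYYYY.INTEL.COM
workgroup=XXXX
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
winbind cache time = 864000
netbios name = TZZZZZZ-DESK
create krb5 conf = yes
log level = 0 auth:10 winbind:10
kerberos method = secrets and keytab
client NTLMv2 auth = no
"""
YES = {"yes", "true", "1"}
MAX_CACHE_SECONDS = 3600  # review threshold assumed for this example, not a Samba value

def load_global(text):
    """Parse [global]; Samba ignores case and whitespace in parameter names."""
    section, params = None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(text):
    """Return (parameter, note) pairs to review; unset parameters use Samba defaults."""
    g, out = load_global(text), []
    if g.get("clientntlmv2auth", "yes").lower() not in YES:
        out.append(("client NTLMv2 auth", "allows weaker pre-NTLMv2 responses; default is yes"))
    for kind in ("users", "groups"):
        if g.get("winbindenum" + kind, "no").lower() in YES:
            out.append(("winbind enum " + kind, "enumerates the whole directory; slow on large domains"))
    if int(g.get("winbindcachetime", "300")) > MAX_CACHE_SECONDS:
        out.append(("winbind cache time", "long cache delays AD user and group changes"))
    levels = [int(t.split(":")[-1]) for t in g.get("loglevel", "0").split() if t.split(":")[-1].isdigit()]
    if max(levels, default=0) > 3:
        out.append(("log level", "debug-level logging; keep only while troubleshooting"))
    return out

if __name__ == "__main__":
    print("\n".join(f"{p}: {n}" for p, n in audit(SAMPLE)))
```
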