Cannot Login with AD user #27
Comments
Running "pbis status" will give you an indication of whether the agent is joined correctly and able to communicate with AD. If that looks good I'd check that "id domain\\user" command returns information you'd expect for your user. You can also use the "pbis authenticate-user" command to confirm the actual underlying authentication is successful. I think /var/log/messages is the default log location so you may also see something useful there. |
Thanks for the quick reply. I have issued pbis status and it looks good. But,
root@acp-box16:~# pbis authenticate-user --user ubuntu --domain DOMAIN.local
Still, it is saying invalid password, please try again. I couldn't find any PBIS related issues on syslog |
I keep forgetting this issues markup text loses the double \\. Make sure you're escaping your \ on the command line. |
Appreciate your help, but I didn't get any positive response.
root@acp-box16:~# id domain\user
I have followed the below steps to AD login settings
I was wondering whether I have to change something on this? |
I was avoiding using real usernames in case they were sensitive but this is getting confusing. So I'm not sure if your user "ubuntu" is just an example or a real user. If it's the real username and not the Netbios domain name then it shouldn't be set as UserDomainPrefix. The UserDomainPrefix is what is prepended to the username you type in, so it should be your netbios domain name. So if your domain is DOMAIN.local with a netbios name DOMAIN, then the standard name for your AD user would be DOMAIN\ubuntu. If you set "AssumeDefaultDomain true" then you can just use ubuntu and PBIS will automatically prepend DOMAIN\. With a "UserDomainPrefix ubuntu" you will be getting ubuntu\ubuntu. To get an idea of which users are available for logon you can either try "getent passwd" or "pbis enum-users" |
Perfect. I got mistaken on the above commands and I have corrected them with the help of your explanations. We, people, don't know the pbis commands like getent passwd or pbis enum-users. Thanks |
The command "getent passwd" calls the name service switch to list all the users that the Linux system recognizes. If you type this command at the command prompt you should see your local and AD users listed with the names you need to type at the logon prompt. The command "pbis enum-users" is similar and will list the AD users PBIS recognizes. It talks directly with the PBIS services rather than the name service switch, so if this works but getent passwd doesn't we know there's an issue with the integration. |
We have the same problem:
We have UserDomainPrefix and AssumeDefaultDomain set as well. |
When trying to connect via ssh using myusername, this gets logged in syslog:
|
The same problem with one PC:
|
We're troubleshooting an intermittent issue (on 8.5.3.293) with the same symptoms: status and queries with pbis commands look OK and normal, but users aren't seen on newly-bootstrapped servers. The cause seems to be
vs working:
Manually adding Our bootstrap process is highly automated (cloud VMs), so I'm not sure what the root cause may be. Yesterday, everything worked fine. Today (same vanilla base ubuntu 14.04 image, same configuration/automation), all servers so far are failing. Perhaps there's some interaction with external systems during the install process which can silently time out, or is timing dependent in some other way? Captured output looks entirely ordinary, all commands succeed with exit code of zero. |
I'm having a similar issue with version 8.5.4.334 amd64.
uname -a
cat /etc/nsswitch.conf
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
protocols: db files
netgroup: nis |
hello everyone
1 apt-get upgrade and after reboot I wasn't able to log in with domain credentials, so I logged back in through a local system user and ran the command "pbis status"; it shows unknown. Then I tried restarting "lwsmd service" and the miracle is pbis status shows online. I logged off from the local user and logged in through the domain user successfully, BUT is there any permanent solution????? I hope you'll help, |
I'm able to reproduce this issue and I'm investigating |
@rbest-bt Thanks for the instant help. I'm also trying, please let me know if it's solved |
I discovered after a reboot and upgrade that my /opt/pbis/bin/config settings were not set. I reset those configs and have been good since. I would check those and make sure they are written properly. |
When it's in a bad state check out the lwsmd status. If there is an enumeration error, then add trustEnumerationWait to your domainjoin command. See Issue #6 for more information |
Note to everyone: There is an option in the domainjoin command to set assumeDefaultDomain. Saves you from needing to set it via config tool |
Yes, I have seen Issue #6, but it's not solved. See the output: systemctl status lwsmd.service |
Try adding more time to trustEnumerationWaitSeconds. 45 or 60 seconds |
@dodinh LW_ERROR_PASSWORD_MISMATCH can get generated when you enter the correct password but ssh does not like a setting of the user. This is a known issue in ssh and I've seen it when the user's shell is not available on the system. |
Thank you so much @rbest-bt |
We have an issue with systemd between the lwsmd and network services starting. lwsmd is trying to enumerate the domain before the network is up. We are still investigating a solution that will account for offline machines. trustEnumerationWaitSeconds is just adding a set delay. |
Having a similar issue as @dodinh: getting LW_ERROR_PASSWORD_MISMATCH in the lsass logs; at the same time, pbis authenticate-user works just fine, as well as id username. Seems like the issue is related to ssh not being able to create a session for the user, like @rbest-bt described above, just don't know how to troubleshoot this issue |
@sfitsp - Try increasing the trustEnumerationWaitSeconds again. We are looking into a better solution in Issue 6. @flegance - please create a new issue for this. For now try and confirm the user's environment and make sure their options are available. Also increase the logging on lsass. Wait to log the issue till later today as I'm working on a template for logging issues. |
thank you, @rbest-bt . We just got the issue resolved, hence I'm not going to create a new one for this. The issue was with /etc/ssh/sshd_config - we had AllowedUser setting configured and it was restricting everybody else. The way we found it out - looked into the /var/log/secure log, and saw this: |
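The two SSH-side causes named in this thread (a login shell that does not exist on the host, and an sshd_config user allow-list that leaves the AD user out) can be checked without a live login. This is an added example, not code from the thread or from PBIS: it uses OpenSSH's `AllowUsers` directive, the function names are hypothetical, the sample data is constructed, and user names are assumed to be in the short form that AssumeDefaultDomain produces.

```shell
#!/bin/sh
# Added example (function names hypothetical): checks for the case where
# "pbis authenticate-user" succeeds but sshd still refuses the session.

# allow_users_verdict USER SSHD_CONFIG
# Prints "open" when the file has no AllowUsers line, "listed" when USER
# matches the user part of a pattern, "blocked" otherwise. Handles * and ?
# wildcards and USER@HOST forms (host part is not evaluated); Match blocks
# and negated (!) patterns are out of scope.
allow_users_verdict() {
    user=$1 conf=$2 found=0
    set -f                                  # keep * and ? from globbing files
    while read -r key rest; do
        case $key in
            [Aa][Ll][Ll][Oo][Ww][Uu][Ss][Ee][Rr][Ss]) found=1 ;;
            *) continue ;;                  # comments and other keywords
        esac
        for pat in $rest; do                # several lines accumulate
            upat=${pat%%@*}                 # drop an optional @HOST part
            case $user in $upat) set +f; echo listed; return 0 ;; esac
        done
    done < "$conf"
    set +f
    if [ "$found" -eq 1 ]; then echo blocked; else echo open; fi
}

# shell_verdict PASSWD_LINE
# Takes one line as printed by "getent passwd USER" and reports whether the
# login shell in its last field exists and is executable on this host.
shell_verdict() {
    login_shell=${1##*:}
    if [ -x "$login_shell" ]; then echo shell-ok
    else echo "shell-missing:$login_shell"; fi
}

# Constructed sample input (not taken from the thread).
demo_conf=$(mktemp)
printf '%s\n' '# constructed sshd_config fragment' 'PermitRootLogin no' \
    'AllowUsers deploy ops-*@10.0.0.*' > "$demo_conf"
allow_users_verdict jdoe "$demo_conf"       # AD user missing from the list
allow_users_verdict ops-ci "$demo_conf"     # matches the ops-* pattern
shell_verdict 'jdoe:x:1000:1000:J Doe:/home/jdoe:/bin/sh'
shell_verdict 'jdoe:x:1000:1000:J Doe:/home/jdoe:/bin/nosuchshell'
rm -f "$demo_conf"
```

On a real host, feed it `/etc/ssh/sshd_config` and the output of `getent passwd` for the affected user; a "blocked" or "shell-missing" verdict explains a refused session even though the password itself verified.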
@rbest-bt Thank you! It's working, but I think it's not a proper solution because we have to wait for login and sometimes need to restart... |
Yes we are working on a better fix. Follow Issue 6 for updates |
Team, the following error is shown by lwsmd:
Jul 21 01:18:29 ubuntu lsass[905]: [lsass] Fatal error enumerating trusts for domain SMDOMAIN.COM. Error was ERROR_GEN_FAILURE (31) |
Hi all, I have a domain controller installed with 2016 server and having ubuntu\windows machines as clients. I have integrated ubuntu machines using PBIS. My question is: can I apply the same group policy configured over the domain controller to Ubuntu machines? Or do I need to have more configurations on PBIS |
Refer to answer in #129 |
I am facing an error, can you please have a look... I am using it on ubuntu 18
unicode@client1:~$ sudo /opt/pbis/bin/domainjoin-cli --loglevel info --logfile . join UNICODESYSTEMS.IN Administrator
Administrator@UNICODESYSTEMS.IN's password:
Error: ERROR_CONNECTION_REFUSED [code 0x000004c9]
20190116194526:ERROR:ERROR_CONNECTION_REFUSED [ERROR_CONNECTION_REFUSED]
Stack Trace: |
I would confirm the domain is resolving to the correct DC IP. If you need more assistance please open a new issue. |
yes domain is resolving
unicode@client1:~$ nslookup
Name: unicodesystems.in
Name: ad.unicodesystems.in
|
I am working as system admin and this is the best way for joining domain. here you can find the full installation file with setup by setup. download the pbis file and save it in download folder.
Installation of PBIS and joining domain in ubuntu 14.04 & 16.04 ( may be work for 18.04)
for ubuntu 18.04 only
nameserver ( your domain server IP )
my domain name is - example
*change the line that reads:
session sufficient pam_lsass.so
to
session [success=ok default=ignore] pam_lsass.so
if its not found the (session sufficient pam_lsass.so) run this command
Finally edit lightdm configuration file by executing the following command
delete everything and add this lines.
[SeatDefaults]
if you got error - "no user found" just run this command.
add this command extra for ubuntu 16.04
find this
GRUB_CMDLINE_LINUX=""
change this to
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
Uninstalling PBIS
|
thank you so so much
…On Wed, Jan 23, 2019 at 8:37 PM Mohiyoddin ***@***.***> wrote:
I am working as system admin and this is the best way for joining domain. here you can find the full installation file with setup by setup. download the pbis file and save it in download folder.
Installation of PBIS and joining domain in ubuntu 14.04 & 16.04 ( may be could work for 18.04)
- sudo apt-get update
- sudo apt-get upgrade
- sudo apt-get install ssh
- Download the file and save it in downloads folder
- cd Downloads/
- sudo chmod +x pbis-open-8.0.0.2016.linux.x86_64.deb.sh or ( file name )
- sudo ./pbis-open-8.0.0.2016.linux.x86_64.deb.sh (or file name)
(In ubuntu 18.04 change 'nameserver ip' not for ubuntu 14.04 & 16.04 version)
- sudo nano /etc/resolv.conf
nameserver ( your domain server IP )
search ( your domain name )
- sudo domainjoin-cli join dom.example.com Administrator ( close GUI login )
my domain name is - example
and full name - dom.example.com
- sudo /opt/pbis/bin/config UserDomainPrefix example
- sudo /opt/pbis/bin/config AssumeDefaultDomain true
- sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
- sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
- sudo apt-get update
- sudo nano /etc/pam.d/common-session
*change the line that reads:
session sufficient pam_lsass.so
to
session [success=ok default=ignore] pam_lsass.so
if its not found the (session sufficient pam_lsass.so) run this command
- sudo pam-auth-update
Finally edit lightdm configuration file by executing the following command
- sudo nano /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf
delete everything and add this lines.
[SeatDefaults]
greeter-session=unity-greeter
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
- sudo reboot
if you got error - "no user found" just run this command.
- sudo service lwsmd restart
Uninstalling PBIS
- sudo /opt/pbis/bin/domainjoin-cli leave
- sudo /opt/pbis/bin/uninstall.sh uninstall
add this command extra for ubuntu 16.04
- sudo nano /etc/default/grub
find this
GRUB_CMDLINE_LINUX=""
change this to
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
- sudo update-grub
- sudo reboot
--
*Yours Sincerely,*
*Pankaj Gupta*
*DevOps|Linux|Server Admin*
|
We hope to add greeter-show-manual-login=true into the install process in the future. This is something that impacts ubuntu only. I would like to know the problem that is getting addressed with:
|
What error are you getting? |
Hi ,
I have installed and configured PowerBroker Identity Services Open 8.5.0.153 successfully but I cannot login to the ubuntu desktop using the AD user.
Then I have issued a command
$ domainjoin-cli query
I got
Name = acp-box16
Domain = DOMAIN.LOCAL
Distinguished Name = CN=ACP-BOX16,CN=Computers,DC=DOMAIN,DC=local
Also, the computer name is added to the active directory.
I'm not sure why I cannot login to the desktop with this AD user.
Should I configure anything on AD itself or? Any help will be appreciated.
Thanks
Amal