Hello, I am trying to join my Mageia laptop to my Windows Active Directory and, if possible, to Azure AD. I was checking this webpage: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-rhel-linux-vm

The problem is that the required packages cannot be found on Mageia.... realmd, for example, is only available on MGA5. Packages like realmd sssd oddjob oddjob-mkhomedir are not available. Are they included in other packages? I need to use "realm join --verbose AADDSCONTOSO.COM -U 'contosoadmin@AADDSCONTOSO.COM'" to join.. Please advise.

Regards
Ezequiel Partida
$ urpmq -y sssd
python2-sssdconfig
python3-sssdconfig
sssd
sssd-ad
sssd-client
sssd-common
sssd-common-pac
sssd-dbus
sssd-ipa
sssd-kcm
sssd-krb5
sssd-krb5-common
sssd-ldap
sssd-libwbclient
sssd-libwbclient-devel
sssd-nfs-idmap
sssd-proxy
sssd-tools
sssd-winbind-idmap

I have no experience with Active Directory. From its description, sssd-ad may be what is needed.
CC: (none) => davidwhodgins
All online tutorials I saw today refer to the "realmd" binaries. On some RHEL8 / CentOS8 tutorials, an install command:
# dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation authselect-compat
Some of the above packages have no equivalent on Mageia.

Assigning this as RPM package request. Assigning this package request to all packagers collectively. On a voluntary basis, one of them might, if there are no license or other legal issues, want to integrate it to the distribution and maintain it for bug and security fixes. You might also want to join the packager team to maintain this piece of software: see https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
Summary: How to join mageia to Active Directory => Add realmd and adcli tools from RHEL8/CentOS8 to join Active Directory Domains, NEW PACKAGE REQUEST
Target Milestone: --- => Mageia 8
Component: RPM Packages => New RPM package request
CC: (none) => ouaurelien
Assignee: bugsquad => pkg-bugs
We do have sssd. adcli is pretty handy and would be nice to have. The current sssd version actually expects that you have it, and uses it to rotate the machine account password periodically. The net command (from Samba) for joining doesn't work reliably with newer Windows versions. The oddjob stuff isn't needed, as we have pam_mkhomedir in the pam package, and that can be used. The realmd package isn't as useful as documentation makes it sound. It does multiple things incompletely and incorrectly by default, so you end up having to fix the configuration manually anyway; it doesn't save much effort over just reading documentation and doing the configuration manually. I wouldn't be in favor of bringing this package back, at least without fixing those things. A better idea would be integrating Active Directory support into drakauth.
CC: (none) => luigiwalser
Hello everyone,

Did someone take this? I just set up my first server in Mageia and would not like to install Ubuntu or Fedora... I did try Rocky Linux but to my surprise it did not detect my SAS 5 RAID... Mageia 8 on the other hand works great... I used the draktools to share my server folders but it seems I am not doing things right since I cannot see them from Windows, but I can read Windows shared folders from other servers by typing "domain\username". I set up Samba as standalone, I wonder if it should be PDC. Is there any documentation on this or in the Mandriva docs?.. I could not find anything.

Regards
This is a nice video on this. So sad that no packages are available for Mageia on this. Unfortunately I don't know how to package.
https://www.youtube.com/watch?v=3TPgxpjgYsU&t=60s
You should file a separate bug if drakshare isn't working. Standalone and PDC don't sound right, but there are different ways of doing shares (security = share, old, deprecated, and less secure, and security = user, which is more complicated), and then there's the fact that newer Windows have SMBv1 disabled by default so you have to be using SMBv3.

Like I said in Comment 3, ignore any articles or videos that tell you to use the realm command. Even when it's available, I don't recommend it unless you know what you're doing. It completely neglects to save the Samba configuration and it gets things wrong in the sssd configuration that you have to fix manually anyway. Oddjob-mkhomedir is needed if SELinux is in use and /home is a local filesystem, as pam_mkhomedir doesn't set SELinux contexts for newly created home directories correctly, but Mageia doesn't support SELinux anyway.

Here are some of my notes from Mageia 5, using example.com as the domain (you'll have to change this to whatever your LAN domain is) and $admin as your AD admin account. These are snippets of the key parts of the configurations.
urpmi krb5-workstation sssd samba-common

/etc/resolv.conf:
search example.com
nameserver <AD DC IP>

/etc/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
kdc_timesync = 0
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
proxiable = true
udp_preference_limit = 0
rdns = false

/etc/samba/smb.conf:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
kerberos method = secrets and keytab
security = ads

/etc/pam.d/system-auth (each line follows the pam_unix/tcb one):
auth sufficient pam_sss.so forward_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so

I also had to end the account section with:
account required pam_permit.so

and start the session section with:
session required pam_mkhomedir.so umask=0026 skel=/etc/skel/ silent

/etc/nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss

/etc/sssd/sssd.conf:
[sssd]
domains = example.com
config_file_version = 2
services = nss,pam
[domain/example.com]
cache_credentials = true
id_provider = ad
access_provider = ad
min_id = 1000
ldap_id_mapping = true
krb5_store_password_if_offline = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
default_shell = /bin/bash
ad_gpo_ignore_unreadable = true

Joining domain:
# kinit $admin
# net ads join -k
## OR if you have adcli built and installed locally
# adcli join -U $admin -C --add-samba-data example.com
# systemctl restart sssd
From https://bugs.mageia.org/show_bug.cgi?id=33265#c0 :

In the past I opened this package request and nothing is available yet. https://bugs.mageia.org/show_bug.cgi?id=27369

Since then I've been trying to find an easy solution, and I got motivated to learn by myself how to package. I've been getting help from Katnatek and Kekepower, who helped me start and guided me on how to package. At work we plan to start with some Linux desktops for production; unfortunately Mageia doesn't have an easy way to integrate with Active Directory, not just for sharing files but also to have user access control and permissions to Windows shared folders. On the other hand, distros like Ubuntu and Fedora have an option on the install and/or login that makes it easy to integrate with Active Directory as well as AD login/logout.. I wonder why Mageia doesn't have it. So I plan to find the necessary tools to make Mageia integrate with AD. I just hope this also gets Mageia support as well. If someone knows a little on what we already have and need, it will be very much appreciated. We might have the necessary tools already but there is no GUI integration yet.
Summary: Add realmd and adcli tools from RHEL8/CentOS8 to join Active Directory Domains, NEW PACKAGE REQUEST => Add tools for Active Directory Integration, NEW PACKAGES REQUEST
CC: (none) => lewyssmith
*** Bug 33265 has been marked as a duplicate of this bug. ***
Comment 7 above was by Ezequiel, not me! Can you start by defining what new packages you foresee? Bear in mind luigi's comments 3 & 6.
Yeah it's not really a matter of packaging something. There isn't really a magical solution out there. The framework exists in drakauth to support this. Someone just needs to do the programming work to integrate support for it (and if that's done, it can also be integrated into the installer).
(In reply to David Walser from comment #6)
> You should file a separate bug if drakshare isn't working. Standalone and
> PDC don't sound right, but there are different ways of doing shares
> (security = share, old, deprecated, and less secure, and security = user,
> which is more complicated), and then there's the fact that newer Windows
> have SMBv1 disabled by default so you have to be using SMBv3.
>
> Like I said in Comment 3, ignore any articles or videos that tell you to use
> the realm command. Even when it's available, I don't recommend it unless
> you know what you're doing. It completely neglects to save the Samba
> configuration and it gets things wrong in the sssd configuration that you
> have to fix manually anyway. Oddjob-mkhomedir is needed if SELinux is in
> use and /home is a local filesystem, as pam_mkhomedir doesn't set SELinux
> contexts for newly created home directories correctly, but Mageia doesn't
> support SELinux anyway.
>
> Here's some of my notes from Mageia 5, using example.com as the domain
> (you'll have to change this to whatever your LAN domain is) and $admin as
> your AD admin account. These are snippets of the key parts of the
> configurations.
>
> urpmi krb5-workstation sssd samba-common
>
> /etc/resolv.conf:
> search example.com
> nameserver <AD DC IP>
>
> /etc/krb5.conf:
> [libdefaults]
> default_realm = EXAMPLE.COM
> kdc_timesync = 0
> dns_lookup_realm = true
> dns_lookup_kdc = true
> forwardable = true
> proxiable = true
> udp_preference_limit = 0
> rdns = false
>
> /etc/samba/smb.conf:
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> kerberos method = secrets and keytab
> security = ads
>
> /etc/pam.d/system-auth (each line follows the pam_unix/tcb one):
> auth sufficient pam_sss.so forward_pass
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> password sufficient pam_sss.so use_authtok
> session optional pam_sss.so
>
> I also had to end the account section with:
> account required pam_permit.so
>
> and start the session section with:
> session required pam_mkhomedir.so umask=0026 skel=/etc/skel/ silent
>
> /etc/nsswitch.conf:
> passwd: files sss
> shadow: files sss
> group: files sss
>
> /etc/sssd/sssd.conf:
> [sssd]
> domains = example.com
> config_file_version = 2
> services = nss,pam
> [domain/example.com]
> cache_credentials = true
> id_provider = ad
> access_provider = ad
> min_id = 1000
> ldap_id_mapping = true
> krb5_store_password_if_offline = true
> use_fully_qualified_names = false
> fallback_homedir = /home/%u
> default_shell = /bin/bash
> ad_gpo_ignore_unreadable = true
>
> Joining domain:
> # kinit $admin
> # net ads join -k
> ## OR if you have adcli built and installed locally
> # adcli join -U $admin -C --add-samba-data example.com
> # systemctl restart sssd

Ok. I did all the steps you recommended.. the first time I replaced everything in those config files and I was unable to log in, so I reinstalled and added/modified only the info you gave me... and it still didn't work.
$ kinit username@domain
kinit: KDC reply did not match expectations while getting initial credentials

So I tracked my Kerberos server from my Windows PC using:
nslookup -type=srv _kerberos._tcp.YOUR-DOMAIN

Once I got the correct Kerberos server I added it to /etc/nostname as well as /etc/krb5.config:
default_realm = EXAMPLE.COM

kinit also did not give me anything.. same error.

Once I used the command systemctl restart sssd I got an error. There was no .config file so I created it.

# systemctl restart sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xeu sssd.service" for details.

I created the sssd package from cauldron to test,,, mga9 has 2.8.2 while cauldron has 2.9.5. This new one did not give me any errors but systemctl status sssd shows:

systemctl status sssd
○ sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Thu 2024-06-13 12:29:05 PDT; 2min 44s ago
             ├─ ConditionPathExists=|/etc/sssd/sssd.conf was not met
             └─ ConditionDirectoryNotEmpty=|/etc/sssd/conf.d was not met
I upgraded to cauldron to see if it has to do with older adcli and dependencies and I got the following messages... where it says user and domain I had my current username and domain name.

@adcli join domain.com -U user@domain.com
Password for user@domain.com:
adcli: couldn't connect to domain.com domain: Couldn't get kerberos ticket for: user@domain.com: KDC reply did not match expectations
Hello everyone,

Today I almost gave up on this. I installed Ubuntu again to see it working.. and I did more research on this. Looking at the tools that Ubuntu and Fedora use, I had to give it a last try.. I know David Walser told me not to use realm... Sorry but I had to try. So I created the Mageia packages of realm, oddjob and oddjob-mkhomedir... sssd is already in mga9 and I had to backport adcli from cauldron. As root this is what happened.

realm discover -v
 * Resolving: _ldap._tcp.littletwinkie.com
 * Performing LDAP DSE lookup on: 10.10.4.5
 * Performing LDAP DSE lookup on: 172.30.0.10
 * Performing LDAP DSE lookup on: 192.168.1.210
 * Successfully discovered: littletwinkie.com
littletwinkie.com
  type: kerberos
  realm-name: LITTLETWINKIE.COM
  domain-name: littletwinkie.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: samba-winbind
  required-package: samba-winbind-clients
  required-package: samba-common-tools

Then I typed:
sudo realm join -v -U ezequiel.partida@littletwinkie.com --membership-software=samba --client-software=winbind littletwinkie.com

I followed the steps and at the end I got:
 * Successfully enrolled machine in realm.

:-)

Once rebooted I was able to log in as user: ezequiel.partida@littletwinkie.com
Also the folder /home/ezequiel.partida@littletwinkie was created.
I can also access shared folders on my file server using Dolphin with smb://twinkiesvr
All permissions seem to be working the same as on Windows.

So, what do you guys think?
Your user name should just be ezequiel.partida, but realm misconfigures the use_fully_qualified_names setting in sssd.conf. Unless it's changed since the last time I used it, it also fails to save the samba configuration, so the net command won't work. On modern systems, you probably need to use adcli (not net) for joining (net also has other functions). Realm uses adcli in the background. Otherwise, you can check what it did to the configuration files mentioned above to see what a mostly correct configuration is supposed to look like. We just need drakauth to replicate that, without the mistakes that realm makes.
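The checks below are an added example (not from this bug, from David's notes, or from any Mageia tool) that a practitioner can run against the krb5.conf, smb.conf and sssd.conf snippets in comment 6 before attempting the join. They encode the failure modes seen later in the thread: sssd.service staying inactive because /etc/sssd/sssd.conf is missing (sssd also refuses a config that is not mode 0600), a principal whose realm part is not upper-case (a common cause of "KDC reply did not match expectations" against AD, since the KDC answers with the canonical upper-case realm), and use_fully_qualified_names left true so the login name is not just the plain account name. GNU stat is assumed; the file paths are parameters so the checks can run on copies.

```shell
#!/bin/sh
# Pre-join sanity checks for an sssd + Samba + Kerberos AD client (added example).

# Read "key = value" from an INI-style file (krb5.conf, smb.conf, sssd.conf),
# first match only, surrounding whitespace stripped.
ini_get() {  # ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1 | tr -d '[:space:]'
}

# Kerberos realm = DNS domain in upper case (example.com -> EXAMPLE.COM).
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# AD replies with the canonical upper-case realm; kinit/adcli with a
# lower-case realm in the principal is a classic "KDC reply did not match
# expectations". Accepts user@REALM, rejects anything else.
check_principal() {  # check_principal USER@REALM
    case "$1" in
        *@*) ;;
        *) echo "principal '$1' has no @REALM part"; return 1 ;;
    esac
    realm=${1#*@}
    [ "$realm" = "$(realm_of "$realm")" ] || { echo "realm '$realm' must be upper-case"; return 1; }
}

# sssd.service has ConditionPathExists=/etc/sssd/sssd.conf and the daemon
# refuses a config that is not mode 0600, so check both up front.
check_sssd_conf() {  # check_sssd_conf FILE
    [ -f "$1" ] || { echo "$1 missing: sssd.service will stay inactive"; return 1; }
    [ "$(stat -c %a "$1")" = "600" ] || { echo "$1 must be mode 0600"; return 1; }
}

# The realm/domain must agree across the three files, and
# use_fully_qualified_names must be false so users log in as plain "user".
check_consistency() {  # check_consistency KRB5_CONF SMB_CONF SSSD_CONF
    domain=$(ini_get "$3" domains)
    realm=$(realm_of "$domain")
    [ "$(ini_get "$1" default_realm)" = "$realm" ] || { echo "krb5 default_realm != $realm"; return 1; }
    [ "$(ini_get "$2" realm)" = "$realm" ] || { echo "smb.conf realm != $realm"; return 1; }
    [ "$(ini_get "$2" workgroup)" = "${realm%%.*}" ] || { echo "smb.conf workgroup != ${realm%%.*}"; return 1; }
    grep -q "^\[domain/$domain\]" "$3" || { echo "sssd.conf lacks [domain/$domain]"; return 1; }
    [ "$(ini_get "$3" use_fully_qualified_names)" = "false" ] || { echo "use_fully_qualified_names should be false"; return 1; }
}
```

Run it as `check_principal "$admin@EXAMPLE.COM" && check_sssd_conf /etc/sssd/sssd.conf && check_consistency /etc/krb5.conf /etc/samba/smb.conf /etc/sssd/sssd.conf` before `kinit`; each check prints the first mismatch it finds and returns non-zero.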