Can't login using a domain user

Participant II
Posts: 5
Registered: ‎09-27-2018
#1 of 6 1,009

Can't login using a domain user

Hi,

I'm having trouble logging in users with centrifyad with a Samba AD.

Can't login and su users.

- adinfo -m shows connected

- adinfo (CentrifyDC 5.5.1-400)

- Linux Debian 9.5 Cinnamon

- adquery user domain_user -A

samAccountName:domain_user
displayName:domain_user
sid:S-1-5-21-543736460-3497894086-1236349235-1107
userPrincipalName:domain_user@domain.lan
canonicalName:domain.lan/domain/diretoria/domain_user
passwordHash:x
guid:e8585021-56bf-4782-9d3f-fabd430ec4d2
accountExpires:Never
passwordExpired:false
passwordExpires:Never
passwordWillExpire:-2
nextPasswordChange:Fri Sep 28 14:07:51 2018
lastPasswordChange:Tue Sep 25 14:07:51 2018
accountLocked:false
accountDisabled:false
requireMfa:false
zoneEnabled:false
memberOf:domain.lan/Users/Domain Users,domain.lan/domain/diretoria/diretoria

root@efi-cli-01:/home/administrator# adinfo --diag
adinfo (CentrifyDC 5.5.1-400)

Host Diagnostics
uname: Linux efi-cli-01 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64
OS: Debian
Version: 9.0
Number of CPUs: 4

IP Diagnostics
Local host name: cli-01
Local IP Address: xxx.xxx.xxx.xxx
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:cli-01 (domain missing?)

Domain Diagnostics
Domain: domain.lan
Subnet site: Default-First-Site-Name
DNS query for: _ldap._tcp.domain.lan
Found SRV records:
efi-srv-ad.efiltros.lan:389
Testing Active Directory connectivity:
Domain Controller: efi-srv-ad.domain.lan
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: efi-srv-ad.domain.lan:389
Domain controller type: Windows 2008 R2
Domain Name: DOMAIN.LAN
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: DOMAIN.LAN
DNS query for: _gc._tcp.DOMAIN.LAN
Testing Active Directory connectivity:
Global Catalog: efi-srv-ad.domain.lan
gc: 3268/tcp - good
Domain Controller: efi-srv-ad.domain.lan:3268
Domain controller type: Windows 2008 R2
Domain Name: DOMAIN.LAN
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: DOMAIN.LAN

Retrieving zone data from domain.lan

Could not get domain RIDs from adclient: Bad data

Computer Account Diagnostics
Joined as: cli-01.domain.lan
Trusted for Delegation: false
Use DES Key Only: false
Key Version: 4
Service Principal Names: cifs/cli-01
cifs/cli-01.domain.lan
ftp/cli-01
ftp/cli-01.domain.lan
host/cli-01
host/cli-01.domain.lan

Supported Encryption Type(s): DES-CBC-CRC
DES-CBC-MD5
RC4-HMAC
AES128-CTS-HMAC-SHA1-96
AES256-CTS-HMAC-SHA1-96

Operating System Version: 6.1:9.0


System Diagnostic
Failed to get sysinfo from adclient.


Centrify DirectControl Status
Running in connected mode

Licensed Features: Disabled

When I try to su domain-user I get

No passwd entry for user 'domain-user'
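
As an added example (not part of the original thread and not Centrify code), this Python sketch walks `adinfo --diag` output like the one posted above and lists, per section, the checks the tool itself reports as failed. The sample text is a constructed excerpt of the post; treating any connectivity probe status other than `good` as a failure is an assumption, since the post only shows passing probes.

```python
import re

# Constructed sample: lines excerpted from the adinfo --diag output in the post.
SAMPLE_DIAG = """\
IP Diagnostics
Local host name: cli-01
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:cli-01 (domain missing?)
Domain Diagnostics
ldap: 389/tcp - good
kdc: 88/tcp - good
Retrieving zone data from domain.lan
Could not get domain RIDs from adclient: Bad data
System Diagnostic
Failed to get sysinfo from adclient.
Centrify DirectControl Status
Running in connected mode
"""

# Section headings exactly as they appear in the posted output.
SECTIONS = {"Host Diagnostics", "IP Diagnostics", "Domain Diagnostics",
            "Computer Account Diagnostics", "System Diagnostic",
            "Centrify DirectControl Status"}

# Failure phrases the tool printed in the post (no others are assumed).
FAILURE = re.compile(r"Not found in DNS|\(domain missing\?\)|^Could not |^Failed to ")
# Connectivity probes look like "kdc: 88/tcp - good".
PROBE = re.compile(r"^(\w+): (\d+)/(tcp|udp) - (\S+)$")

def triage(diag_text):
    """Return (section, line) pairs for every failed check in the diag text."""
    findings, section = [], "(preamble)"
    for raw in diag_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line          # remember which block we are in
            continue
        probe = PROBE.match(line)
        if probe and probe.group(4) != "good":   # assumption: non-"good" = failed
            findings.append((section, line))
        elif FAILURE.search(line):
            findings.append((section, line))
    return findings

if __name__ == "__main__":
    for section, line in triage(SAMPLE_DIAG):
        print(f"[{section}] {line}")
```

On the posted output this surfaces the two name-resolution warnings and the two places where adclient returned no data, while every port probe passes.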

 

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#2 of 6 987

Re: Can't login using a domain user


Please use Microsoft Active Directory. 

Also, Windows 2008 R2 behaviors have been deprecated for a while in the newer clients.

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 5
Registered: ‎09-27-2018
#3 of 6 966

Re: Can't login using a domain user

This is your answer for the problem? To use MS AD???

I can't believe it.

If there's a problem with CentrifyAD with SAMBA, why don't you put a msg in the download page saying that it only works with Microsoft AD?

And why does it work for some users on one PC, while on another PC with the same user it doesn't work?

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#4 of 6 964

Re: Can't login using a domain user


@mbenites,

There may be some confusion here.

We don't advertise that our software (in this case adclient, DirectControl) works with Samba acting as the Directory Service.

We QA against MS Active Directory.

We are aware of instances of people making this work, but it's not a path that we actively support (or advertise).

The only component related to Samba that we advertise is our adbindproxy, which is another Identity Mapper (instead of Winbind) that resolves identities based on our technology.

This topic is not new; if you search this forum, there are instances in which people have tried to do this, but ultimately hit some limitation.

R.P

Participant II
Posts: 5
Registered: ‎09-27-2018
#5 of 6 959

Re: Can't login using a domain user

Robertson,

I don't think I'm confusing things; maybe the naming of the software is confusing, because I downloaded and installed adbindproxy Express to join my Linux machines to Samba AD, and when I run #adinfo -v it shows adinfo (CentrifyDC 5.5.1-400). As you can see, it shows CentrifyDC, but I installed adbindproxy.

ADbindproxy joined my Linux client PC to the Samba AD, and after that I can log in with my domain users.

I'm not using CentrifyDC as my Active Directory Service.

As I said in my first msg, I'm having a problem logging in with some users on some PCs. For example:

user1 can log in to pc1 and can't log in to pc2, and user2 can't log in to pc1 and can log in to pc2.

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#6 of 6 956

Re: Can't login using a domain user

@mbenites,

I think this explains it.

adbindproxy is meant for organizations running Microsoft Active Directory and Centrify DirectControl that want to leverage the UID/GID schemes generated by our software for Samba-based file-services environments.

It's not meant to be used with Samba as the Directory Service.

https://docs.centrify.com/en/css/2018-html/index.html#page/Samba/What%E2%80%99s_in_the_adbindproxy_p...

Note that if you're a commercial customer, you don't need to rely on volunteers and this forum to get support.

R.P
