Authenticate Ubuntu 20.04 against Active Directory

Forum home -> Tech Talk -> View topic

Post

Posted
Rating:
#483 (In Topic #98)
Avatar
Standard member

msktutil errors

Really nice howto video, thanks! (Authenticate Ubuntu 19.04 against Active Directory)

I am attempting to apply your method using an Ubuntu 20.04 desktop but can't get past the msktutil portion which produces the following messages:

Error: Keytab write error: No such file or directory!
Error: krb5_kt_add_entry failed failed (No such file or directory)

To the best of my understanding, the command should result in the my-keytab.keytab file being created. Are you aware of some change in 20.04 that would cause this?

AngusBogus
Online now: No Back to the top

Post

Posted
Rating:
#545
Avatar
Standard member
I encountered the same issue, which I was able to resolve by temporarily granting all users write access to the /etc directory.  
Online now: No Back to the top

Post

Posted
Rating:
#547
Avatar
Standard member
Hello,

I'm technology teacher in a middle school in France / Normandy.

All the computers in the school  must join the Active Directory server to access Internet.

I'm trying to connect a linux-mint 20 cinnamon in order it can access to Internet and if I succeed, I will be able to use old computers to create a new computer room  for our students because they are too old for last windows 10 and all the security software needed.

First I want to tell that in the wiki section there is a mistake with the following commands :

msktutil -N -c -b 'CN=COMPUTERS' -s UBUNTU-DESKTOP/ubuntu-desktop.nots.local -k my-keytab.keytab –computer-name UBUNTU-DESKTOP –upn UBUNTU-DESKTOP$ –server winserver19.nots.local –user-creds-only

Double dash are missing (editors  replace them by one long) and the correct command is :

msktutil -N -c -b 'CN=COMPUTERS' -s UBUNTU-DESKTOP/ubuntu-desktop.nots.local -k my-keytab.keytab - -computer-name UBUNTU-DESKTOP - -upn UBUNTU-DESKTOP$ - -server winserver19.nots.local - -user-creds-only

All the computers of the school are located in the directory "Machines" then sub directory "Ordinateurs" in the Active Directory server.

So my question is shall I use 'CN=MACHINES/ORDINATEURS' or 'CN=ORDINATEURS' or 'CN=MACHINES' or something else  for the msktutil commands above ?

Thanks for your help.

David.


 

Last edit: by Magellan

Online now: No Back to the top

Post

Posted
Rating:
#549
Avatar
NOTS Staff

Magellan said

Hello,

I'm technology teacher in a middle school in France / Normandy. 

David, you have personally emailed me this same message three times now from three different email addresses. Continuing to re-send the same email will not get you a response, so please stop. The forums (where you've posted here) are the correct place to post questions.

Magellan said

Double dash are missing (editors  replace them by one long)

This is a bug in Composr, the content management system used for this website. I have entered two Hyphen-Minus characters in the editor, but the page is only displaying a single em dash instead. I previously had a workaround for this issue, but since it's no longer working (I assume due to a recent update that included more rendering optimizations), I've opened an issue with the Composr project here: https://compo.sr/tracker/view.php?id=4385 Chris Graham (the lead Composr developer) is a great guy, and I'm sure this will be fixed when he has time. The alternative to waiting for a Composr update would be implementing my own HTML/CSS code boxes to use instead of using the built-in Comcode code boxes, which I can certainly do if this doesn't get fixed in a timely manner.

Magellan said

So my question is shall I use 'CN=MACHINES/ORDINATEURS' or 'CN=ORDINATEURS' or 'CN=MACHINES' or something else  for the msktutil commands above ?

Have you tried using any of those to see if they work? If not, why haven't you tried yet? Are you expecting someone else to spend hours replicating your setup in order to save you a few seconds trying those commands to see if they work or not?

Last edit: by jacobgkau

Online now: No Back to the top

Post

Posted
Rating:
#550
Avatar
Standard member
Hi Jacob, I'm very sorry for the persistence. Please forgive me. I have sent you the same message three times with a different email address because sometimes some people have told me that they did not receive my messages with one address and I had to use another one to get my message to them.

Seeing no response on the forum, I figured that no one could help me here. I have to admit that I am a bit impatient because I work in the emergency at the college.

I didn't try the 3 proposals I made because I'm afraid of doing something wrong and I can't afford it.  What would happen if the CN parameter waits for a directory or sub directory name and I enter a path? I wouldn't want it to create a new folder on the server named with the path that I would have entered.

I have no expertise on computer servers and the person who manages ours don't know anything about Linux. The company that set it up for us manages a special firewall for our students and the support it gives us does not cover the procedure we want to set up and they can't help for Linux too.

So, can we put a path in the CN parameter or must we enter the name of the folder (which in my case is a subdirectory) where we want to create the machine ?

I will wait until you are available to answer me and I won't bother you anymore.

Thanks again for your support and your skills because you are the only person who can help us.

Sincerely, David.

Last edit: by Magellan

Online now: No Back to the top

Post

Posted
Rating:
#551
Avatar
NOTS Staff

Magellan said

I didn't try the 3 proposals I made because I'm afraid of doing something wrong and I can't afford it.  What would happen if the CN parameter waits for a directory or sub directory name and I enter a path? I wouldn't want it to create a new folder on the server named with the path that I would have entered.

I'm afraid I can't answer your question off the top of my head, because I (being a Linux user) do not have a Windows server in my apartment right now, and I'm not going to set one up right now. However, I will say that if the server is set up such that you can mess it up by mis-configuring a client, that doesn't seem like a very well-designed server.

Thinking back to my days as a helpdesk technician at a college running Windows, I recall that we always let freshly-imaged machines join the default CN (which is Computers by default) and then dragged them to the appropriate location after they joined (but this was a fairly small college with a sub-optimal Windows Server setup.) I would think the worst-case scenario would be asking your server administrator to click and drag the computers to the appropriate location if the server did allow you to join them to the wrong place. Reading the man page for msktutil, I see the following:

For example, specifying '-b OU=Unix' for a computer named SERVER in an Active Directory domain example.com would create a computer account in the LDAP path: CN=SERVER,OU=Unix,DC=EXAMPLE,DC=COM.

So I would think you should start with "OU=Machines", possibly "CN=Ordinateurs,OU=Machines", but of course that's just a guess.

If you truly "can't afford" for this operation to go wrong, then I would suggest setting up a Windows Server virtual machine (like I did when I made that video over a year ago) and running through the process that way. You can get a free-of-cost evaluation license for Windows Server from Microsoft's website. You'll get experience with both Windows Server and Linux, and will be able to fine-tune your test to match exactly what you're trying to do in your lab. If you have questions while setting up VirtualBox, those are questions I'd be able to answer easier since that is software I use on a regular basis.

I also wanted to mention that I've installed a hotfix provided by the Composr developer (still a legend), and all of our wiki articles are now displaying their commands correctly, with two minus-hyphen signs instead of an em dash.

I apologize if my last message came off harsh, I do hope you can get your lab working and I'd enjoy hearing what you find if you do set up a virtual machine to test yourself.
Online now: No Back to the top

Post

Posted
Rating:
#552
Avatar
NOTS Staff
Well, Magellan , you should consider yourself lucky, because despite what I said in my last message, I was inspired by how helpful Chris was in solving the double-hyphen issue in Composr, and by the traffic I've seen on the forums recently, so I went ahead and dug out my Server 2019 VM to give this a try. I can confirm the correct syntax is `-b OU=InnerFolder,OU=OuterFolder`. So if I have the following structure:



Then the commands would be:

msktutil -N -c -b 'OU=Test,OU=Machines' -s VIRTUALBOX/virtualbox.nots.local -k my-keytab.keytab - -computer-name VIRTUALBOX - -upn VIRTUALBOX$ - -server winserver19.nots.local - -user-creds-only
msktutil -N -c -b 'OU=Test,OU=Machines' -s VIRTUALBOX/virtualbox -k my-keytab.keytab - -computer-name VIRTUALBOX - -upn VIRTUALBOX$ - -server winserver19.nots.local - -user-creds-only

After that, the machine was in the Machines/Test directory, as you can see above.

If you'd like to thank me for doing the work for you, please join the Nerd Club.


AngusBogus Yorgle I also repeated the process on an Ubuntu 20.04 machine, and did not have any unexpected output from msktutil. You should not need to "grant all users write access to /etc," that sounds like a bad idea in general and if there was a permissions issue (which I'm not seeing), you should try to fix it in a more precise way than that.
Online now: No Back to the top

Post

Posted
Rating:
#553
Avatar
Standard member
Many Thanks Jacob .

I will try this as soon as possible.

 
Online now: No Back to the top

Post

Posted
Rating:
#555
Avatar
Standard member
Hi Jacob !

You were right ! It's ok with msktutil new command but I still can't access to Internet and I think it's because all windows computer have a different DNS name compared to the Linux computer.

Here is the Linux machine properties :
Image1.png


And here what it should be like all other windows machine :
Image2.png

So perhaps there is a missing or wrong parameter in the msktutil command… Or something else that I don't know… I think this is the last step before the success for me but I need your help to achieve…

 

Last edit: by Magellan

Online now: No Back to the top

Post

Posted
Rating:
#562
Avatar
Standard member
Please, someone to help me ? I just need to change the DNS name with (I think) the right msktutil command. Has anybody a solution for me ?
Online now: No Back to the top

Post

Posted
Rating:
#584
Avatar
Standard member
I have a home office with linux and windows machines. I'd like to authenticate against my Synology Directory Server. I've got the Win10 machines connecting no problem. I followed your procedure with no errors on a Mint20 VM that I'm testing.  I can su to a domain user at the terminal but I don't get the option to login as domain user at the Cinnamon login prompt.

Any thoughts would be appreciated.

My aplogies for being so quick to post. Allow manual logins must be enabled on Cinnamon; under Settings/Login.

Also, geat video, it was a big help!

Last edit: by Gator

Online now: No Back to the top
1 guest and 0 members have just viewed this.