Ubuntu 20 on Active Directory — wrong user and group IDs assigned

I’m trying to join my Ubuntu 20 virtual machine to our Active Directory setup. Everything seems to be working, except the user IDs shown for users do not match what is in Active Directory. This means that (among other problems) users cannot access their home directories which are served/mounted from another server.

The user ID for rgoodman should be as shown here (from the non-working machine):

$ ls -ld /home/rgoodman
drwxr-xr-x 70 1101210 1100513 12288 Feb 23  2019 /home/rgoodman

On a working server (which is actually running CentOS), I see this:

$ id rgoodman
uid=1101210(rgoodman) gid=1100513(domain users) groups=1100513(domain users),1101210(rgoodman),1110778(customer-support-sg),1110770(cacti-sg),1110867(software-development-sg),1110838(phoenix-dev-sg),1000001(BUILTINusers)

On my server which isn’t working, I see this:

$ id rgoodman
uid=945201210(rgoodman) gid=945200513(domain users) groups=945200513(domain users),945210867(software-development-sg),945210838(phoenix-dev-sg),945210778(customer-support-sg),945210770(cacti-sg)

It’s interesting that the end of each number is the same, but the prefix is different. How do I change the prefix on this machine to match what is in AD? Is the BUILTINusers at the end of the working machine’s list a clue?

Author: RGoodman
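The two `id` outputs differ by a constant offset because both hosts build the numeric ID from the account's RID (the last part of its SID) plus a per-host base; 513 is the well-known RID of "Domain Users", which lets the base be solved directly. The following Python script is an added example, not from the post: it parses the two `id` lines quoted above (copied here as constructed strings) and recovers the base and RIDs on each host. The `SSSD_RANGE_*` constants are the documented defaults of sssd's automatic ID mapping; everything else is derived from the post.

```python
import re

DOMAIN_USERS_RID = 513          # well-known RID of the "Domain Users" group
SSSD_RANGE_MIN = 200000         # sssd.conf default ldap_idmap_range_min
SSSD_RANGE_SIZE = 200000        # sssd.conf default ldap_idmap_range_size

# Constructed copies of the `id rgoodman` output from the two hosts in the post.
WORKING = ("uid=1101210(rgoodman) gid=1100513(domain users) "
           "groups=1100513(domain users),1101210(rgoodman),"
           "1110778(customer-support-sg),1000001(BUILTINusers)")
BROKEN = ("uid=945201210(rgoodman) gid=945200513(domain users) "
          "groups=945200513(domain users),945210778(customer-support-sg)")


def parse_id(output):
    """Map every name in an `id` line to its numeric uid/gid."""
    return {name: int(num) for num, name in re.findall(r"(\d+)\(([^)]+)\)", output)}


def infer_base(ids):
    """Base of an algorithmic mapping (id = base + RID), solved from Domain Users."""
    return ids["domain users"] - DOMAIN_USERS_RID


def rids(ids):
    """Strip the base from every id that lies in the domain's range."""
    base = infer_base(ids)
    return {name: num - base for name, num in ids.items() if num >= base}


def sssd_slice(base):
    """Slice index if `base` sits on an sssd auto-mapping boundary, else None."""
    offset = base - SSSD_RANGE_MIN
    if offset >= 0 and offset % SSSD_RANGE_SIZE == 0:
        return offset // SSSD_RANGE_SIZE
    return None


def compare(working_output, broken_output):
    """Bases, shared RIDs and out-of-range names for two `id` lines."""
    w, b = parse_id(working_output), parse_id(broken_output)
    wr, br = rids(w), rids(b)
    common = sorted(set(wr) & set(br))
    return {
        "working_base": infer_base(w),
        "broken_base": infer_base(b),
        "rids": {name: wr[name] for name in common},
        "same_rids": all(wr[n] == br[n] for n in common),
        # ids below the base come from another idmap range (e.g. BUILTIN)
        "outside_domain_range": sorted(set(w) - set(wr)),
    }


if __name__ == "__main__":
    for key, value in compare(WORKING, BROKEN).items():
        print(f"{key}: {value}")
```

Run as-is it reports a base of 1100000 on the CentOS host and 945200000 on the Ubuntu host with identical RIDs (1210 for rgoodman, 513 for Domain Users). The Ubuntu base lies exactly on an sssd auto-mapping slice (`ldap_id_mapping = True`), while 1100000 does not, so the CentOS box is using a different source for its IDs, either POSIX attributes stored in AD or another fixed-base scheme; `BUILTINusers` at 1000001 is outside the domain range, i.e. it comes from the separate default range, which is the clue the poster suspected. The fix is to make both hosts use the same source: if AD carries `uidNumber`/`gidNumber`, set `ldap_id_mapping = False` in the `[domain/...]` section of sssd.conf; otherwise replicate the working host's mapping on the new one.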

List the user names in a specific OU + the groups

I need to write a PowerShell script to list the user names in a specific OU + the groups the user belongs to (but I need to list a specific group and not see all groups).

Ex : OU : A

Users under OU A

they are members of the groups X Y Z …

I have found this one:

# Query every user below the search base; "OU" is the placeholder from the post
Get-ADUser -Filter * -Properties samaccountname,memberof,description -SearchBase "OU" |
foreach {
    $sam = $_.samaccountname
    $description = $_.description

    # One output object per (user, group) pair; $_ is still the current user here
    foreach ($group in $_.memberof) {
        New-Object PSObject -Property @{
            UserName = $_.samaccountname;
            Desc = $_.description
            # Take the first RDN of the group DN and drop the leading "CN="
            Group = ($group -split ",")[0].Substring(3)
        }
    }
} | select username,Desc,Group

But it will list all groups for the user, and I want to show all users and their groups (but not all groups, just Y and X).

I want to list all user names in OU A and the groups (but I want to see just groups Y and X).
Can someone help me please?

Thanks

Author: Adam2020
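The filtering step the poster asks for is a matter of extracting the CN from each `memberOf` DN and keeping only the wanted names. The Python below is an added example (not the poster's script and not AD cmdlet output): it works on constructed rows in the shape `Get-ADUser` returns, extracts the CN while honouring RFC 4514 escaping, and filters against a wanted set. The group names `X`, `Y`, `Z`, the user names and the `DC=example,DC=com` suffix are all constructed. It also shows one edge case the `-split ","` approach in the post gets wrong: a group whose CN itself contains an escaped comma.

```python
import re

WANTED_GROUPS = {"X", "Y"}   # constructed: the groups the poster wants to keep

# Constructed sample rows in the shape Get-ADUser returns (samAccountName, memberOf).
SAMPLE_USERS = [
    {"samAccountName": "alice", "memberOf": [
        "CN=X,OU=Groups,DC=example,DC=com",
        "CN=Z,OU=Groups,DC=example,DC=com"]},
    {"samAccountName": "bob", "memberOf": [
        "CN=Y,OU=Groups,DC=example,DC=com",
        "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com"]},   # escaped comma in CN
    {"samAccountName": "carol", "memberOf": []},
]

# A comma that is not preceded by a backslash separates RDNs (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def cn_of(dn):
    """Return the CN of a DN, removing RFC 4514 backslash escapes from it."""
    first_rdn = _RDN_SPLIT.split(dn, 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"DN does not start with a CN RDN: {dn}")
    return re.sub(r"\\(.)", r"\1", value)


def users_in_groups(users, wanted):
    """(samAccountName, group) pairs restricted to groups in `wanted`."""
    rows = []
    for user in users:
        for dn in user["memberOf"]:
            name = cn_of(dn)
            if name in wanted:
                rows.append((user["samAccountName"], name))
    return rows


if __name__ == "__main__":
    for sam, group in users_in_groups(SAMPLE_USERS, WANTED_GROUPS):
        print(f"{sam}\t{group}")
```

The same idea transfers back to PowerShell by testing the extracted name against the wanted list before emitting the object. Splitting on every comma would turn `CN=Sales\, EMEA` into `Sales\`, so a lookbehind split (or a proper DN parser) is the safer choice whenever group names may contain commas.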

How to have only one login for multiple websites on the same linux machine?

I’m having multiple websites (like mediawiki, gitea and kanboard) and I’m thinking about making the login the same on all services.

But how do I do that?

I looked at AD but I read that it’s Windows only?
I also heard about “FreeIPA” but I read that it’s used for linux client machines?
Google is sadly not really helping me with that, as the question is too broad to get good results.

All I want is to make the logins on all my websites the same, so that if I create a user (or change password) once it gets updated on every website/service.
I don’t necessarily need the client OS (example: windows login) to be involved, but if that is necessary then I will do that.

Any help or directions would be greatly appreciated.

BR
Chris

Author: Chris

LDAP + SAMBA problems

After setting up my OpenLDAP on CentOS 7 I got a problem while integrating Samba!
I followed the steps of many tutorials,
example: https://admin.shamot.cz/?p=470
but I found a problem while typing this command:
net getlocalsid
I got an error:
ailed to bind to server ldap://172.16.0.180 with dn=”cn=ldapadm” Error: Invalid credentials
(unknown)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
pdb backend ldapsam:ldap://172.16.0.180 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
WARNING: Could not open passdb

Author: Bruce

AD users unable to access Samba Share

I have a RHEL 7.6 server joined to AD using sssd and realm. I am able to ssh into the Linux servers as AD users, but the same users are unable to access the Samba share configured in the server. When I try to access the share from Windows Server 2012 R2 Standard, it keeps prompting me for the password.

This is how I configured smb.conf

client signing =yes
client use spnego =yes
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
###ntlm auth =yes

template homedir = /home/%U

idmap config * : backend = tdb
idmap config * :  range = 10000-199999
idmap config DOMAIN: backend = sss
idmap config DOMAIN : range = 200000-2147483647

Please check and let me know how I can let AD users access the shared directories.

Author: rohit pillai
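Both the OpenLDAP post above and this one come down to smb.conf settings, so here is one added example for both (written for this page, not taken from either post or from Samba itself): a small Python lint that parses an smb.conf and checks the two things those settings must satisfy. For an AD member, every idmap range must exist, have a backend and not overlap another range. For an ldapsam backend, `ldap admin dn` must be the full DN of the admin entry; the error quoted above shows Samba binding as the bare `cn=ldapadm`. The three config fragments are constructed: the first follows the settings quoted in this post, the second reuses the server address and admin DN from the OpenLDAP post's error message with a placeholder suffix, and the third is a deliberately overlapping variant.

```python
import re

# Constructed smb.conf fragments (realm, workgroup and suffix are placeholders).
AD_MEMBER_CONF = """
[global]
   security = ads
   realm = EXAMPLE.COM
   workgroup = DOMAIN
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 10000-199999
   idmap config DOMAIN: backend = sss
   idmap config DOMAIN : range = 200000-2147483647
"""

LDAPSAM_CONF = """
[global]
   passdb backend = ldapsam:ldap://172.16.0.180
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=ldapadm
"""

OVERLAP_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-299999
   idmap config DOMAIN : backend = sss
   idmap config DOMAIN : range = 200000-2147483647
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with normalised keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        # Collapse whitespace and the spacing around ':' so that
        # "DOMAIN: backend" and "DOMAIN : backend" name the same option.
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split()).lower())
        conf.setdefault(section, {})[key] = value.strip()
    return conf


def idmap_ranges(global_section):
    """{domain: (low, high)} for each 'idmap config <domain> : range' option."""
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, _, high = value.partition("-")
            ranges[m.group(1)] = (int(low), int(high))
    return ranges


def lint_idmap(conf):
    """Problems an AD member's idmap configuration must not have."""
    g = conf.get("global", {})
    ranges = idmap_ranges(g)
    problems = []
    if "*" not in ranges:
        problems.append("missing default range: 'idmap config * : range'")
    for dom, (low, high) in ranges.items():
        if low >= high:
            problems.append(f"empty range for {dom}: {low}-{high}")
        if f"idmap config {dom}:backend" not in g:
            problems.append(f"range without backend for {dom}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems


def lint_ldapsam(conf):
    """Problems an ldapsam passdb configuration must not have."""
    g = conf.get("global", {})
    if not g.get("passdb backend", "").startswith("ldapsam"):
        return []
    problems = []
    suffix = g.get("ldap suffix", "").replace(" ", "").lower()
    admin = g.get("ldap admin dn", "").replace(" ", "").lower()
    if not suffix:
        problems.append("ldapsam without 'ldap suffix'")
    if not admin:
        problems.append("ldapsam without 'ldap admin dn'")
    elif suffix and not admin.endswith("," + suffix):
        problems.append(f"'ldap admin dn = {admin}' does not end in the suffix; "
                        "check it is the full DN of the admin entry")
    return problems
```

Samba takes the bind password for `ldap admin dn` from secrets.tdb, where `smbpasswd -w` stores it, so an "Invalid credentials" bind failure means either that stored password or the DN itself does not match an entry on the LDAP server. For the `sss` idmap backend, winbind also needs sssd's idmap plugin installed (the `sssd-winbind-idmap` package on RHEL), and the `DOMAIN` range must cover the IDs sssd actually hands out, which the fragment above does with sssd's default minimum of 200000.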

Slow Application with User Accounts from other Domain – Active Directory Domain Trust Issue?

I have a strange issue and hope someone can help me finding the cause.

Environment:

  • 2 companies (let’s say Company A and Company B) with separate IT infrastructures.
  • Each one has its own network, own active directory, etc.
  • Company A is hosting an RDS terminal server environment with a specific business application.
  • Company B needs to get access to this application on the terminal servers.
  • Between Company A and Company B there is a site-to-site VPN.
  • We created an Active Directory domain trust between them.
  • The VPN traffic is filtered with a firewall …
  • … We only allow the domain controllers from Company A and from Company B to talk to each other in both directions with this ports:
    tcp-udp/389, tcp-udp/464, tcp-udp/88, tcp-udp/53, tcp/135, tcp/3268, tcp/3269, tcp/445, tcp/49152-65535, tcp/636, tcp/139, udp/123.
  • … The client network from Company B is allowed to access the terminal servers from Company A with tcp/3389.
  • … Any other communication is blocked by firewalls at both companies.

Issue:

Company B clients can log in onto the terminal servers from Company A with their own domain user accounts from Company B. They can open and use the business application, too. So far so good.

The issue is that the application is really slow and freezing permanently.

When I log in from a Company B client onto the terminal servers with a domain user account from Company A, then it seems like there are no problems. The application is not freezing. I tried to figure out what the cause of this problem is, but I don’t get it. It seems like the problem only occurs with users from the Company B Active Directory domain. Maybe some problem with the trust?

I tried to figure out what the application is doing exactly when it freezes or responds slowly. I looked into TcpView from Sysinternals and I can see that “lsass.exe” processes are getting added into the list one after the other at the moment when the application freezes. Maybe this could be a hint? But I don’t know how I could further troubleshoot this problem.

Any ideas?

Author: Niko21
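The policy in the post is precise enough to model: DC-to-DC traffic on the listed ports in both directions, Company B clients to the Company A terminal servers on RDP, and nothing else across the VPN. The Python below is an added example (not from the post) that parses that port list and classifies a handful of constructed connection attempts, in the shape of TcpView rows, against the policy. The address plan uses RFC 5737 documentation prefixes, and the attempts, including the lsass.exe ones from a terminal server, are constructed; the point it shows is which flows the written rules permit, so that any connection seen in TcpView can be checked against the policy rather than guessed at.

```python
import ipaddress

# The port list quoted in the post, allowed between the two companies' DCs.
DC_PORT_SPEC = ("tcp-udp/389, tcp-udp/464, tcp-udp/88, tcp-udp/53, tcp/135, "
                "tcp/3268, tcp/3269, tcp/445, tcp/49152-65535, tcp/636, tcp/139, udp/123")


def parse_port_spec(spec):
    """'tcp-udp/389, tcp/49152-65535' -> [('tcp',389,389),('udp',389,389),('tcp',49152,65535)]"""
    allowed = []
    for item in spec.split(","):
        protos, _, ports = item.strip().partition("/")
        low, _, high = ports.partition("-")
        for proto in protos.split("-"):
            allowed.append((proto, int(low), int(high or low)))
    return allowed


# Constructed address plan using documentation prefixes, not the real networks.
ZONES = {
    "dc_a":      ipaddress.ip_network("192.0.2.0/28"),
    "ts_a":      ipaddress.ip_network("192.0.2.64/28"),
    "dc_b":      ipaddress.ip_network("198.51.100.0/28"),
    "clients_b": ipaddress.ip_network("198.51.100.128/25"),
}

# The policy as described: DC<->DC on the listed ports, B clients -> A terminal
# servers on RDP, everything else across the VPN blocked.
RULES = [
    ("dc_a", "dc_b", parse_port_spec(DC_PORT_SPEC)),
    ("dc_b", "dc_a", parse_port_spec(DC_PORT_SPEC)),
    ("clients_b", "ts_a", parse_port_spec("tcp/3389")),
]


def zone_of(ip):
    """Name of the zone an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def is_allowed(src_ip, dst_ip, proto, port):
    """True if the cross-site policy permits this flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(s == src and d == dst
               and any(p == proto and lo <= port <= hi for p, lo, hi in ports)
               for s, d, ports in RULES)


# Constructed attempts in the shape of TcpView rows: (process, local, remote, proto, port).
ATTEMPTS = [
    ("lsass.exe", "192.0.2.65",     "198.51.100.2", "tcp", 445),    # TS in A -> DC in B
    ("lsass.exe", "192.0.2.65",     "198.51.100.2", "tcp", 389),    # TS in A -> DC in B
    ("lsass.exe", "192.0.2.2",      "198.51.100.2", "tcp", 88),     # DC A -> DC B (Kerberos)
    ("lsass.exe", "192.0.2.2",      "198.51.100.2", "tcp", 50000),  # DC A -> DC B (RPC dynamic)
    ("mstsc.exe", "198.51.100.200", "192.0.2.65",   "tcp", 3389),   # B client -> TS in A
    ("w32tm.exe", "198.51.100.2",   "192.0.2.2",    "udp", 123),    # DC B -> DC A (NTP)
]


def classify(attempts):
    """[(process, src_zone, dst_zone, 'proto/port', 'allowed'|'blocked'), ...]"""
    return [(proc, zone_of(src), zone_of(dst), f"{proto}/{port}",
             "allowed" if is_allowed(src, dst, proto, port) else "blocked")
            for proc, src, dst, proto, port in attempts]


if __name__ == "__main__":
    for row in classify(ATTEMPTS):
        print(*row, sep="\t")
```

Under these rules the only hosts in Company A with any path to Company B's domain controllers are Company A's own DCs; a connection that lsass.exe on a terminal server opens toward a Company B DC falls outside the policy and would sit waiting until it times out. Checking the remote addresses TcpView shows against the zones like this tells you whether that is what the observed lsass.exe entries are.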

Login names between sub domains in Active Directory

If I create two subdomains (sub1.domain.com and sub2.domain.com) under my parent domain (domain.com), can different users have the same login in the different subdomains? Or do logins need to be different across the forest?

  • jsmith@domain.com
  • jsmith@sub1.domain.com
  • jsmith@sub2.domain.com

Is this perfectly fine, or will sub1 and sub2 conflict with the parent domain? Or will all 3 conflict with each other?

Author: GSerrano

ASP.NET Identity using only Active Directory

We have an existing ASP.NET web app that is using Microsoft.AspNet.Identity framework. The previous developer wrote the code for this and unfortunately I don’t have much experience with it. It currently allows users to create an account on our app and that gets saved to the AspNetUsers table. I’m assuming that’s the default way accounts are stored with this framework.

This has been working well so far, but we want to expand our functionality in a way that we think would be better if accounts were stored in Active Directory. Ideally users would have a single login that would allow the following:

  • Login to our web app.
  • Ability to change password via the web app.
  • Log into SQL Server Reporting Services portal.
  • Log into SSRS server when building reports in Report Builder.
  • Provide database access as follows:
    • Only be able to see and SELECT from a handful of views.
    • These views would be able to filter data based on the user.
    • There would be groups that the user belongs to. Each group has ownership of a schema in the database. Members of the group would have full access to that schema.

With the current AspNetUsers table implementation, users can create accounts, login and reset password. For the SSRS functionality we’ve been creating a separate user in AD manually. So at this point, the user has two accounts to deal with, though they could use the same username/password so that it seems like one.

On the database access it is a little complicated, but seems to work:

  1. First, our users belong to one or more “Organizations”. And really that’s pretty much like a group, but it doesn’t use any kind of built in group functionality. We basically have an Organizations table in the database and then an OrganizationUser table that links AspNetUsers to Organizations.

  2. Each Organization has a Data Source in SSRS. Depending on what Organization the user is writing reports for, they will choose the appropriate Data Source. Organizations have corresponding local DB logins and that is the login used by the SSRS Data Source.

  3. On the database itself, the Organization login has ownership of its own schema. The schema is there so that users can store and retrieve tables of their own design. This is mainly for pre-computing of data for use in reports. The login also has access to a few views in the dbo schema. Those views utilize the DB login to determine what Organization it’s dealing with. That’s used to filter out any data that is “owned” by an AspNetUser entry that isn’t linked to the Organization.

As you can see, we also end up with a third Organization login on the database which is not really ideal either. Plus, we’re also seeing a need to have a user-level login because we also want to add a database view that only shows the users data rather than the data for the entire Organization.

I should also mention that I’d really like if, when a user creates an account, it gets created in AD rather than the database. I haven’t been able to find an example of being able to do this. There seems to be a lot of examples on how to login to AD, but not to create the account in the first place. I suppose I could keep the existing AspNetUsers implementation and write some AD code alongside all the existing endpoint code, however that seems like a waste if there was some way to just do it all in AD.

I was going to post on StackOverflow to see if anyone could help me on getting Microsoft.AspNet.Identity to create users in AD, but I decided it might be a good idea to get some feedback on this design before I go down that route, as I’m wondering whether it’s a good idea or not.

I know one of the concerns my co-worker brought up was getting too many accounts in AD. I don’t think it’s a big issue. This isn’t the type of application that would have a lot of users. His other concern was getting tied too close to a Microsoft stack, but I don’t think that’s a big problem either.

Author: Dan