Domain join from Opensuse

razaidlitz · August 3, 2019, 5:06am

Hello Guys
I’m having trouble with connecting my OpenSUSE leap 5 desktop to my UCS domain.
i will really appreciate your help if you guys can guide me on how to do that.

Thank you so much!

Raz

razaidlitz · October 26, 2019, 2:17pm

anyone? please help
can someone send the steps to join opensuse machine to ucs?

externa1 · October 26, 2019, 7:42pm

be sure to have the UCS DC as parimary DNS server configured on your opensuse machine

Open Yast
under network services select windows Domain membership
under domain/workgroup enter the domain name full qualified and select join
give domain administrator and password
thats it

after that you may login with user e.g. domain\username
rg

razaidlitz · October 27, 2019, 9:56am

Hello externa1
Thank you for your replay.

sorry i didn’t explain myself clearly.
Im looking for a way to connect Opensuse to UCS with LDAP (like they do with Univention domain join assistant to join ubuntu machine)

its very difficult to do that with Linux distributions unless you have Ubuntu.
I couldn’t find any documentation or guides to do that (in the UCS docs they dont really explain)

Please help

Thank you,

Raz

IT-Bizz · October 28, 2019, 11:00am

OpenSuse, I am not really familiar with, however, connecting Ubuntu and Zorin (also Ubuntu based) works like a charm, following instructions from here https://computingforgeeks.com/install-and-configure-samba-server-share-on-debian-ubuntu/
Important: you need to add the primary domain server to /etc/hosts

razaidlitz · October 30, 2019, 10:46am

Hey IT-Bizz

Thank you for your answer.

but in want to find a way to connect Opensuse to UCS with LDAP and not with Active Directory.

someone here knows how to?

externa1 · October 30, 2019, 11:22am

This shoud also be possible throu yast - network settings - ldap & kerberos auth

but did not try this as my ucs servers acts as windows AD (samba4) servers

rg
Christian

IT-Bizz · November 1, 2019, 6:12am

How and what you want to connect? Where exactly is the problem?

razaidlitz · November 4, 2019, 12:03pm

Hey guys
Im Trying to connect to ucs with ldap and not with active directory.

the main problems with connecting with ad:
1.users does not connect with the shell and the home directory i chose on ucs user options (account -> Posix(linux/unix)

2.after connecting to the domain with ad opensuse sees the group id’s as active directory domain id’s which is problem for me because we have lots of data in share folders with unix group id’s.

I’ve tried to connect with ldap many times but with no success…
i’d really appreciate it if you guys help me figure out how to do that…

thanks.

razaidlitz · November 8, 2019, 9:14am

Hey Guys,
any idea?

Thanks

Raz

lebernd · November 8, 2019, 3:30pm

Yes, only Ubuntu has a fully automated join script. So every other distro is more difficult.

As it wasn’t linked here: https://docs.software-univention.de/domain-4.4.html#ext-dom-unix
This would be the documentation.

Depending on how fit you are with bash-scripts and Opensuse package management, perhaps you can rewrite the scripts from https://docs.software-univention.de/domain-4.4.html#ext-dom-ubuntu or at least use parts for the Openldap configuration.
But true: a misreading of §2.4 and §2.5 has the potential of messing up your system - including: being locked out for good - if you don’t fully understand nss and pam (or at least handle every change with care and backup strategy).

That beeing said: after adjusting the system as described in the not so difficult parts §§2.1-2.3 - I would start with the LDAP configuration and there the crutial part will be:

Registering your Opensuse-Computer as a Linux Computer on the UCS master-server
Copy the CAcert from master-server to opensuse and
Modify your Openldap config and test it with different accounts.

All that being said - isn’t it perhaps more promising to follow the Opensuse-way and use AD https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha-samba.html#sec-samba-adnet ?

I’m not sure what you mean by that. How should they login and what home directory do you wish to use? Is the setting you made in UCS not working? If so - this would be a well defined problem for a single thread here in the forum.
EDIT: How is your computer registered in UCS, when you just join from OpenSuse? As windows- or linux-computer? Are some of the following problems due to a ‘misregistration’ of opensuse as windows-computer? Have you tried to register opensuse from UMC first as linux-computer?

Ok - so there is a NAS that is not joined to the domain? How is the current user mapping between NAS and UCS - manual, LDAP? Why not join it to UCS AD?
But also here - perhaps a question for a single help thread?

Hope this helps,
Bernd

razaidlitz · November 12, 2019, 8:58am

Hey Lebernd
first of all, Thank you for your answer and your time.

I did try to use ubuntu scripts to fully/half join Opensuse to UCS. it didn’t work out so well.
and yes I agree with you that doing something like that can crash services configuration and make trouble.

"That beeing said: after adjusting the system as described in the not so difficult parts §§2.1-2.3 - I would start with the LDAP configuration and there the crutial part will be:

Registering your Opensuse-Computer as a Linux Computer on the UCS master-server
Copy the CAcert from master-server to OpenSUSE and
Modify your Openldap config and test it with different accounts."
I also tried that, it’s just can’t connect to UCS Ldap (no connection problem, I saw with telnet that the port is listening)

“I’m not sure what you mean by that. How should they login and what home directory do you wish to use? Is the setting you made in UCS not working? If so - this would be a well defined problem for a single thread here in the forum.” when im connecting with AD the ucs ignores the UNIX attributes.
so im not sure that its a problem, UCS just think that my OpenSUSE uses windows attributes (home folder, group and user ids)

3.“Ok - so there is a NAS that is not joined to the domain? How is the current user mapping between NAS and UCS - manual, LDAP? Why not join it to UCS AD?
But also here - perhaps a question for a single help thread?”

I would connect the NAS server to the domain but it didn’t work.
its NetApp storage and it didn’t work to connect it with ad or with LDAP.
so I had to make share folder permissions manually (we need it to be UNIX permissions)

I hope it explains things.
again, thank you for your time

Raz

lebernd · November 12, 2019, 8:31pm

Hey @razaidlitz

Well, that is of course very vague…

I’ve just tried this with a mixture of yast and doc-scripts and it works pretty good (as long as you don’t use different password across the udm ldap and ldap conf .)

Can you please post the output of those commands:

cat /etc/hosts
cat /etc/openldap/ldap.conf
cat /etc/sssd/sssd.conf
cat /etc/krb5.conf
zypper se libheimdal
zypper se krb5-client

I could perhaps post the scripts I used in the next days.

Edit: Well an initial join worked - but now I have strange sssd kerberos behavior - I will have to look into this a little bit more…

Edit2: vm opensuse leap 15.1
Working: login with UCS-LDAP user. (Local home directory - gets created on login)

Best,
Bernd

eegclbugs · May 4, 2020, 2:02pm

Dear Bernd,

could you please post your scripts as this is what we want exactly to do, joining Opensuse Leap 15.1 clients via LDAP with our new UCS server. Thank you very much,

Greetings Nina

lebernd · May 4, 2020, 6:49pm

Dear Nina @eegclbugs ,

it is 6 months ago and I didn’t touch any of the files since then… but you can check them at: https://github.com/Lebernd/ucs-client-join-scripts

I don’t remember well but I guess I’ve used:
1ubu.sh 2ubu.sh 3suse-1.sh 3suse-2.sh 7suse.sh

you have to modify 1ubu.sh and 2ubu.sh for IP and hostname.

Take a look at the screenshot folder where I documented the yast part.

As I said - this is quite ugly - not well documented and I didn’t test it now. But I’ve managed the join like this 6 months ago.

Best,
Bernd