
I have two servers which were up until recently authenticating against the company's Active Directory domain controller. I believe a recent change to the Active Directory administrator password caused the servers to stop authenticating against AD. I tried to add the servers back to the domain using the command:

domainjoin-cli join example.com adusername

this seemed to work without complaints, but when I try to login via ssh with my domain account, I get an invalid password error. When I run the command:

lw-enum-users

it prints all of the domain users, and looking up my own account, I see that it is valid and my password hasn't expired. I also ran

lw-get-status

and received the following:

LSA Server Status:

Agent version: 5.0.0 Uptime: 0 days 3 hours 35 minutes 46 seconds

[Authentication provider: lsa-activedirectory-provider]

    Status:        Online
    Mode:          Un-provisioned
    Domain:        example.com
    Forest:        example.com
    Site:          Default-First-Site-Name
    Online check interval:  300 seconds
    [Trusted Domains: 1]


    [Domain: EXAMPLE]

            DNS Domain:       example.com
            Netbios name:     EXAMPLE
            Forest name:      example.com
            Trustee DNS name:
            Client site name: Default-First-Site-Name
            Domain SID:       S-1-5-24-1081533780-4562211299-822531512
            Domain GUID:      057f0239-7715-4711-e64b-eb5eeed20e65
            Trust Flags:      [0x001d]
                              [0x0001 - In forest]
                              [0x0004 - Tree root]
                              [0x0008 - Primary]
                              [0x0010 - Native]
            Trust type:       Up Level
            Trust Attributes: [0x0000]
            Trust Direction:  Primary Domain
            Trust Mode:       In my forest Trust (MFT)
            Domain flags:     [0x0001]
                              [0x0001 - Primary]

            [Domain Controller (DC) Information]

                    DC Name:              dc1.example.com
                    DC Address:           10.11.0.103
                    DC Site:              Default-First-Site-Name
                    DC Flags:             [0x000003fd]
                    DC Is PDC:            yes
                    DC is time server:    yes
                    DC has writeable DS:  yes
                    DC is Global Catalog: yes
                    DC is running KDC:    yes

[Authentication provider: lsa-local-provider]

    Status:        Online
    Mode:          Local system

Anyone got any ideas what might be occurring?

Thanks in advance!

purpletonic
  • Additional Info: It would appear that this only affects users who have previously logged onto the server. When another AD user logs onto the system for the first time, they are allowed access. – purpletonic Feb 23 '10 at 10:18

2 Answers


I work for Likewise Software and was forwarded your request for help. The output you have given looks correct and it looks like a properly joined machine.

Please provide me with the following things so I can try to help you out.

  1. OS release (e.g. RHEL 5.3 or Ubuntu 8.10)
  2. Version of Likewise Open (run, without quotes, "cat /opt/likewise/data/VERSION" and post results)
  3. The contents of /etc/likewise/lsassd.conf (run, without quotes, "cat /etc/likewise/lsassd.conf" and post results)

Regards,

Yvo van Doorn

  • Thanks for your help Yvo. 1. The machine is running Ubuntu 9.10. 2. The folder /opt/likewise doesn't exist, which confused me when reading the documentation. Presumably this is because it's an Ubuntu installation? 3. The conf file was found in /etc/likewise-open5/lsassd.conf. I've removed the lines starting with # for brevity, and pasted the results below: – purpletonic Feb 24 '10 at 11:43
  • /etc/likewise-open5/lsassd.conf:

        [global]
        domain-separator = \
        [pam]
        log-level = error
        [auth provider:lsa-activedirectory-provider]
        path = /usr/lib/likewise-open5/liblsass_auth_provider_ad.so
        login-shell-template = /bin/bash
        homedir-template = %H/%D/%U
        ldap-sign-and-seal = false
        cache-entry-expiry = 4h
        machine-password-lifespan = 30d
        space-replacement = ^
        cell-support = unprovisioned
        [auth provider:lsa-local-provider]
        path = /usr/lib/likewise-open5/liblsass_auth_provider_local.so
        password-lifespan = 30d
        password-change-warning-time = 14d

    – purpletonic Feb 24 '10 at 11:43
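As an added example (not code from the original post, from the Likewise project, or from Yvo's answer), the script below parses the lsassd.conf posted in the comment above and flags the settings a security reviewer would check first: ldap-sign-and-seal, which is false in the posted file, and the cache-entry-expiry and machine-password-lifespan windows. The reading given to each option and the thresholds used to flag it are this example's own assumptions, and it does not diagnose the asker's problem; the cache window is reported because the symptom described in the question affected only users who had logged in before.

```python
"""Audit a Likewise Open lsassd.conf for settings a security reviewer would
check first.

Added illustration, not Likewise code.  The option names are the ones in the
configuration posted in the comment above; the meaning assigned to each option
and the thresholds used to flag it are this example's assumptions.
"""
import configparser
import re
from typing import List, Optional

AD_SECTION = "auth provider:lsa-activedirectory-provider"

# Constructed copy of the /etc/likewise-open5/lsassd.conf posted above
# (the poster had already stripped the '#' comment lines).
SAMPLE_CONF = """\
[global]
domain-separator = \\
[pam]
log-level = error
[auth provider:lsa-activedirectory-provider]
path = /usr/lib/likewise-open5/liblsass_auth_provider_ad.so
login-shell-template = /bin/bash
homedir-template = %H/%D/%U
ldap-sign-and-seal = false
cache-entry-expiry = 4h
machine-password-lifespan = 30d
space-replacement = ^
cell-support = unprovisioned
[auth provider:lsa-local-provider]
path = /usr/lib/likewise-open5/liblsass_auth_provider_local.so
password-lifespan = 30d
password-change-warning-time = 14d
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Convert a Likewise duration such as '4h' or '30d' to seconds.

    A bare number is taken as seconds (assumption for this example).
    """
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse lsassd.conf: INI-like '[section]' headers and 'key = value' lines."""
    # interpolation=None: %H/%D/%U is a Likewise home-directory template,
    # not ConfigParser interpolation syntax.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def cache_entry_expiry_seconds(text: str) -> Optional[int]:
    """Seconds a cached user/group entry is served before lsassd re-queries
    the DC (this example's reading of the option), or None if it is not set."""
    cp = load_conf(text)
    if not cp.has_section(AD_SECTION) or not cp.has_option(AD_SECTION, "cache-entry-expiry"):
        return None
    return parse_duration(cp[AD_SECTION]["cache-entry-expiry"])


def audit(text: str, max_cache_seconds: int = 4 * 3600,
          max_machine_password_seconds: int = 30 * 86400) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged.

    Thresholds are this example's assumptions, not Likewise recommendations.
    """
    cp = load_conf(text)
    if not cp.has_section(AD_SECTION):
        return [f"no [{AD_SECTION}] section: AD authentication is not configured"]
    ad = cp[AD_SECTION]
    findings: List[str] = []

    # LDAP queries to the DC carry account lookups; without signing and
    # sealing they are neither integrity-protected nor encrypted on the wire.
    sign_seal = ad.get("ldap-sign-and-seal")
    if sign_seal is None:
        findings.append("ldap-sign-and-seal not set: the daemon default applies")
    elif sign_seal.strip().lower() != "true":
        findings.append("ldap-sign-and-seal is not 'true': LDAP queries to the DC "
                        "are sent without signing or sealing")

    # A cached entry is served as-is until it expires, so a long window means
    # a change made in AD can take that long to be seen on this host.
    expiry = cache_entry_expiry_seconds(text)
    if expiry is None:
        findings.append("cache-entry-expiry not set: the daemon default applies")
    elif expiry > max_cache_seconds:
        findings.append(f"cache-entry-expiry = {expiry}s exceeds the "
                        f"{max_cache_seconds}s window this audit allows")

    lifespan = ad.get("machine-password-lifespan")
    if lifespan is None:
        findings.append("machine-password-lifespan not set: the daemon default applies")
    elif parse_duration(lifespan) > max_machine_password_seconds:
        findings.append(f"machine-password-lifespan = {lifespan.strip()} is longer than "
                        f"{max_machine_password_seconds // 86400} days")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run against the posted file it reports one finding, the unsigned and unsealed LDAP setting; point it at a real /etc/likewise-open5/lsassd.conf by reading the file into a string and passing it to audit().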

This was resolved when my current active directory password expired and I had to set a new one. Still unsure why this occurred though...

purpletonic