Steve Hoenisch
Mon, 26 Jan 2009 10:49:28 -0800
Hi Art: Here's a check list for troubleshooting:
Solve Logon Problems on Linux or Unix
To troubleshoot problems logging on a Linux computer with Active
Directory credentials after you joined the computer to a domain, perform
the following series of diagnostic tests sequentially with a root
account. The tests can also be used to troubleshoot logon problems on a
Unix or Mac OS X computer; however, the syntax of the commands on Unix
and Mac might be slightly different.
Make Sure You Are Joined to the Domain
Execute the following command:
/opt/likewise/bin/domainjoin-cli query
If you are not joined, see Join Active Directory with the Command Line.
Check Whether You Are Using a Valid Logon Form
When troubleshooting a logon problem, use your full domain credentials:
DOMAIN\username. Example: likewisedemo.com\hoenstiv.
When logging on from the command line, you must escape the slash
character with a slash character, making the logon form
DOMAIN\\username. Example: likewisedemo.com\\hoenstiv.
To view a list of logon options, see About Logging On.
Clear the Cache
You might need to clear the cache to ensure that the client computer
recognizes the user's ID. See Clear the Authentication Cache.
Destroy the Kerberos Cache
Clear the Likewise Kerberos cache to make sure there is not an issue
with a user's Kerberos tickets. Execute the following command at the
shell prompt with the user account that you are troubleshooting:
/opt/likewise/bin/kdestroy
Check the Status of the Likewise Authentication Daemon
Check the status of the authentication daemon on a Unix or Linux
computer running the Likewise Agent by executing the following command
at the shell prompt as the root user:
/sbin/service lsassd status
If: The result looks like this:
    lsassd is stopped
Do this: Restart the daemon.

If: The result looks like this:
    lsassd (pid 1783) is running...
Do this: Proceed to the next test.
Check Communication between the Likewise Daemon and AD
Verify that the Likewise daemon can exchange data with AD by executing
this command:
/opt/likewise/bin/lw-get-dc-name FullDomainName
Example: /opt/likewise/bin/lw-get-dc-name likewisedemo.com
If: The result does not show the name and IP address of your domain
controller
Do this:
1. Make sure the domain controller is online and operational.
2. Check network connectivity between the client and the domain
controller.
3. Join the domain again.
4. View log files.

If: The result shows the correct domain controller name and IP address
Do this: Proceed to the next test.
Verify that Likewise Can Find a User in AD
Verify that the Likewise agent can find your user by executing the
following command, substituting the name of a valid AD domain for
domainName and a valid user for ADuserName:
/opt/likewise/bin/lw-find-user-by-name domainName\\ADuserName
Example: /opt/likewise/bin/lw-find-user-by-name likewisedemo\\hab
If: The command fails to find the user
Do this:
1. Check whether the computer is joined to the domain by executing
the following command as root:
    domainjoin-cli query
Displays the hostname, current domain, and distinguished name, which
includes the OU to which the computer belongs. Make sure the OU is
correct. If the computer is not joined to a domain, it displays only the
hostname.
2. Check Active Directory to make sure the user has an account. If
you are using Likewise Enterprise, also ensure that the user is
associated with the correct cell.
3. Check whether the same user is in the /etc/passwd file. If
necessary, migrate the user to Active Directory.
4. Make sure the AD authentication provider is running by proceeding
to the next test.

If: The user is found
Do this: Proceed to the PAM test later in this topic.
Make Sure the AD Authentication Provider Is Running
Likewise includes two authentication providers:
1. The local provider
2. The Active Directory provider
If the AD provider is not online, users are unable to log on with their
AD credentials. To check the status of the authentication providers,
execute the following command as root:
/opt/likewise/bin/lw-get-status
A healthy result should look like this:
LSA Server Status:
Agent version: 5.0.0
Uptime: 2 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: likewisedemo.com
Forest: likewisedemo.com
Site: Default-First-Site-Name
[r...@rhel4d bin]#
An unhealthy result will not include the AD authentication provider or
will indicate that it is offline. If the AD authentication provider is
not listed in the results, restart the authentication daemon.
If the result looks like the line below, check the status of the
Likewise daemons to make sure they are running.
Failed to query status from LSA service. The LSASS server is not
responding.
Switch User to Check PAM
Verify that a user's password can be validated through PAM by using the
switch user service. Either switch from a non-root user to a domain user
or from root to a domain user. If you switch from root to a domain user,
run the command below twice so that you are prompted for the domain
user's password:
su DOMAIN\\username
Example: su likewisedemo\\hoenstiv
If: The switch user command fails to validate the user
Do this: Generate a PAM debug log.
Also, check the following log files for error messages (the location of
the log files varies by operating system):
/var/log/messages
/var/log/secure
Test SSH
Check whether you can log on with SSH by executing the following
command:
ssh domain\\usern...@localhost
Example: ssh likewisedemo.com\\hoens...@localhost
Additional Diagnostic Tools
There are additional command-line utilities that you can use to
troubleshoot logon problems in the following directory:
/opt/likewise/bin
See Also
Resolve an AD Alias Conflict with a Local Account
________________________________
(c) 2008 Likewise Software. All rights reserved. For more information,
contact i...@likewisesoftware.com or visit www.LikewiseSoftware.com
<http://www.likewisesoftware.com/> .
Steve Hoenisch
Technical Editor and Writer
Likewise Software Inc.
T 425.378.7887 F 425.848.8200 E shoeni...@likewise.com
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
www.likewise.com
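
The following is an added example, not part of the original message or of Likewise's own tooling. It classifies lw-get-status output as the "Make Sure the AD Authentication Provider Is Running" step describes, reading the Status line only inside the AD provider's section so that an online local provider is not mistaken for a healthy AD provider. The function names, the "Status: Offline" wording and the follow-up for the offline case are assumptions.

```shell
#!/bin/sh
# Classify lw-get-status output read from stdin (added example).
# Prints one of: online | offline | missing | no-response
ad_provider_state() {
    awk '
        /Failed to query status from LSA service/ { noresp = 1 }
        /\[Authentication provider:/ {
            # Section header: note whether this is the AD provider block.
            in_ad = ($0 ~ /lsa-activedirectory-provider/)
            if (in_ad) seen = 1
            next
        }
        in_ad && $1 == "Status:" { status = $2 }
        END {
            if (noresp)                  print "no-response"
            else if (!seen)              print "missing"
            else if (status == "Online") print "online"
            else                         print "offline"
        }'
}

# Map a state to the follow-up action from the checklist.
# The action for "offline" is an assumption of this example.
next_step() {
    case "$1" in
        online)      echo "proceed to the PAM test" ;;
        missing)     echo "restart the authentication daemon" ;;
        no-response) echo "check that the Likewise daemons are running" ;;
        *)           echo "re-check the domain controller with lw-get-dc-name" ;;
    esac
}

# Healthy output, abridged from the sample in the checklist.
sample_healthy() {
    cat <<'EOF'
LSA Server Status:
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Domain: likewisedemo.com
EOF
}

# Constructed unhealthy variants (the "Offline" wording is assumed).
sample_offline() { sample_healthy | sed '6s/Online/Offline/'; }
sample_missing() { sample_healthy | sed '5,$d'; }
```

On a host running the Likewise Agent, pipe the real output in as root: /opt/likewise/bin/lw-get-status 2>&1 | ad_provider_state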
-----Original Message-----
From: likewise-open-discuss-boun...@lists.likewisesoftware.com
[mailto:likewise-open-discuss-boun...@lists.likewisesoftware.com] On
Behalf Of Gerald (Jerry) Carter
Sent: Monday, January 26, 2009 10:27 AM
To: Art Alexion
Cc: likewise-open-discuss@lists.likewisesoftware.com
Subject: Re: [Likewise-open-discuss] Can't log in to AD using kdm
Art Alexion wrote:
> Ubuntu 8.10
>
> Installed from repository. Then tried unsuccessfully. Then
> installed the deb from the Likewise site. Tried again. No luck.
>
> Using syntax "domain\user" and even trying "domain\\user",
> can't log in.
>
> What am I doing wrong?
Hey Art. Have you searched the forums for some of the troubleshooting
advice?
http://www.likewisesoftware.com/community/index.php/forums/
I don't want to leave you without an answer, but all of the user
support discussion has moved to the Forums. Much better search
capabilities for things like this.
cheers, jerry
- --
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewise.com
"What man is a man who does not make the world better?" --Balian
_____________________________________________________________________
Likewise-open-discuss mailing list
Likewise-open-discuss@lists.likewisesoftware.com
Found a bug? Please file a report:
http://lobugs.likewisesoftware.com/
Looking for other discussion options? Try our forums:
http://www.likewisesoftware.com/community/index.php/forums/