2 Replies Latest reply on Mar 11, 2014 1:09 PM by russday

    SGD 4.7 - Cannot enable Active Directory authentication


      I've followed the steps in the Admin Guide, and have a service object created. Running tarantella service list --name service_name produces the following output (obfuscated):

      Name:  service_name
      Enabled: 1
      Url: ad://url_to_dc
      Base-domain: same as above
      Security-mode: kerberos
      Type: ad


      ...all of which looks correct. I've added the recommended log filters. Directory services (server/directoryservices/*) returns the following INFO message when attempting a login:

      No Login authorities are available.
      The configured service objects will not be used.


      When I click the "Test" button in the service object property screen, the above log fills with what look like appropriate log messages and a Success result from the AD server, then the above message is displayed. Running the tarantella config list | grep login command produced the following output:

      login-ad-base-domain:  same domain as above
      login-ad-default-domain: ""
      login-ldap-thirdparty-ens: 1
      login-ldap-thirdparty-profile: 1
      login-thirdparty-ens: 0
      login-thirdparty-nonens: 0
      login-thirdparty-superusers:  sgd_trusted_user
      login-web-tokenvalidity: 180
      server-login: enabled


      Any ideas?

        • 1. Re: SGD 4.7 - Cannot enable Active Directory authentication

          Problems can be:

          • Incorrect domain
          • Name resolution fails: the OSGD server must be able to resolve the global catalog server
          • Timeserver: the OSGD server must have the same time as the AD
          • Wrong /etc/krb5.conf

          Global Catalog Server

          Check if the domain has a global catalog server:

          nslookup -query=any _gc._tcp.DOMAIN_lowercase

          Example for domain TBSOL.DE:

          [root@tab-ol5u7-SGD1dev-adm tmp]# nslookup -query=any _gc._tcp.tbsol.de

          Non-authoritative answer:
          _gc._tcp.tbsol.de       service = 0 100 3268 office-ad.tbsol.de.

          Authoritative answers can be found from:
          tbsol.de        nameserver = office-ad.tbsol.de.
          office-ad.tbsol.de      internet address =

          Kerberos Layer

          Simple Kerberos file:

          [libdefaults]
            default_realm = TBSOL.DE
            default_tkt_enctypes = rc4-hmac
            default_tgs_enctypes = rc4-hmac

          [realms]
            TBSOL.DE = {
              kdc = office-ad.tbsol.de
              admin_server = office-ad.tbsol.de
            }

          [domain_realm]
            .tbsol.de = TBSOL.DE
            tbsol.de = TBSOL.DE


          The format (tabs and spaces) of the Kerberos file is not relevant.

          (Other experience: after correcting the format of the Kerberos file, pwd change works!)

          Use kinit to test the Kerberos file.

          Tarantella needs a restart if this file is changed.



          The OSGD documentation mentions in "Active Directory Password Expiry" to set

          kpasswd_protocol = SET_CHANGE

          This was not needed in these tests.


          Login check via kinit

          kinit <userprincipalname>@DOMAIN_uppercase

          Example of kinit:

          [root@tab-ol5u7-SGD1dev-adm tmp]# kinit tbasien@TBSOL.DE; echo $?
          Password for tbasien@TBSOL.DE:
          kinit(v5): Preauthentication failed while getting initial credentials

          [root@tab-ol5u7-SGD1dev-adm tmp]# kinit tbasien@TBSOL.DE; echo $?
          Password for tbasien@TBSOL.DE:

          [root@tab-ol5u7-SGD1dev-adm tmp]#

          Check password change with kpasswd

          [root@tab-ol5u7-SGD1dev-adm log]# kpasswd jperez@TBSOL.DE
          Password for jperez@TBSOL.DE:
          Enter new password:
          Enter it again:
          Password changed.

          Check password change on AD request

          Mark the user in the AD so that he has to change his password at the next login.

          [root@tab-ol5u7-SGD2dev-adm tmp]# kinit jperez@TBSOL.DE
          Password for jperez@TBSOL.DE:
          Password expired.  You must change it now.
          Enter new password:
          Enter it again:
          [root@tab-ol5u7-SGD2dev-adm tmp]# kinit jperez@TBSOL.DE
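A small preflight script, added here as an example (it is not code from the thread, from Oracle SGD or from tbasien), that automates the checks above: it parses the nslookup SRV answer for the global catalog, verifies that a krb5.conf carries the default realm, a kdc for that realm and the domain-to-realm mapping, and compares two clock readings against the 300 s skew that krb5 tolerates by default. The sample nslookup output and krb5.conf embedded in it are constructed from the examples in this reply; the function names (gc_srv_target, krb5_check, skew_ok, sgd_ad_preflight) are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: offline preflight for the four causes
# listed above (domain, name resolution, time, krb5.conf).
# Function names are the example's own; sample data is constructed from the reply.

# Parse nslookup's SRV answer for _gc._tcp.<domain> on stdin and print
# "host port" of the first global catalog server listed.
gc_srv_target() {
    awk '/service *=/ {
            host = $NF; sub(/\.$/, "", host)   # drop the trailing dot
            print host, $(NF - 1)              # the port precedes the target host
            exit
        }'
}

# Check that FILE has what SGD needs for REALM (uppercase) and DOMAIN (lowercase):
# default_realm, a [realms] block with a kdc, and a [domain_realm] mapping.
# Prints each missing piece; returns 1 if anything is missing.
krb5_check() {
    file=$1 realm=$2 domain=$3 rc=0
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots in the regex
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$file" \
        || { echo "missing: default_realm = $realm"; rc=1; }
    awk -v r="$realm" '
        $1 == r && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && /^[[:space:]]*}/           { inblk = 0 }
        inblk && $1 == "kdc"               { found = 1 }
        END { exit !found }' "$file" \
        || { echo "missing: kdc entry for $realm under [realms]"; rc=1; }
    grep -Eq "^[[:space:]]*\.?$esc[[:space:]]*=[[:space:]]*$realm[[:space:]]*$" "$file" \
        || { echo "missing: [domain_realm] mapping $domain = $realm"; rc=1; }
    return $rc
}

# krb5 rejects requests when client and KDC clocks differ by more than its
# default clockskew of 300 s. Arguments are two epoch-second readings.
skew_ok() {
    d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le 300 ]
}

# Live preflight for a real host (needs DNS and the AD server); the offline
# demo below does not call it.  Usage: sgd_ad_preflight tbsol.de TBSOL.DE
sgd_ad_preflight() {
    domain=$1 realm=$2 conf=${3:-/etc/krb5.conf}
    gc=$(nslookup -query=srv "_gc._tcp.$domain" | gc_srv_target)
    if [ -z "$gc" ]; then echo "no _gc._tcp SRV record for $domain"; return 1; fi
    echo "global catalog: $gc"
    krb5_check "$conf" "$realm" "$domain"
}

# --- offline demo on constructed sample data (mirrors the reply's output) ---
SAMPLE_NSLOOKUP='Non-authoritative answer:
_gc._tcp.tbsol.de       service = 0 100 3268 office-ad.tbsol.de.
Authoritative answers can be found from:
tbsol.de        nameserver = office-ad.tbsol.de.'

SAMPLE_KRB5=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5"' EXIT
cat >"$SAMPLE_KRB5" <<'EOF'
[libdefaults]
  default_realm = TBSOL.DE
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac
[realms]
  TBSOL.DE = {
    kdc = office-ad.tbsol.de
    admin_server = office-ad.tbsol.de
  }
[domain_realm]
  .tbsol.de = TBSOL.DE
  tbsol.de = TBSOL.DE
EOF

printf '%s\n' "$SAMPLE_NSLOOKUP" | gc_srv_target     # office-ad.tbsol.de 3268
krb5_check "$SAMPLE_KRB5" TBSOL.DE tbsol.de && echo "krb5.conf: ok"
```

Run it as-is to see the parser and the krb5.conf check work on the sample data; on the SGD host itself, source the file and call sgd_ad_preflight with the lowercase DNS domain and the uppercase realm. A non-zero exit from krb5_check names the missing piece, which is the same information the "No Login authorities are available" message hides. The clock check is deliberately separate because it needs a time source you trust; feed it `date +%s` on the SGD host and the KDC's time as read from the domain controller.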


          • 2. Re: SGD 4.7 - Cannot enable Active Directory authentication

            Thanks tbasien,

            The nslookup was successful, as well as kinit and kpasswd. I should note that the host authenticates to the AD domain (through pam), so the Kerberos infrastructure was already set up.

            One thing I did not have was a link to krb5.conf in /opt/tarantella/bin/jre/lib/security. I have added that, and restarted sgd. Now, when I try to authenticate, I get the following log output:

                 Attempted login for rday@domain
                 using disambiguation attributes {}.

            And then nothing else. My guess is that there is a Kerberos issue, but I can't figure out a way to get that logged...

            Thanks again for the assistance!