[KB3726] Configure LDAP to allow for Static Group synchronization on ERA virtual appliance (6.x)

Issue

End of support for versions 6.3, 6.2 and 6.1

These products no longer receive detection engine updates. No technical support or patches are available for these versions. Basic support may continue, but is not guaranteed. Documentation is not created or updated.

  • Cannot configure the ESET Remote Administrator appliance to join a domain

Figure 1-1

Version 6.3 and earlier only!

The steps below only apply to version 6.3 and earlier. For more information on how to configure ERA appliance 6.4 and later to join a domain, read the instructions in Online Help.


Solution

This issue is most likely the result of an incorrectly configured ovf.xml file.

To resolve this issue, open the appliance-configuration-log.txt file to examine the exact error message. To do so on your Virtual appliance, follow the steps below:

  1. Enter management mode by pressing the Enter key on your keyboard.

  2. You will be prompted for your password. Type the password you specified during deployment and press Enter.

Figure 1-2

  3. Choose Exit console using the arrow keys and press Enter.

Figure 1-3

  4. Type nano appliance-configuration-log.txt as root in the terminal and press Enter to open appliance-configuration-log.txt in the Nano editor. Look for error messages that indicate what is causing the issue.

Figure 1-4

If you are using ESET Remote Administrator 6.1.28 or later

See /root/help-with-domain.txt on your Virtual appliance for more information. The steps are similar to viewing the appliance configuration log file (as described above): use the nano help-with-domain.txt command.

Follow the steps below to troubleshoot the issue:

A. Verify that the parameters you entered in the ovf.xml file during configuration of the appliance are correct. For example, if you are joining the domain 'yourdomain.com', the configuration parameters for the ERA Server Virtual appliance would be:

  • Hostname: "eraserver.yourdomain.com". It is important that the hostname is an FQDN.
  • Windows Domain: "yourdomain.com". It is important to have at least one '.' character as a delimiter in the domain name. The automation script takes the first token ('yourdomain' in this case) and writes it, in uppercase, as the workgroup in /etc/samba/smb.conf.
  • Windows Domain Controller: "Win2008DC.yourdomain.yourdomain.com". The FQDN of a domain controller, not an IP address.
  • Windows Domain Administrator: "Administrator". With this login and the password below, you should be able to log in to the domain controller without problems and make administrative changes.
  • Windows Domain Administrator Password: "xxxxx". The password for the Administrator account.
  • DNS: the IP address of the domain controller. Set this if the default DNS server cannot resolve hostnames for the domain specified above. This parameter ties the appliance to the DNS server on the domain controller.

If you are sure that all parameters are correct, check whether the configuration generated by the automation script is correct.

B. Check the following configuration files:

  • Hosts file: /etc/hosts should correctly map the domain controller name to its IP address.
  • Kerberos configuration: /etc/krb5.conf should be correctly generated. Check that 'kinit ' works.
  • Crontab configuration: /etc/crontab should contain a record for regular time updates against the domain controller.
  • Samba configuration: /etc/samba/smb.conf should be correctly generated.

If all configuration files are correct, then proceed with manual domain join.

C. Join the domain manually:

  1. Call 'net ads join -U Administrator%' to join the domain. If it succeeds, you should see the computer account created on the domain controller.
  2. Start 'service winbind start'.
  3. Start 'service nmb start'.
  4. Start 'service smb start'.
  5. Verify that you can ping Winbind using 'wbinfo -p'.
  6. Verify that 'wbinfo -u' lists domain users and 'wbinfo -g' lists domain groups.
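As an added example (not ESET's own script or tooling), the following bash script checks the step-A parameters the way the automation script interprets them, derives the workgroup it will write to smb.conf, and verifies the /etc/hosts mapping from step B; the function names and the sample values are constructed for illustration.

```bash
#!/bin/bash
# Added example, not ESET's own script: pre-flight checks for the step-A
# parameters and the step-B hosts mapping. Function names are hypothetical.

# Succeeds if the name contains a '.' delimiter and is not a dotted-quad
# IPv4 address (the domain controller must be given as an FQDN, not an IP).
is_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    if printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        return 1
    fi
    return 0
}

# Reproduces what the automation script writes as the workgroup in
# /etc/samba/smb.conf: the first label of the Windows Domain, uppercased.
workgroup_from_domain() {
    printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# Succeeds if <hosts-file> maps <ip> to <dc-fqdn> (case-insensitive),
# ignoring comment lines. Usage: hosts_maps_dc /etc/hosts dc.fqdn 10.0.0.5
hosts_maps_dc() {
    awk -v dc="$2" -v ip="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(dc)) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Validates Hostname, Windows Domain and Windows Domain Controller, printing
# the first problem found or the workgroup the appliance will use.
validate_params() {
    local host="$1" domain="$2" dc="$3"
    is_fqdn "$host"   || { echo "Hostname must be an FQDN: $host"; return 1; }
    is_fqdn "$domain" || { echo "Windows Domain needs a '.' delimiter: $domain"; return 1; }
    is_fqdn "$dc"     || { echo "Domain Controller must be an FQDN, not an IP: $dc"; return 1; }
    echo "OK: workgroup will be $(workgroup_from_domain "$domain")"
}

# Demo with the article's sample values (constructed, not a real domain).
validate_params "eraserver.yourdomain.com" "yourdomain.com" "Win2008DC.yourdomain.yourdomain.com"
```

Run it on the appliance with the values from your ovf.xml, then compare the printed workgroup with the workgroup line in /etc/samba/smb.conf.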


ERA Server uses the commands 'kinit' and 'ldapsearch' to browse through active directory and 'wbinfo' and 'ntlm_auth' to perform domain authentication. If these commands work, then you have successfully joined your domain.