](https://linux22.com/image/1198588/%E5%B0%86%2022.04%20LTS%20%E8%BF%9E%E6%8E%A5%E5%88%B0%20Active%20Directory%EF%BC%9AGSSAPI%20%E9%94%99%E8%AF%AF%20%5B...%5D%EF%BC%88%E5%9C%A8%20Kerberos%20%E6%95%B0%E6%8D%AE%E5%BA%93%E4%B8%AD%E6%9C%AA%E6%89%BE%E5%88%B0%E6%9C%8D%E5%8A%A1%E5%99%A8%EF%BC%89.png)
我正在尝试将我部门的 Ubuntu 计算机连接到我们的活动目录,目前为止,这对其中一些计算机来说运行良好。但是,目前我只能使用最近更新到 22.04 LTS 的计算机(其他大多数计算机仍在使用 20.04 LTS)。显然,该计算机无法正确连接到 AD 域控制器。Systemctl 为我提供了 sssd 服务的以下错误消息:
sssd_be[3807]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
我以前在其他一些计算机上也遇到过此错误消息,通常与 DNS 问题有关。但是,在这种情况下,我找不到任何明显的 DNS 错误。我的域控制器也充当网络中的 DNS 服务器。resolvectl 将域控制器的 IP 输出为当前 DNS 服务器。此外,我可以使用其名称对域控制器进行 ping 操作,nslookup my.domain.controller 给出的输出对我来说似乎很合理。
我仔细检查了/var/log/sssd/sssd_my.domain.log,发现以下可疑行:
(2023-11-14 17:14:17): [be[my.domain]] [get_server_status] (0x1000): [RID#149] Status of server 'my.domain.controller' is 'name resolved'
(2023-11-14 17:14:17): [be[my.domain]] [get_port_status] (0x1000): [RID#149] Port status of port 0 for server 'my.domain.controller' is 'not working'
(2023-11-14 17:14:17): [be[my.domain]] [get_port_status] (0x0080): [RID#149] SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(2023-11-14 17:14:17): [be[my.domain]] [fo_resolve_service_send] (0x0020): [RID#149] No available servers for service 'AD'
[...]
(2023-11-14 17:14:17): [be[my.domain]] [ad_subdomains_refresh_connect_done] (0x0080): [RID#149] No AD server is available, cannot get the subdomain list while offline
(2023-11-14 17:14:17): [be[my.domain]] [be_ptask_done] (0x0040): [RID#149] Task [Subdomains Refresh]: failed with [1432158212]: SSSD is offline
但是,当我使用“realm join -U ad_admin my.domain.controller”加入域时,我没有收到任何错误消息,并且在域控制器端,我看到计算机显然确实加入了我的域。至于 /etc/sssd/sssd.conf 和 /etc/krb5.conf,我使用与其他一切正常的计算机相同的设置,即
cat /etc/sssd/sssd.conf
[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam
[domain/my.domain]
default_shell = /bin/bash
ad_server = my.domain.controller
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MY.DOMAIN
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = my.domain
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
ad_gpo_access_control = permissive
cat /etc/krb5.conf
[libdefaults]
udp_preference_limit = 0
default_realm = MY.DOMAIN
rdns = false
您知道问题可能出在哪里吗?