Couldn't join realm: Insufficient permissions to join the domain

When I try to join a Linux machine to AD, I get the following error:

$ realm join proxmox.local --computer-ou="CN=TEST,CN=Computers,DC=proxmox" --verbose

* Resolving: _ldap._tcp.proxmox.local
 * Resolving: proxmox.local
 * Performing LDAP DSE lookup on: 192.168.1.131
 * Successfully discovered: proxmox.local
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain proxmox.local --domain-realm PROXMOX.LOCAL --domain-controller 192.168.1.131 --computer-ou CN=TEST,CN=Computers,DC=proxmox --login-type user --login-user Administrator --stdin-password
 * Using domain name: proxmox.local
 * Calculated computer account name from fqdn: TEST
 * Using domain realm: proxmox.local
 * Sending netlogon pings to domain controller: cldap://192.168.1.131
 * Received NetLogon info from: windows.proxmox.local
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-BihhIw/krb5.d/adcli-krb5-conf-PZ0Ypc
 * Authenticated as user: [email protected]
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to proxmox.local domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain

My krb5.conf:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 # default_realm = PROXMOX.LOCAL 
 forwardable = true 
 default_tgs_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
 permitted_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc

[realms]
 PROXMOX.LOCAL = {
   kdc = proxmox.local
   admin_server = proxmox.local
  }

[domain_realm]
 .proxmox.local = PROXMOX.LOCAL
 proxmox.local = PROXMOX.LOCAL

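The error message makes no sense, because I am using the Administrator account and that account has full permissions. Is there any way to debug this issue?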

Answer 1

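I ran into this problem on my home domain, which is set up with Ubuntu 20.04 (including the server with the domain controller on Samba and all domain members). The solution turned out to be very simple. Before you can join successfully, you need to modify the file /etc/hosts to map the IP address to the domain controller host. You can remove these entries after successfully joining the domain, because your new domain member will then be using the DNS from the domain, but until then, I think it is a bit lost. For me, the entries looked similar to this: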

192.168.1.10 primarydc.mydomain.com primarydc
192.168.1.10 primarykrb.mydomain.com primarykrb
