Samba4 网络加入成员失败

Samba4 网络加入成员失败

我正在尝试使用 samba4 将 RHEL6 服务器加入域。Net ads join 可以正常工作,但 join member 却不行。实际上 wbinfo --getdcname 不起作用,而 wbinfo --dsgetdcname 可以。

如果能够阐明这些命令之间的区别,那将会非常有帮助。

在 Samba3 上加入成功,并且按预期工作,除了嵌套组

[root@sent-test-smg2 - (11:51:01) samba]#  net join member -U smg
Enter smg's password:
Failed to join domain: failed to find DC for domain member
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain SENT
Unable to find a suitable server for domain SENT

[root@sent-test-smg2 - (11:52:29) samba]#  net ads info
LDAP server: 10.74.160.8
LDAP server name: SENTVMDC2.Sent.local
Realm: SENT.LOCAL
Bind Path: dc=SENT,dc=LOCAL
LDAP port: 389
Server time: Fri, 04 Jul 2014 11:57:49 IST
KDC server: 10.74.160.8
Server time offset: 0

[root@sent-test-smg2 - (11:57:49) samba]#  wbinfo --online-status
BUILTIN : online
SENT-TEST-SMG2 : online
SENT : offline

[root@sent-test-smg2 - (11:59:28) samba]#  wbinfo --getdcname=SENT.LOCAL
Could not get dc name for SENT.LOCAL

[root@sent-test-smg2 - (11:59:42) samba]#  wbinfo -P
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

[root@sent-test-smg2 - (12:02:02) samba]#  wbinfo --dsgetdcname=sent.local
SENTVMDC2.Sent.local
\\10.74.160.8
1
f170eb24-d9f3-44cb-b622-02765ed83ed7
Sent.local
Sent.local
0xe00031fc
Ballycoolin
Ballycoolin

[root@sent-test-smg2 - (12:02:22) samba]#  wbinfo --getdcname=sent.local
Could not get dc name for sent.local

smb.conf:

[global]
   workgroup = SENT
   password server = *
   realm = SENT.LOCAL
   security = ads
   idmap config * : range = 10000-50000000
   winbind separator = +
   template homedir = /home/domain/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false
   preferred master = no
   allow trusted domains = no
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
   winbind expand groups = 10000
   server string = Linux Server
   interfaces = eth0
   bind interfaces only = yes
   strict locking = no
   wins server = 192.168.0.6
   idmap cache time = 1
   idmap negative cache time = 1
   winbind cache time = 1   
   idmap config * : range = 10000-50000000
   idmap config * : backend = rid
   idmap config SENT : range = 10000-50000000
   idmap config SENT : default = yes 
   idmap config SENT : backend = rid

配置文件

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SENT.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SENT.LOCAL = {
  kdc = 192.168.0.6:88
  admin_server = 192.168.0.6:749
  kdc = *
 }

[domain_realm]
 SENT.LOCAL = SENT.LOCAL
 .SENT.LOCAL = SENT.LOCAL

 sent.local = SENT.LOCAL
 .sent.local = SENT.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

从 10 点调试的 winbind 日志文件中:

[2014/07/04 12:23:38.900108,  1, pid=12682, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       wbint_PingDc: struct wbint_PingDc
          out: struct wbint_PingDc
              dcname                   : *
                  dcname                   : NULL
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.900835, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:712(wb_request_done)
  wb_request_done[12705:PING_DC]: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.901001, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[12705:PING_DC]: delivered response to client
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

但后来似乎很清楚地知道了 DC 在哪里:

[2014/07/04 12:23:39.044514,  9, pid=12707, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
  check_negative_conn_cache returning result 0 for domain SENT.LOCAL server 10.74.160.8
[2014/07/04 12:23:39.044732,  5, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:270(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.74.160.8 (realm: SENT.LOCAL)
[2014/07/04 12:23:39.046454,  1, pid=12707, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:245(ndr_print_debug)
       &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
          command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
          sbz                      : 0x0000 (0)
          server_type              : 0x000031fc (12796)
                 0: NBT_SERVER_PDC           
                 1: NBT_SERVER_GC            
                 1: NBT_SERVER_LDAP          
                 1: NBT_SERVER_DS            
                 1: NBT_SERVER_KDC           
                 1: NBT_SERVER_TIMESERV      
                 1: NBT_SERVER_CLOSEST       
                 1: NBT_SERVER_WRITABLE      
                 0: NBT_SERVER_GOOD_TIMESERV 
                 0: NBT_SERVER_NDNC          
                 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
                 1: NBT_SERVER_FULL_SECRET_DOMAIN_6
                 1: NBT_SERVER_ADS_WEB_SERVICE
                 0: NBT_SERVER_HAS_DNS_NAME  
                 0: NBT_SERVER_IS_DEFAULT_NC 
                 0: NBT_SERVER_FOREST_ROOT   
          domain_uuid              : f170eb24-d9f3-44cb-b622-02765ed83ed7
          forest                   : 'Sent.local'
          dns_domain               : 'Sent.local'
          pdc_dns_name             : 'SENTVMDC2.Sent.local'
          domain_name              : 'SENT'
          pdc_name                 : 'SENTVMDC2'
          user_name                : ''
          server_site              : 'Ballycoolin'
          client_site              : 'Ballycoolin'
          sockaddr_size            : 0x00 (0)
          sockaddr: struct nbt_sockaddr
              sockaddr_family          : 0x00000000 (0)
              pdc_ip                   : (null)
              remaining                : DATA_BLOB length=0
          next_closest_site        : NULL
          nt_version               : 0x00000005 (5)
                 1: NETLOGON_NT_VERSION_1    
                 0: NETLOGON_NT_VERSION_5    
                 1: NETLOGON_NT_VERSION_5EX  
                 0: NETLOGON_NT_VERSION_5EX_WITH_IP
                 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
                 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
                 0: NETLOGON_NT_VERSION_PDC  
                 0: NETLOGON_NT_VERSION_IP   
                 0: NETLOGON_NT_VERSION_LOCAL
                 0: NETLOGON_NT_VERSION_GC   
          lmnt_token               : 0xffff (65535)
          lm20_token               : 0xffff (65535)
[2014/07/04 12:23:39.049085, 10, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/sitename_cache.c:70(sitename_store)
  sitename_store: realm = [SENT], sitename = [Ballycoolin], expire = [2085923199]

答案1

不管怎么说,我刚刚遇到了同样的问题,解决方案是 RHEL6 服务器使用的 DNS 服务器包含过时的信息。区域中的信息与_msdcs.DOMAIN当前设置不匹配,导致加入失败。刷新所有 DNS 服务器和本地 DNS 缓存后,加入工作正常。它可能也会在 24 小时后自行解决,这是缓存时间。

相关内容