Joining Ubuntu 14.04 LTS to Active Directory using realm, sssd and adcli


I am setting up a new network with a Windows 2012 machine running AD DS. I have several Ubuntu 14.04 servers that I want to join to the domain for authentication. I have already managed to do this on one of the servers using realmd, sssd and adcli, which was very straightforward.

However, on at least 2 other servers I cannot get the same setup to work. The biggest difference between them is that they are in different subnets. I have checked:
- routing
- DNS
- disabling the firewall and all firewall rules on the DC.

I can successfully kinit, but joining with adcli claims it cannot contact the KDC.

Hopefully you can point out my mistake.

Kind regards

root@lb02:~# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ea:a5:b6 brd ff:ff:ff:ff:ff:ff
inet ***.***.***.**/** brd ***.***.***.*** scope global net
   valid_lft forever preferred_lft forever
inet6 ....
3: www: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:70:11:86 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global www
   valid_lft forever preferred_lft forever
inet6 ....

root@lb02:~# cat /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = ACME.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
ACME.COM = {
        kdc = ad01.acme.com
        admin_server = ad01.acme.com
        default_domain = ACME.COM
}

[domain_realm]
.acme.com = ACME.COM
acme.com = ACME.COM

root@lb02:~# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/08/2015 16:19:55  07/09/2015 02:19:55  krbtgt/[email protected]
        renew until 07/09/2015 16:19:52

root@lb02:~# dig -t SRV _kerberos._tcp.acme.com

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._tcp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.acme.com.    IN      SRV

;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600 IN      SRV     0 100 88 ad01.acme.com.

;; ADDITIONAL SECTION:
ad01.acme.com.       3600    IN      A       10.2.4.1

;; Query time: 2 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:24:43 CEST 2015
;; MSG SIZE  rcvd: 107

root@lb02:~# dig -t SRV _kerberos._udp.acme.com

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._udp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.acme.com.    IN      SRV

;; ANSWER SECTION:
_kerberos._udp.acme.com. 600 IN      SRV     0 100 88 ad01.acme.com.

;; ADDITIONAL SECTION:
ad01.acme.com.       3600    IN      A       10.2.4.1

;; Query time: 1 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:46:25 CEST 2015
;; MSG SIZE  rcvd: 107

root@lb02:~# ping -c4 ad01.acme.com

PING ad01.acme.com (10.2.4.1) 56(84) bytes of data.
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=1 ttl=127 time=0.651 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=2 ttl=127 time=0.620 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=3 ttl=127 time=0.721 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=4 ttl=127 time=0.750 ms

--- ad01.acme.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.620/0.685/0.750/0.058 ms

C:\Users\Administrator>ping lb02

Pinging lb02.acme.com [10.2.1.2] with 32 bytes of data:
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63

Ping statistics for 10.2.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

kvanhagen@lb02:~$ telnet ad01.acme.com 88

Trying 10.2.4.1...
Connected to ad01.acme.com.

root@lb02:~# realm --membership-software=adcli discover acme.com

acme.com
  type: kerberos
  realm-name: ACME.COM
  domain-name: acme.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

root@lb02:~# realm --verbose join acme.com

 * Resolving: _ldap._tcp.acme.com
 * Performing LDAP DSE lookup on: 10.2.4.1
 * Successfully discovered: acme.com
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain acme.com --domain-realm ACME.COM --domain-controller 10.2.4.1 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-MCBF1X
 * Using domain name: acme.com
 * Calculated computer account name from fqdn: LB02
 * Using domain realm: acme.com
 * Sending netlogon pings to domain controller: cldap://10.2.4.1
 * Received NetLogon info from: ad01.acme.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-v7Y0Pg/krb5.d/adcli-krb5-conf-eJg20h
 * Looked up short domain name: ACME
 * Using fully qualified name: lb02
 * Using domain name: acme.com
 * Using computer account name: LB02
 * Using domain realm: acme.com
 * Calculated computer account name from fqdn: LB02
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: lb02
 * Using domain name: acme.com
 * Using computer account name: LB02
 * Using domain realm: acme.com
 * Looked up short domain name: ACME
 * Found computer account for LB02$ at: CN=LB02,CN=Computers,DC=acme,DC=com
 ! Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
adcli: joining domain acme.com failed: Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
 ! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
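The checks in the post cover DNS and the KDC port 88, but the join fails at the step where adcli sets the computer account's password, and that request goes to the Kerberos password-change service (kpasswd, port 464) rather than to the KDC port. The script below is an added example for this thread, not the poster's own tooling or part of realmd/adcli: it resolves the SRV records an AD join consults (_kerberos, _kpasswd and _ldap), falls back to a given DC address when a record is missing, and reports which of the required TCP ports are actually reachable from the client. The realm name acme.com and DC address 10.2.4.1 are taken from the post; `dig` is assumed to be installed, as it is on lb02.

```python
#!/usr/bin/env python3
"""Check the SRV records and TCP ports an Active Directory join needs.

Added example, not from the original post. Assumes `dig` is available and
that the DC is reachable over IPv4. Realm and DC address default to the
values shown in the post (acme.com / 10.2.4.1).
"""
import shutil
import socket
import subprocess
import sys
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# SRV names consulted during a join, with the port to try when no record exists.
JOIN_SERVICES = [
    ("_kerberos._tcp", 88),  # KDC: AS/TGS exchange (kinit already works in the post)
    ("_kpasswd._tcp", 464),  # kpasswd: used when adcli sets the computer password
    ("_ldap._tcp", 389),     # LDAP: locating and updating the computer object
]
EXTRA_PORTS = [445]  # SMB on the DC, used by the samba-common side of the join


def parse_srv(dig_short_output):
    """Parse `dig +short -t SRV` lines ("0 100 88 ad01.acme.com.") into
    SrvRecords, ordered by priority, then by descending weight."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    records.sort(key=lambda r: (r.priority, -r.weight))
    return records


def lookup_srv(name):
    """Run `dig +short` for an SRV name; empty string if dig is missing or fails."""
    if shutil.which("dig") is None:
        return ""
    proc = subprocess.run(["dig", "+short", "-t", "SRV", name],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout if proc.returncode == 0 else ""


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_checks(records_by_service, fallback_dc):
    """Build (label, host, port) tuples: every SRV target found, or the
    fallback DC on the service's default port when the record is absent."""
    checks = []
    for service, default_port in JOIN_SERVICES:
        recs = records_by_service.get(service, [])
        if recs:
            checks.extend((service, r.target, r.port) for r in recs)
        else:
            checks.append((service + " (no SRV record, fallback DC)", fallback_dc, default_port))
    for port in EXTRA_PORTS:
        checks.append(("smb", fallback_dc, port))
    return checks


def run(domain, fallback_dc):
    """Resolve, connect and print one line per check; returns the results."""
    records = {svc: parse_srv(lookup_srv(f"{svc}.{domain}")) for svc, _ in JOIN_SERVICES}
    results = []
    for label, host, port in plan_checks(records, fallback_dc):
        ok = tcp_reachable(host, port)
        results.append((label, host, port, ok))
        print(f"{'OK  ' if ok else 'FAIL'} {label:42s} {host}:{port}")
    return results


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "acme.com"
    dc = sys.argv[2] if len(sys.argv) > 2 else "10.2.4.1"
    failed = [r for r in run(domain, dc) if not r[3]]
    sys.exit(1 if failed else 0)
```

Run it as `python3 adjoin_check.py acme.com 10.2.4.1` on the client that fails to join: a FAIL on the kpasswd line while the kerberos line is OK matches the error in the post, and points at whatever sits between the two subnets (routing or a firewall rule) allowing 88 but not 464.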
