I am setting up a new network with a Windows 2012 machine running AD DS. I have several Ubuntu 14.04 machines that I want to join to the domain for authentication. I have managed to do this on one of the servers using realmd, sssd and adcli, and it was very straightforward.
However, on at least 2 other servers I cannot get the same setup to work. The biggest difference between them is that they are on different subnets. I have checked: routing, DNS, and disabling the firewall and all firewall rules on the DC.
I can successfully issue a kinit, but the join with adcli claims it cannot contact the KDC.
I hope you can point out my mistake.
Kind regards
root@lb02:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ea:a5:b6 brd ff:ff:ff:ff:ff:ff
inet ***.***.***.**/** brd ***.***.***.*** scope global net
valid_lft forever preferred_lft forever
inet6 ....
3: www: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:70:11:86 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global www
valid_lft forever preferred_lft forever
inet6 ....
root@lb02:~# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = ACME.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = trye
[realms]
ACME.COM = {
kdc = ad01.acme.com
admin_server = ad01.acme.com
default_domain = ACME.COM
}
[domain_realm]
.acme.com = ACME.COM
acme.com = ACME.COM
root@lb02:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/08/2015 16:19:55 07/09/2015 02:19:55 krbtgt/[email protected]
renew until 07/09/2015 16:19:52
root@lb02:~# dig -t SRV _kerberos._tcp.acme.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._tcp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.acme.com. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
;; ADDITIONAL SECTION:
ad01.acme.com. 3600 IN A 10.2.4.1
;; Query time: 2 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:24:43 CEST 2015
;; MSG SIZE rcvd: 107
root@lb02:~# dig -t SRV _kerberos._udp.acme.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._udp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.acme.com. IN SRV
;; ANSWER SECTION:
_kerberos._udp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
;; ADDITIONAL SECTION:
ad01.acme.com. 3600 IN A 10.2.4.1
;; Query time: 1 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:46:25 CEST 2015
;; MSG SIZE rcvd: 107
root@lb02:~# ping -c4 ad01.acme.com
PING ad01.acme.com (10.2.4.1) 56(84) bytes of data.
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=1 ttl=127 time=0.651 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=2 ttl=127 time=0.620 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=3 ttl=127 time=0.721 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=4 ttl=127 time=0.750 ms
--- ad01.acme.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.620/0.685/0.750/0.058 ms
C:\Users\Administrator>ping lb02
Pinging lb02.acme.com [10.2.1.2] with 32 bytes of data:
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Ping statistics for 10.2.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
kvanhagen@lb02:~$ telnet ad01.acme.com 88
Trying 10.2.4.1...
Connected to ad01.acme.com.
root@lb02:~# realm --membership-software=adcli discover acme.com
acme.com
type: kerberos
realm-name: ACME.COM
domain-name: acme.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@lb02:~# realm --verbose join acme.com
* Resolving: _ldap._tcp.acme.com
* Performing LDAP DSE lookup on: 10.2.4.1
* Successfully discovered: acme.com
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain acme.com --domain-realm ACME.COM --domain-controller 10.2.4.1 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-MCBF1X
* Using domain name: acme.com
* Calculated computer account name from fqdn: LB02
* Using domain realm: acme.com
* Sending netlogon pings to domain controller: cldap://10.2.4.1
* Received NetLogon info from: ad01.acme.com
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-v7Y0Pg/krb5.d/adcli-krb5-conf-eJg20h
* Looked up short domain name: ACME
* Using fully qualified name: lb02
* Using domain name: acme.com
* Using computer account name: LB02
* Using domain realm: acme.com
* Calculated computer account name from fqdn: LB02
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Using fully qualified name: lb02
* Using domain name: acme.com
* Using computer account name: LB02
* Using domain realm: acme.com
* Looked up short domain name: ACME
* Found computer account for LB02$ at: CN=LB02,CN=Computers,DC=acme,DC=com
! Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
adcli: joining domain acme.com failed: Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
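The checks in the post only cover the KDC on port 88; as an added example (not from the post or from realmd/adcli), the script below parses `dig -t SRV` output, reports which of the SRV records an AD join relies on are missing (including `_kpasswd`, port 464, which the computer-account password step uses), and probes TCP reachability of each record's target. Names such as `JOIN_SERVICES`, `parse_srv` and the constructed `SAMPLE_DIG` are this example's own.

```python
import re
import socket
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# SRV names an AD join touches. adcli's "set password for computer account"
# step talks to the kpasswd service (port 464), so a KDC reachable on 88
# alone is not enough. (Assumption: the join host must reach every target.)
JOIN_SERVICES = ("_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
                 "_kpasswd._udp", "_ldap._tcp")

# Matches answer lines as dig prints them, e.g.
# "_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com."
SRV_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?\s*$")

# Constructed sample in dig's format, modelled on the post's output.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
_kpasswd._tcp.acme.com. 600 IN SRV 0 100 464 ad01.acme.com.
"""

def parse_srv(dig_output: str) -> list:
    """Extract SRV records from dig's text output (comment lines are skipped)."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m and not line.startswith(";"):
            records.append(SrvRecord(m["name"], int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"]))
    return records

def missing_services(records: list, domain: str) -> list:
    """SRV names from JOIN_SERVICES that have no record under `domain`."""
    present = {r.name.lower() for r in records}
    return [s for s in JOIN_SERVICES if f"{s}.{domain}".lower() not in present]

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_records(records: list) -> dict:
    """(target, port) -> reachable, for TCP records only (UDP is not probed)."""
    return {(r.target, r.port): tcp_reachable(r.target, r.port)
            for r in records if "._tcp." in r.name}

def open_listener() -> tuple:
    """Bind an ephemeral loopback port so tcp_reachable can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Run it against the live output of `dig -t SRV _kpasswd._tcp.<domain>` and the other names in `JOIN_SERVICES`; a record that resolves but whose port is unreachable from the subnet in question points at a path or filtering problem between that subnet and the DC.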