I followed these instructions: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
The instructions didn't work entirely as written. At one step I didn't get the expected result because samba was stopped and needs to be running (for dns) to get the result shown in the guide, but apart from that everything went as the guide describes, except when I try to join the domain from a vm I created. I currently only have one dc. I created a Fedora Server 35 vm that I'll add as another dc once I get it working on its own, because that's how I actually want to use it.
$ realm join test-server.lan -U Administrator
Password for Administrator:
See: journalctl REALMD_OPERATION=r1171585.2732805
realm: Couldn't join realm: Failed to join the domain
$ journalctl REALMD_OPERATION=r1171585.2732805
-- Journal begins at Fri 2021-10-01 15:39:25 EDT, ends at Mon 2021-10-04 22:26:45 EDT. --
Oct 04 22:24:21 fedora realmd[2732808]: * Resolving: _ldap._tcp.test-server.lan
Oct 04 22:24:21 fedora realmd[2732808]: * Performing LDAP DSE lookup on: 10.0.0.10
Oct 04 22:24:21 fedora realmd[2732808]: * Successfully discovered: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Oct 04 22:24:30 fedora realmd[2732808]: * LANG=C /usr/sbin/adcli join --verbose --domain test-server.lan --domain-realm TEST-SERVER.LAN --domain-controller 10.0.0.10 --login-type user --login-user Administrator --stdin-password
Oct 04 22:24:30 fedora realmd[2732808]: * Using domain name: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]: * Calculated computer account name from fqdn: FEDORA
Oct 04 22:24:30 fedora realmd[2732808]: * Using domain realm: test-server.lan
Oct 04 22:24:30 fedora realmd[2732808]: * Sending NetLogon ping to domain controller: 10.0.0.10
Oct 04 22:24:46 fedora realmd[2732808]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-OMYnX1/krb5.d/adcli-krb5-conf-lTV3xU
Oct 04 22:24:46 fedora realmd[2732808]: ! Couldn't authenticate as: [email protected]: Client '[email protected]' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]: adcli: couldn't connect to test-server.lan domain: Couldn't authenticate as: [email protected]: Client '[email protected]' not found in Kerberos database
Oct 04 22:24:46 fedora realmd[2732808]: ! Failed to join the domain
/etc/samba/smb.conf:
# Global parameters
[global]
dns forwarder = 10.0.0.1
netbios name = FS34
realm = TEST-SERVER.LAN
server role = active directory domain controller
workgroup = TEST-SERVER
idmap_ldb:use rfc2307 = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test-server.lan/scripts
read only = No
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff
[Photos]
comment = Photos
path = /multimedia/Photos
browseable = Yes
read only = No
inherit acls = Yes
[Videos]
comment = Videos
path = /multimedia/Videos
browseable = Yes
read only = No
inherit acls = Yes
[Movies]
comment = Videos
path = /multimedia/Movies
browseable = Yes
read only = No
inherit acls = Yes
[Music]
comment = Videos
path = /multimedia/Music
browseable = Yes
read only = No
inherit acls = Yes
[seagate]
comment = Videos
path = /media/seagate
browseable = Yes
read only = No
inherit acls = Yes
/etc/krb5.conf:
[libdefaults]
default_realm = TEST-SERVER.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
[realms]
TEST-SERVER.LAN = {
default_domain = test-server.lan
kdc = test-server.lan
}
[domain_realm]
fs34 = TEST-SERVER.LAN
dc01 = TEST-SERVER.LAN
.test-server = TEST-SERVER.LAN
.test-server.lan = TEST-SERVER.LAN
dc01.test-server.lan = TEST-SERVER.LAN
I can access the shares and have already mounted them (as a user I added).
//test-server.lan/Photos 2.7T 1.8T 926G 66% /home/user/mnt/Photos
//test-server.lan/Videos 2.8T 1.9T 926G 68% /home/user/mnt/Videos
//test-server.lan/Movies 2.8T 1.9T 926G 68% /home/user/mnt/Movies
# smbclient -L test-server.lan -U user
Enter TEST-SERVER\user's password:
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
Photos Disk Photos
Videos Disk Videos
Movies Disk Videos
Music Disk Videos
seagate Disk Videos
IPC$ IPC IPC Service (Samba 4.14.7)
SMB1 disabled -- no workgroup available