我有几台已集成到 AD 的 Linux 服务器。其中一台加入域时没有报错，但它无法对任何 AD 用户进行身份验证。
你能帮我看看吗？相关日志和配置文件如下：
[root@oracleLinux72 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Only realm lookup via DNS is disabled here; the realm is pinned by default_realm below.
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MYDOMAIN.CORP
[realms]
# NOTE(review): there is no entry for MYDOMAIN.CORP in this section and dns_lookup_kdc
# is not set in this file, so KDC discovery presumably relies on DNS or on a snippet
# under /etc/krb5.conf.d/ - confirm the KDCs resolve from this host.
# NOTE(review): the ".example.com = EXAMPLE.COM" mapping lines normally live under a
# [domain_realm] header, which is not visible in this paste - possibly lost when copying.
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@oracleLinux72 ~]# cat /etc/sssd/sssd.conf
# SSSD configuration as pasted from the affected host (single AD domain, nss + pam only).
[sssd]
domains = mydomain.corp
config_file_version = 2
services = nss, pam
[domain/mydomain.corp]
ad_domain = mydomain.corp
krb5_realm = MYDOMAIN.CORP
# NOTE(review): the sssd log below reports "Preauthentication failed" while initializing
# from /etc/krb5.keytab; that points at the host keytab / AD computer account rather than
# at this file - worth comparing the keytab entries (klist -kt) with the account in AD.
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
# NOTE(review): "[email protected]" looks like a value mangled by the paste/extraction;
# the real entry should name the AD group (group@mydomain.corp) - confirm on the host.
simple_allow_groups = [email protected]
[root@oracleLinux72 ~]# systemctl status sssd -l
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2024-04-18 12:48:04 EDT; 48min ago
Main PID: 24148 (sssd)
Memory: 31.8M
CGroup: /system.slice/sssd.service
├─24148 /usr/sbin/sssd -i --logger=files
├─24149 /usr/libexec/sssd/sssd_be --domain mydomain.corp --uid 0 --gid 0 --logger=files
├─24151 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─24152 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Apr 18 13:35:07 oracleLinux72 sssd[ldap_child[31429]][31429]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
谢谢