Problems joining an Active Directory domain

I am trying to join an Ubuntu 14.04 server to a Windows 2003 R2 domain. My admin says that, from the controller's side, it is part of the domain. But SSSD does not seem to start, and the DNS update fails.

I have been following various guides to try to get this working, but have not been able to complete any of them without errors:

Ubuntu Server Guide
千根
网络迷
Fedora SSSD Guide

Discovery seems to work fine:

kyle@Server21:~$ realm discover COMPANYNAME.LOCAL
CompanyName.Local
  type: kerberos
  realm-name: COMPANYNAME.LOCAL
  domain-name: companyname.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
companyname.local
  type: kerberos
  realm-name: COMPANYNAME.LOCAL
  domain-name: companyname.local
  configured: no

realmd says I am joined to the domain too:

kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain

Kerberos authenticates me as administrator:

kyle@Server21:~$ kinit -V administrator
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5

But when it comes to the join itself, the DNS update fails:

kyle@Server21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERVER21' to dns domain 'CompanyName.Local'
No DNS domain configured for server21. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

SSSD still has trouble starting:

kyle@Server21:~$ systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2016-06-22 09:57:57 EDT; 37min ago
  Process: 16027 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=1/FAILURE)

Jun 22 09:57:55 Server21 sssd[16038]: Starting up
Jun 22 09:57:55 Server21 sssd[16041]: Starting up
Jun 22 09:57:55 Server21 sssd[16042]: Starting up
Jun 22 09:57:56 Server21 sssd[be[16043]: Starting up
Jun 22 09:57:57 Server21 sssd[be[16043]: Failed to read keytab [default]: No such file or directory
Jun 22 09:57:57 Server21 sssd[16031]: Exiting the SSSD. Could not restart critical service [COMPANYNAME.LOCAL].
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Control process exited, code=exited status=1
Jun 22 09:57:57 Server21 systemd[1]: Failed to start System Security Services Daemon.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Unit entered failed state.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Failed with result 'exit-code'.

The only part of krb5.conf that applies to me is [libdefaults]:

kyle@Server21:~$ cat /etc/krb5.conf
[libdefaults]
        default_realm = COMAPNYNAME.LOCAL

Although I think there was something else under [realms] in a previous install, I cannot remember what it was. The Fedora guide talks about adding something there when DNS lookup does not work, but does not give enough detail for me to work out exactly what should go there.

My changes to smb.conf:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = COMPANYNAME
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = COMPANYNAME.LOCAL
   security = ads

My sssd.conf:

kyle@Server21:~$ sudo cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = COMPANYNAME.LOCAL

[domain/COMPANYNAME.LOCAL]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u

Since the Ubuntu guide says ownership and permissions matter:

kyle@Server21:~$ sudo ls -la /etc/sssd
total 12
drwx--x--x   2 sssd sssd 4096 Jun 21 14:34 .
drwxr-xr-x 103 root root 4096 Jun 22 10:21 ..
-rw-------   1 root root  172 Jun 21 14:22 sssd.conf

The Ubuntu guide also mentions that the hosts file can cause problems with the DNS update, but I think I followed their example correctly:

kyle@Server21:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       Server21
192.168.XXX.XXX Server21 Server21.COMPANYNAME.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

So where did I go wrong? The domain controller says it is part of the domain. I have installed Apache and OpenSSH and can reach them. But this server still has a lot of work ahead of it, so I want to make sure everything is configured correctly before moving on.


Edit:

Changed the hosts file as suggested on this page; it now looks like this:

kyle@Server21:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       Server21.COMPANYNAME.LOCAL Server21
192.168.11.11   Server21.COMPANYNAME.LOCAL Server21

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

getent now returns:

kyle@Server21:~$ sudo getent hosts Server21
127.0.1.1       Server21.COMPANYNAME.LOCAL Server21 Server21
192.168.11.11   Server21.COMPANYNAME.LOCAL Server21 Server21

net ads join now gives a different error message:

kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.

So far the only suggestion I have found for this error is to make sure the AD server is in resolv.conf and that its IP is the only entry.

kyle@Server21:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.XXX.XXX

Answering the comments:

kyle@Server21:~$ nslookup -type=SRV _ldap._tcp.companyname.local
Server:         192.168.XXX.XXX
Address:        192.168.XXX.XXX#53

_ldap._tcp.companyname.local      service = 0 100 389 companynamedc.companyname.local.

Somewhere along the way SSSD managed to start and is now active, although I am not sure what I did to fix it.
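Before retrying the join, the script below tests offline the things that went wrong in this thread: the /etc/hosts ordering that made `hostname -f` return the short name (the "No DNS domain configured ... Unable to perform DNS Update" message), the sssd.conf mode, the resolver list, and whether /etc/krb5.keytab exists yet (sssd's "Failed to read keytab [default]"). It is an added example in POSIX shell, not code from the original post or from the Samba, SSSD or realmd projects. Paths are the Ubuntu defaults; the hostname and realm are assumed to be passed as arguments, and the live DNS and `net ads testjoin` steps run only when the script is invoked with them.

```shell
#!/bin/sh
# ad-join-preflight.sh (added example). Usage, as root:
#   sh ad-join-preflight.sh Server21.COMPANYNAME.LOCAL COMPANYNAME.LOCAL

# check_hosts_fqdn HOSTSFILE FQDN
# Every non-comment line that mentions the host (FQDN or short name) must
# list the FQDN as the FIRST name: glibc takes the first name on the line as
# the canonical name, so "192.168.11.11 Server21 Server21.COMPANYNAME.LOCAL"
# makes `hostname -f` return "Server21" and Samba cannot build a DNS name.
# Exit 0: all good.  Exit 2: a line has the short name first (or alone).
# Exit 1: no line mentions the host at all.
check_hosts_fqdn() {
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    short=${fqdn%%.*}
    awk -v fqdn="$fqdn" -v short="$short" '
        $1 ~ /^#/ || NF < 2 { next }               # comments, bare addresses
        {
            mentioned = 0
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == fqdn || n == short) mentioned = 1
            }
            if (!mentioned) next
            if (tolower($2) == fqdn) seen = 1; else bad = 1
        }
        END { if (bad) exit 2; if (seen) exit 0; exit 1 }
    ' "$1"
}

# check_perm FILE MODE: exact octal mode match. sssd refuses to start unless
# sssd.conf is 0600 root:root (the listing in the question already has that).
check_perm() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# resolv_nameservers FILE: print nameserver IPs, ignoring comments. On an AD
# member every resolver must be a DC (or forward the _msdcs zone); a stray
# router/ISP resolver is a classic cause of "failed to lookup DC info".
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_keytab FILE: non-empty keytab. With "kerberos method = secrets and
# keytab" it is `net ads join` that writes /etc/krb5.keytab, so this can
# only pass after a successful join.
check_keytab() {
    [ -s "$1" ]
}

preflight() {
    fqdn=$1; realm=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')

    printf 'hostname -f -> %s\n' "$(hostname -f 2>/dev/null || echo '(unresolvable)')"
    rc=0; check_hosts_fqdn /etc/hosts "$fqdn" || rc=$?
    case $rc in
        0) echo "[ok]   /etc/hosts: $fqdn is the canonical name" ;;
        2) echo "[FAIL] /etc/hosts: a line lists the short name before (or without) $fqdn" ;;
        *) echo "[FAIL] /etc/hosts: no entry for $fqdn" ;;
    esac

    if check_perm /etc/sssd/sssd.conf 600; then echo "[ok]   sssd.conf is 0600"
    else echo "[FAIL] sssd.conf must be 0600 (chmod 600 /etc/sssd/sssd.conf)"; fi

    echo "[info] resolvers: $(resolv_nameservers /etc/resolv.conf | tr '\n' ' ')"

    if check_keytab /etc/krb5.keytab; then
        echo "[ok]   /etc/krb5.keytab present:"; klist -k /etc/krb5.keytab 2>/dev/null
    else echo "[warn] no /etc/krb5.keytab yet; sssd cannot start until the join writes it"; fi

    # Live DNS: the AD-specific SRV name plus the plain one queried above.
    if command -v dig >/dev/null 2>&1; then
        for name in "_ldap._tcp.dc._msdcs.$domain" "_ldap._tcp.$domain"; do
            printf '[info] SRV %s -> %s\n' "$name" "$(dig +short SRV "$name" | tr '\n' ' ')"
        done
    fi

    # Post-join confirmation; simply reports failure if the join has not happened.
    if command -v net >/dev/null 2>&1; then net ads testjoin; fi
}

if [ $# -eq 2 ]; then preflight "$@"; fi
```

Run it once before `net ads join -k` and again afterwards: the keytab and `net ads testjoin` lines should flip from warn/fail to ok, and `hostname -f` should print the FQDN. The hosts-file rule applies to the 127.0.1.1 line as well, which is why the edited file in the question changes both lines.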

Answer 1

The problem seems to have been that my admin had already created an entry for this server on the domain controller. That apparently caused a conflict, which led Kerberos to hit the following error when trying to join:

kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.

I am not sure that error is entirely accurate, since my admin says the server has joined his domain and realmd shows that I am joined too:

kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain

The steps I followed to successfully join Kerberos were as follows:

  1. The admin deleted the entry on the domain controller
  2. Re-ran the Kerberos configuration with: sudo dpkg-reconfigure krb5-config
  3. Chose the option in that configuration to explicitly add the domain controller to the [realms] section of krb5.conf
  4. Changed the hostname to make sure a new record was created
  5. Pulled a fresh ticket with kinit
  6. Joined the domain with sudo net ads join -k

End result:

kyle@SERV21:~$ sudo net ads join -k  
Using short domain name -- COMPANYNAME  
Joined 'SERV21' to dns domain 'CompanyName.Local'
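For step 3, this is what an explicit [realms] entry looks like. It is an added example, not the file produced on the author's machine: the KDC hostname companynamedc.companyname.local is taken from the SRV answer in the question, and the [libdefaults] settings beyond default_realm are assumptions (`dns_lookup_kdc = true` keeps SRV discovery as the fallback; `rdns = false` stops Kerberos from reverse-resolving the DC address, which breaks service-ticket names when PTR records are missing or stale). The realm must be spelled exactly as `realm discover` reports it; the krb5.conf pasted in the question reads COMAPNYNAME.LOCAL, which is worth checking first, whether that is a transcription slip or the real file.

```ini
[libdefaults]
        default_realm = COMPANYNAME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false

[realms]
        COMPANYNAME.LOCAL = {
                kdc = companynamedc.companyname.local
                admin_server = companynamedc.companyname.local
        }

[domain_realm]
        .companyname.local = COMPANYNAME.LOCAL
        companyname.local = COMPANYNAME.LOCAL
```

After editing, `kinit -V administrator` should report `Using principal: administrator@COMPANYNAME.LOCAL`, and `klist -k` after the join should list host/SERV21.companyname.local@COMPANYNAME.LOCAL entries; if sssd still cannot read the keytab at that point, the join wrote nothing and the hostname change in step 4 is the place to look.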

Answer 2

Try this on Server21:

realm leave -v -U [your admin username] COMPANYNAME.LOCAL

Then

realm join -v -U [your admin username] COMPANYNAME.LOCAL