我正在尝试将 Ubuntu 14.04 服务器加入 Windows 2003 R2 域。我的管理员说,从控制器端来看,它是域的一部分。但是SSSD似乎无法启动并且DNS更新失败。
我一直在遵循各种指南来尝试使其正常工作,但未能成功完成其中任何一个且没有错误。
Ubuntu 服务器指南
千根
网络迷
Fedora SSSD 指南
Discovery 似乎运行得很好:
kyle@Server21:~$ realm discover COMPANYNAME.LOCAL
CompanyName.Local
type: kerberos
realm-name: COMPANYNAME.LOCAL
domain-name: companyname.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
companyname.local
type: kerberos
realm-name: COMPANYNAME.LOCAL
domain-name: companyname.local
configured: no
realmd说我也加入了域:
kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain
Kerberos 获取了我的管理员身份验证:
kyle@Server21:~$ kinit -V administrator
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
但当需要加入时,DNS 更新失败:
kyle@Server21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERVER21' to dns domain 'CompanyName.Local'
No DNS domain configured for server21. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
SSSD 启动时仍然存在问题:
kyle@Server21:~$ systemctl status sssd.service
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2016-06-22 09:57:57 EDT; 37min ago
Process: 16027 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=1/FAILURE)
Jun 22 09:57:55 Server21 sssd[16038]: Starting up
Jun 22 09:57:55 Server21 sssd[16041]: Starting up
Jun 22 09:57:55 Server21 sssd[16042]: Starting up
Jun 22 09:57:56 Server21 sssd[be[16043]: Starting up
Jun 22 09:57:57 Server21 sssd[be[16043]: Failed to read keytab [default]: No such file or directory
Jun 22 09:57:57 Server21 sssd[16031]: Exiting the SSSD. Could not restart critical service [COMPANYNAME.LOCAL].
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Control process exited, code=exited status=1
Jun 22 09:57:57 Server21 systemd[1]: Failed to start System Security Services Daemon.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Unit entered failed state.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Failed with result 'exit-code'.
其中唯一krb5.conf针对我的部分是[libdefaults]:
kyle@Server21:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = COMAPNYNAME.LOCAL
虽然在之前的安装中我以为还有其他东西,[realms]但我不记得是什么了。 Fedora 指南谈到了当 DNS 查找不起作用时在那里添加一些东西,但没有提供足够的细节让我准确地弄清楚那里应该有什么。
我对以下内容的修改smb.conf:
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = COMPANYNAME
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = COMPANYNAME.LOCAL
security = ads
我的sssd.conf
kyle@Server21:~$ sudo cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = COMPANYNAME.LOCAL
[domain/COMPANYNAME.LOCAL]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
由于 Ubuntu 指南说所有权和权限很重要:
kyle@Server21:~$ sudo ls -la /etc/sssd
total 12
drwx--x--x 2 sssd sssd 4096 Jun 21 14:34 .
drwxr-xr-x 103 root root 4096 Jun 22 10:21 ..
-rw------- 1 root root 172 Jun 21 14:22 sssd.conf
Ubuntu 指南还提到该hosts文件可能会导致 DNS 更新出现问题,但我认为我正确地遵循了他们的示例:
kyle@Server21:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 Server21
192.168.XXX.XXX Server21 Server21.COMPANYNAME.LOCAL
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
那么我哪里出错了?域控制器表示它是域的一部分。我已经安装了 Apache 和 OpenSSH 并且可以访问。但是这个服务器还有很多事情要做,所以我想确保在继续之前一切都配置正确。
编辑:
我hosts根据建议更改了文件这一页现在看起来像这样:
kyle@Server21:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 Server21.COMPANYNAME.LOCAL Server21
192.168.11.11 Server21.COMPANYNAME.LOCAL Server21
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
现在getent返回:
kyle@Server21:~$ sudo getent hosts Server21
127.0.1.1 Server21.COMPANYNAME.LOCAL Server21 Server21
192.168.11.11 Server21.COMPANYNAME.LOCAL Server21 Server21
现在net ads join有不同的错误消息:
kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.
到目前为止,我发现的关于此错误的唯一建议是确保 AD 服务器位于resolv.conf并且它的 IP 是唯一的条目。
kyle@Server21:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.XXX.XXX
回答评论:
kyle@Server21:~$ nslookup -type=SRV _ldap._tcp.companyname.local
Server: 192.168.XXX.XXX
Address: 192.168.XXX.XXX#53
_ldap._tcp.companyname.local service = 0 100 389 companynamedc.companyname.local.
在此过程中,SSSD 得以启动并且现在处于活动状态。尽管我不确定我做了什么来修复它。
答案1
问题似乎是我的管理员在域控制器上为此服务器创建了一个条目。这显然导致了冲突,导致 Kerberos 在尝试加入时遇到以下错误:
kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.
我不确定这个错误是否完全准确,因为我的管理员说服务器已加入他的域并realmd表明我也已加入:
kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain
我成功加入 Kerberos 所遵循的步骤如下:
- 管理员删除了域控制器中的条目
- 使用以下命令重新运行 Kerberos 配置:
sudo dpkg-reconfigure krb5-config - 选择配置中的选项以将域控制器显式添加到以下
[realms]部分krb5.conf - 更改主机名以确保创建新记录
- 使用以下方式拉出一张新票
kinit - 使用加入域
sudo net ads join -k
最后结果:
kyle@SERV21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERV21' to dns domain 'CompanyName.Local'
答案2
在 Server21 上尝试一下:
realm leave -v -U [your admin username] COMPANYNAME.LOCAL
然后
realm join -v -U [your admin username] COMPANYNAME.LOCAL