Active-Directory
Kerberos fails when joining Active Directory
I am trying to join Active Directory with Samba 4 on Ubuntu 12.04.05.
When I run
host -t SRV _kerberos._udp.test.sg
I get the error: Host _kerberos._udp.test.sg not found: 3(NXDOMAIN)
Meanwhile:
$# host -t SRV _ldap._tcp.test.sg
_ldap._tcp.test.sg has SRV record 0 0 389 4ecapsvsg6.test.sg.
$# host -t A 4ECAPSVSG6.test.sg
4ECAPSVSG6.test.sg has address 10.153.64.5
My /etc/samba/smb.conf:
# Global parameters
[global]
    workgroup = TEST
    realm = TEST.SG
    netbios name = 4ECAPSVSG6
    server role = active directory domain controller
    dns forwarder = 10.153.64.5
    security = ads
    use kerberos keytab = true
    password server = 4ecapsvsg6.test.sg
    allow dns updates = nonsecure and secure
    bind interfaces only = no
    server services = +smb -s3fs
    dcerpc endpoint servers = +winreg +srvsvc
    passdb backend = samba4
    server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
My /etc/krb5.conf:
[libdefaults]
    default_realm = TEST.SG
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
    4ECAP.SG = {
        kdc = 4ecapsvsg6.test.sg:88
        admin_server = 4ecapsvsg6.test.sg:749
        default_domain = test.sg
    }
[domain_realm]
    .test.sg = TEST.SG
    test.sg = TEST.SG
[login]
    krb4_convert = true
    krb4_get_tickets = false
My /etc/hosts:
127.0.0.1 localhost
127.0.1.1 4ecapsvsg6
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.153.64.5 4ecapsvsg6.test.sg 4ecapsvsg6
What is the solution? Without it, I cannot join the domain with the following command:
sudo net ads join
It fails with an error such as
Failed to join domain: failed to lookup DC info for domain 'TEST' over rpc: Logon failure
I ran
kinit administrator
and klist. Result:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@TEST.SG
Valid starting       Expires              Service principal
26/03/2015 14:29:04  27/03/2015 00:29:04  krbtgt/TEST.SG@TEST.SG
        renew until 27/03/2015 14:29:00
After searching on Google last week, I was lucky to find this site: http://edoceo.com/howto/samba4
It turned out I needed to edit my dnsmasq configuration (/etc/dnsmasq.conf) and add these lines:
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._tcp.dc._msdcs.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.test.sg,4ecapsvsg6.test.sg,464
srv-host=_kpasswd._udp.test.sg,4ecapsvsg6.test.sg,464
and disable Bind9 (installed by default together with Samba4).
Now the problem is gone :)
Only one question remains: how to connect to AD (I will open another thread for that).
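
Added example, not part of the original post: a shell check that reports which of the srv-host records listed in the post are absent from a dnsmasq configuration file, printing the lines that would need to be added. The function names (required_srv, missing_srv, demo) and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.

# SRV names and ports, taken from the srv-host lines in the post.
required_srv() {
    domain=$1
    cat <<EOF
_kerberos._tcp.$domain 88
_kerberos._tcp.dc._msdcs.$domain 88
_kerberos._udp.$domain 88
_kpasswd._tcp.$domain 464
_kpasswd._udp.$domain 464
EOF
}

# missing_srv CONF DOMAIN DC
# Prints one srv-host= line for every required record that CONF lacks.
missing_srv() {
    conf=$1 domain=$2 dc=$3
    required_srv "$domain" | while read -r name port; do
        # Only uncommented srv-host lines count; names compare
        # case-insensitively, as DNS names do.
        if ! awk -F'[=,]' -v want="$name" -v port="$port" '
            /^[ \t]*srv-host=/ {
                n = $2; gsub(/[ \t]/, "", n)
                if (tolower(n) == tolower(want) && $4 + 0 == port + 0) found = 1
            }
            END { exit !found }' "$conf"; then
            printf 'srv-host=%s,%s,%s\n' "$name" "$dc" "$port"
        fi
    done
}

# Constructed sample: two records present, one commented out, two absent.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
srv-host=_kerberos._tcp.test.sg,4ecapsvsg6.test.sg,88
#srv-host=_kerberos._udp.test.sg,4ecapsvsg6.test.sg,88
srv-host=_kpasswd._tcp.TEST.SG,4ecapsvsg6.test.sg,464
EOF
    missing_srv "$tmp" test.sg 4ecapsvsg6.test.sg
    rm -f "$tmp"
}

demo
```

Against a real file the call would be missing_srv /etc/dnsmasq.conf test.sg 4ecapsvsg6.test.sg; no output means all five records from the post are present.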