Problems joining an Active Directory domain

I am trying to join an Ubuntu 14.04 server to a Windows 2003 R2 domain. My admin says that, from the controller side, it is part of the domain. But SSSD does not seem to start, and the DNS update fails.

I have been following various guides trying to get this working, but I have not managed to complete any of them without errors.
Discovery seems to work fine:

```
kyle@Server21:~$ realm discover COMPANYNAME.LOCAL
CompanyName.Local
  type: kerberos
  realm-name: COMPANYNAME.LOCAL
  domain-name: companyname.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
companyname.local
  type: kerberos
  realm-name: COMPANYNAME.LOCAL
  domain-name: companyname.local
  configured: no
```
`realmd` also says I am joined to the domain:

```
kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain
```
Kerberos accepts my administrator authentication:

```
kyle@Server21:~$ kinit -V administrator
Using default cache: /tmp/krb5cc_0
Using principal: administrator@COMPANYNAME.LOCAL
Password for administrator@COMPANYNAME.LOCAL:
Authenticated to Kerberos v5
```
But when it comes to joining, the DNS update fails:

```
kyle@Server21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERVER21' to dns domain 'CompanyName.Local'
No DNS domain configured for server21. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
```
And SSSD still has problems starting:

```
kyle@Server21:~$ systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2016-06-22 09:57:57 EDT; 37min ago
  Process: 16027 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=1/FAILURE)

Jun 22 09:57:55 Server21 sssd[16038]: Starting up
Jun 22 09:57:55 Server21 sssd[16041]: Starting up
Jun 22 09:57:55 Server21 sssd[16042]: Starting up
Jun 22 09:57:56 Server21 sssd[be[16043]: Starting up
Jun 22 09:57:57 Server21 sssd[be[16043]: Failed to read keytab [default]: No such file or directory
Jun 22 09:57:57 Server21 sssd[16031]: Exiting the SSSD. Could not restart critical service [COMPANYNAME.LOCAL].
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Control process exited, code=exited status=1
Jun 22 09:57:57 Server21 systemd[1]: Failed to start System Security Services Daemon.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Unit entered failed state.
Jun 22 09:57:57 Server21 systemd[1]: sssd.service: Failed with result 'exit-code'.
```
The only part of `krb5.conf` that is specific to me is `[libdefaults]`:

```
kyle@Server21:~$ cat /etc/krb5.conf
[libdefaults]
        default_realm = COMAPNYNAME.LOCAL
```
Although in previous installs I think there was also something under `[realms]`, I cannot remember what. The Fedora guide talks about adding something there when DNS lookup does not work, but does not go into detail about what exactly I should add. My changes to `smb.conf`:

```
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = COMPANYNAME
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = COMPANYNAME.LOCAL
   security = ads
```
My `sssd.conf`:

```
kyle@Server21:~$ sudo cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = COMPANYNAME.LOCAL

[domain/COMPANYNAME.LOCAL]
id_provider = ad
access_provider = ad
override_homedir = /home/%d/%u
```
And since the Ubuntu guide says ownership and permissions matter:

```
kyle@Server21:~$ sudo ls -la /etc/sssd
total 12
drwx--x--x   2 sssd sssd 4096 Jun 21 14:34 .
drwxr-xr-x 103 root root 4096 Jun 22 10:21 ..
-rw-------   1 root root  172 Jun 21 14:22 sssd.conf
```
The Ubuntu guide also mentions that the `hosts` file can cause problems with the DNS update, but I believe I followed their example correctly:

```
kyle@Server21:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       Server21
192.168.XXX.XXX Server21 Server21.COMPANYNAME.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
So where did I go wrong? The domain controller says it is part of the domain. I have Apache and OpenSSH, and both are reachable. But this server still has a lot to do, so I want to make sure everything is configured correctly before moving on.
Edit: I changed my `hosts` file according to the suggestions on this page, and it now looks like this:

```
kyle@Server21:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       Server21.COMPANYNAME.LOCAL Server21
192.168.11.11   Server21.COMPANYNAME.LOCAL Server21

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
`getent` now returns:

```
kyle@Server21:~$ sudo getent hosts Server21
127.0.1.1       Server21.COMPANYNAME.LOCAL Server21 Server21
192.168.11.11   Server21.COMPANYNAME.LOCAL Server21 Server21
```
`net ads join` now gives a different error message:

```
kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.
```
So far the only suggestion I have found for this error is to make sure the AD server is in `resolv.conf` and that its IP is the only entry.

```
kyle@Server21:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.XXX.XXX
```
To answer the comments:

```
kyle@Server21:~$ nslookup -type=SRV _ldap._tcp.companyname.local
Server:         192.168.XXX.XXX
Address:        192.168.XXX.XXX#53

_ldap._tcp.companyname.local    service = 0 100 389 companynamedc.companyname.local.
```

Somewhere along the way SSSD has been able to start and is now active, although I am not sure what I did to fix it.
The problem seems to have been that my admin had created an entry for this server on the domain controller. This apparently caused a conflict that led Kerberos to hit the following error when trying to join:

```
kyle@Server21:~$ sudo net ads join -k
Failed to join domain: failed to lookup DC info for domain 'COMPANYNAME.LOCAL' over rpc: An internal error occurred.
```
I am not sure this error is entirely accurate, since my admin said the server was joined to his domain and `realmd` indicated that I was joined too:

```
kyle@Server21:~$ realm join COMPANYNAME.LOCAL
realm: Already joined to this domain
```
The steps I followed to join Kerberos successfully were as follows:

- The admin deleted the entry on the domain controller
- Re-ran the Kerberos configuration with `sudo dpkg-reconfigure krb5-config`
- Chose the option in the configuration to explicitly add the domain controllers to `[realms]` in `krb5.conf`
- Changed the hostname to make sure a new record was created
- Pulled a new ticket with `kinit`
- Joined the domain with `sudo net ads join -k`
Final result:

```
kyle@SERV21:~$ sudo net ads join -k
Using short domain name -- COMPANYNAME
Joined 'SERV21' to dns domain 'CompanyName.Local'
```
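As an added example that is not part of the question or the answer above: a small POSIX shell preflight that runs offline over constructed copies of the four files the question reproduces (krb5.conf, smb.conf, sssd.conf, /etc/hosts) and reports the kinds of drift that make `net ads join` and SSSD fail before a single ticket is requested. It covers the question's configuration files and the answer's steps in one check: a default realm that differs between the three files, a krb5.conf with no explicit `[realms]` entry carrying a `kdc` (the option the answer chose in `dpkg-reconfigure krb5-config`), and a hosts line that lists the short name before the FQDN (the change made in the question's edit). The realm `EXAMPLE.LOCAL`, host `host01.example.local`, DC `dc01.example.local` and address 192.0.2.10 are constructed; nothing is read from the real system. Note that the krb5.conf quoted in the question spells the realm `COMAPNYNAME.LOCAL` while smb.conf and sssd.conf spell it `COMPANYNAME.LOCAL`; the realm check is the one that surfaces that kind of mismatch.

```shell
#!/bin/sh
# Added example, not from the original post: offline consistency check over the
# files an AD join depends on. All sample contents and names below are constructed.

# ini_value FILE SECTION KEY: print the value of KEY under [SECTION]
# (flat "key = value" lines only; the nested [realms] block is handled separately).
ini_value() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1)
            v = substr(line, index(line, "=") + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# realm_has_kdc KRB5CONF REALM: succeed when [realms] has "REALM = { ... kdc = ... }",
# i.e. the KDC is named explicitly instead of relying on DNS SRV lookups.
realm_has_kdc() {
    awk -v realm="$2" '
        /^\[/                             { insec = ($1 == "[realms]"); next }
        insec && $1 == realm && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"              { inrealm = 0 }
        inrealm && $1 == "kdc"            { found = 1; exit }
        END { if (found) exit 0; exit 1 }' "$1"
}

# hosts_fqdn_first HOSTS FQDN SHORT: succeed when every line naming this host lists
# the FQDN as the first (canonical) name, so "hostname -f" resolves to the FQDN.
hosts_fqdn_first() {
    awk -v fqdn="$2" -v short="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            names = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(fqdn) || tolower($i) == tolower(short)) names = 1
            if (names && tolower($2) != tolower(fqdn)) bad = 1
        }
        END { if (bad) exit 1; exit 0 }' "$1"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_join_config KRB5 SMB SSSD HOSTS FQDN
# Findings go to stderr; the number of findings is printed on stdout.
check_join_config() {
    krb5=$1; smb=$2; sssd=$3; hosts=$4; fqdn=$5
    short=${fqdn%%.*}
    problems=0
    realm_krb=$(upper "$(ini_value "$krb5" libdefaults default_realm)")
    realm_smb=$(upper "$(ini_value "$smb" global realm)")
    realm_sssd=$(upper "$(ini_value "$sssd" sssd domains | cut -d, -f1)")
    if [ "$realm_krb" != "$realm_smb" ] || [ "$realm_krb" != "$realm_sssd" ]; then
        echo "realm mismatch: krb5.conf=$realm_krb smb.conf=$realm_smb sssd.conf=$realm_sssd" >&2
        problems=$((problems + 1))
    fi
    if ! realm_has_kdc "$krb5" "$realm_krb"; then
        echo "krb5.conf: no [realms] entry with a kdc for $realm_krb" >&2
        problems=$((problems + 1))
    fi
    if ! hosts_fqdn_first "$hosts" "$fqdn" "$short"; then
        echo "hosts: a line naming $short puts the short name before $fqdn" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Constructed samples. write_before mirrors the state the question describes
# (misspelled realm, no [realms] block, short name first); write_after the fixed state.
write_common() {
    printf '[global]\n    workgroup = EXAMPLE\n    realm = EXAMPLE.LOCAL\n    security = ads\n' > "$1/smb.conf"
    printf '[sssd]\nservices = nss, pam\ndomains = EXAMPLE.LOCAL\n\n[domain/EXAMPLE.LOCAL]\nid_provider = ad\n' > "$1/sssd.conf"
}
write_before() {
    write_common "$1"
    printf '[libdefaults]\n    default_realm = EXAMLPE.LOCAL\n' > "$1/krb5.conf"
    printf '127.0.0.1 localhost\n127.0.1.1 host01\n192.0.2.10 host01 host01.example.local\n' > "$1/hosts"
}
write_after() {
    write_common "$1"
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.LOCAL

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc01.example.local
        admin_server = dc01.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL
EOF
    printf '127.0.0.1 localhost\n127.0.1.1 host01.example.local host01\n192.0.2.10 host01.example.local host01\n' > "$1/hosts"
}

dir=$(mktemp -d)
write_before "$dir"
echo "before: $(check_join_config "$dir/krb5.conf" "$dir/smb.conf" "$dir/sssd.conf" "$dir/hosts" host01.example.local) finding(s)"
write_after "$dir"
echo "after:  $(check_join_config "$dir/krb5.conf" "$dir/smb.conf" "$dir/sssd.conf" "$dir/hosts" host01.example.local) finding(s)"
rm -rf "$dir"
```

Run against the constructed "before" set it reports three findings (realm mismatch, no explicit KDC, short name first in hosts) and against the "after" set none. Pointing `check_join_config` at the real `/etc/krb5.conf`, `/etc/samba/smb.conf`, `/etc/sssd/sssd.conf` and `/etc/hosts` with the output of `hostname -f` gives the same checks on a live host; it only reads the files and changes nothing.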