I don't know much about Active Directory, but I have a basic understanding of how it functions. I have been trying to join a Fedora 20 machine to the domain and have been having some problems. I run the realm command like this:
sudo realm join -v -U [admin user] [hostname of RODC]
For some reason, I have to use the hostname of the read-only domain controller. If I use the name of the domain, I get the following error:
* Resolving: _ldap._tcp.[domain]
! Discovery timed out after 15 seconds
If I specify the hostname of the RODC, everything works as expected up to the point where it asks for the password of the admin user given in the command in order to authenticate, but it then fails when setting the password for the computer account:
* Resolving: _ldap._tcp.[RODC host name]
* Resolving: [RODC host name]
* Performing LDAP DSE lookup on: [internal IP of RODC]
* Successfully discovered: [domain]
Password for [domain admin]:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
* LANG=C /usr/sbin/adcli join --verbose --domain [domain] --domain-realm [domain, in caps] --domain-controller [internal IP of RODC] --login-type user --login-user [domain admin] --stdin-password
* Using domain name: [domain]
* Calculated computer account name from fqdn: [machine host name, in caps/computer account]
* Using domain realm: [domain]
* Sending cldap pings to domain controller: [internal IP of RODC]
* Received NetLogon info from: [host name of RODC, in caps].[domain]
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-pMXPuH/krb5.d/adcli-krb5-conf-OcXLS5
* Authenticated as user: [admin user]@[domain, in caps]
* Looked up short domain name: [short name]
* Using fully qualified name: [machine host name].[domain]
* Using domain name: [domain name]
* Using computer account name: [computer account]
* Using domain realm: [domain name]
* Enrolling computer account name calculated from fqdn: [computer account]
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Using fully qualified name: [machine host name].[domain]
* Using domain name: [domain]
* Using computer account name: [computer account]
* Using domain realm: [domain]
* Looked up short domain name: [short name]
* Found computer account for [computer account]$ at: CN=[computer account],OU=[redacted] Computers,OU=[redacted],OU=[redacted],OU=[redacted],DC=[redacted],DC=[redacted],DC=[redacted]
! Couldn't set password for computer account: [computer account]$: Incorrect net address
adcli: joining domain [domain] failed: Couldn't set password for computer account: [computer account]$: Incorrect net address
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
After doing some searching, I found a TechNet article that mentions the "Incorrect net address" error as a DNS problem. Where should I start troubleshooting this?
You will not be able to create anything on an Active Directory RODC. The RO part stands for Read-Only. Work with your Active Directory administrator to get the hostname of a writable domain controller.
The reason you see this error is that you cannot write to the RODC to create the password. AD creates a computer password when the object is created, and a random one is generated when joining the domain.
You have to rely on Kerberos caching the server password, which it will not prompt you for when you join against the RODC. First create a keytab file on a writable DC for that specific Linux server, then move it there, preferably to /etc/krb5.keytab, and set its permissions to 600.
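The "Sending cldap pings to domain controller" / "Received NetLogon info from" lines in the verbose adcli output above are where the client learns what the DC it was pointed at can do: the NetLogon response carries a Flags field, and a read-only DC does not set DS_WRITABLE_FLAG. The following is an added example, not part of the question or answer and not adcli's own code, that decodes that Flags field (constants from MS-ADTS, NETLOGON_SAM_LOGON_RESPONSE_EX) and reports whether a given DC could accept the computer-account password set that failed in the question. The two NetLogon blobs and the hostnames rodc01/dc01 under example.test are constructed for the example; it does nothing about the separate `_ldap._tcp.[domain]` SRV timeout, which is a DNS matter.

```python
import struct

# Flags bits of NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS 6.3.1.2).
DS_PDC_FLAG = 0x00000001
DS_GC_FLAG = 0x00000004
DS_LDAP_FLAG = 0x00000008
DS_DS_FLAG = 0x00000010
DS_KDC_FLAG = 0x00000020
DS_TIMESERV_FLAG = 0x00000040
DS_CLOSEST_FLAG = 0x00000080
DS_WRITABLE_FLAG = 0x00000100
DS_GOOD_TIMESERV_FLAG = 0x00000200
DS_NDNC_FLAG = 0x00000400
DS_SELECT_SECRET_DOMAIN_6_FLAG = 0x00000800  # RODC: caches only selected secrets
DS_FULL_SECRET_DOMAIN_6_FLAG = 0x00001000    # writable DC holding all secrets
DS_WS_FLAG = 0x00002000

FLAG_NAMES = {
    DS_PDC_FLAG: "pdc", DS_GC_FLAG: "gc", DS_LDAP_FLAG: "ldap",
    DS_DS_FLAG: "ds", DS_KDC_FLAG: "kdc", DS_TIMESERV_FLAG: "timeserv",
    DS_CLOSEST_FLAG: "closest", DS_WRITABLE_FLAG: "writable",
    DS_GOOD_TIMESERV_FLAG: "good_timeserv", DS_NDNC_FLAG: "ndnc",
    DS_SELECT_SECRET_DOMAIN_6_FLAG: "select_secret_domain_6",
    DS_FULL_SECRET_DOMAIN_6_FLAG: "full_secret_domain_6", DS_WS_FLAG: "ws",
}

LOGON_SAM_LOGON_RESPONSE_EX = 23  # Opcode of the extended NetLogon response


def flags_from_netlogon(blob):
    """Extract Flags from a raw 'netlogon' attribute value.

    Wire layout starts: Opcode (uint16 LE), Sbz (uint16), Flags (uint32 LE);
    the GUID and compressed DNS names that follow are not needed here.
    """
    if len(blob) < 8:
        raise ValueError("netlogon blob too short")
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected NetLogon opcode %d" % opcode)
    return flags


def decode_dc_flags(flags):
    """Return the sorted list of flag names set in `flags`."""
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)


def check_join_target(flags):
    """Return (ok, reason): can this DC take the computer-account password set?"""
    if not (flags & DS_LDAP_FLAG and flags & DS_DS_FLAG):
        return False, "not an LDAP directory server"
    if not flags & DS_KDC_FLAG:
        return False, "no KDC advertised; adcli cannot get tickets here"
    if not flags & DS_WRITABLE_FLAG:
        return False, ("read-only DC (DS_WRITABLE_FLAG clear): "
                       "the computer account password cannot be set here")
    return True, "writable DC; can accept the computer account password"


def pick_writable_dc(responses):
    """responses: {hostname: netlogon blob}. First host that passes, or None."""
    for host, blob in responses.items():
        ok, _reason = check_join_target(flags_from_netlogon(blob))
        if ok:
            return host
    return None


def make_netlogon_blob(flags):
    """Constructed minimal blob for this example (real ones continue past Flags)."""
    return struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, flags)


# Constructed sample responses: one RODC, one writable DC (hypothetical hosts).
RODC_FLAGS = (DS_LDAP_FLAG | DS_DS_FLAG | DS_KDC_FLAG | DS_TIMESERV_FLAG
              | DS_CLOSEST_FLAG | DS_SELECT_SECRET_DOMAIN_6_FLAG | DS_WS_FLAG)
RWDC_FLAGS = (DS_PDC_FLAG | DS_GC_FLAG | DS_LDAP_FLAG | DS_DS_FLAG | DS_KDC_FLAG
              | DS_TIMESERV_FLAG | DS_WRITABLE_FLAG | DS_GOOD_TIMESERV_FLAG
              | DS_FULL_SECRET_DOMAIN_6_FLAG | DS_WS_FLAG)
SAMPLE_RESPONSES = {
    "rodc01.example.test": make_netlogon_blob(RODC_FLAGS),
    "dc01.example.test": make_netlogon_blob(RWDC_FLAGS),
}

if __name__ == "__main__":
    for host, blob in SAMPLE_RESPONSES.items():
        f = flags_from_netlogon(blob)
        print(host, hex(f), decode_dc_flags(f), check_join_target(f))
    print("join target:", pick_writable_dc(SAMPLE_RESPONSES))
```

When the host you are about to pass to `realm join` decodes without `writable`, pointing adcli at it will get as far as "Found computer account" and then fail on the password set, as in the question; use the host that decodes with `writable` (or hand the writable DC's hostname to the admin generating the keytab, as the answer suggests).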