Active Directory join of Ubuntu 14.04 LTS using realm, sssd and adcli

I am setting up a new network with a Windows 2012 machine running AD DS. I have several Ubuntu 14.04 servers that I want to join to the domain for authentication. I have already done this successfully on some of these servers using realmd, sssd and adcli, and it was very straightforward.

However, on at least two other servers I cannot get the same setup to work. The big difference between them is that they reside in a different subnet. I have checked: routing, DNS, and disabling the firewall and all firewall rules on the DC.

I can successfully issue a kinit, but adcli claims it cannot contact the KDC.

I hope you can point out my mistake.

Kind regards

    root@lb02:~# ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 52:54:00:ea:a5:b6 brd ff:ff:ff:ff:ff:ff
        inet ***.***.***.**/** brd ***.***.***.*** scope global net
           valid_lft forever preferred_lft forever
        inet6 ....
    3: www: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 52:54:00:70:11:86 brd ff:ff:ff:ff:ff:ff
        inet 10.2.1.2/24 brd 10.2.1.255 scope global www
           valid_lft forever preferred_lft forever
        inet6 ....

    root@lb02:~# cat /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5.log

    [libdefaults]
     default_realm = ACME.COM
     kdc_timesync = 1
     ccache_type = 4
     forwardable = true
     proxiable = true

    [realms]
     ACME.COM = {
      kdc = ad01.acme.com
      admin_server = ad01.acme.com
      default_domain = ACME.COM
     }

    [domain_realm]
     .acme.com = ACME.COM
     acme.com = ACME.COM

    root@lb02:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    07/08/2015 16:19:55  07/09/2015 02:19:55  krbtgt/[email protected]
        renew until 07/09/2015 16:19:52

    root@lb02:~# dig -t SRV _kerberos._tcp.acme.com

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._tcp.acme.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13722
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;_kerberos._tcp.acme.com.      IN      SRV

    ;; ANSWER SECTION:
    _kerberos._tcp.acme.com. 600   IN      SRV     0 100 88 ad01.acme.com.

    ;; ADDITIONAL SECTION:
    ad01.acme.com.          3600    IN      A       10.2.4.1

    ;; Query time: 2 msec
    ;; SERVER: 10.2.4.1#53(10.2.4.1)
    ;; WHEN: Wed Jul 08 16:24:43 CEST 2015
    ;; MSG SIZE  rcvd: 107

    root@lb02:~# dig -t SRV _kerberos._udp.acme.com

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._udp.acme.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3917
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;_kerberos._udp.acme.com.      IN      SRV

    ;; ANSWER SECTION:
    _kerberos._udp.acme.com. 600   IN      SRV     0 100 88 ad01.acme.com.

    ;; ADDITIONAL SECTION:
    ad01.acme.com.          3600    IN      A       10.2.4.1

    ;; Query time: 1 msec
    ;; SERVER: 10.2.4.1#53(10.2.4.1)
    ;; WHEN: Wed Jul 08 16:46:25 CEST 2015
    ;; MSG SIZE  rcvd: 107

    root@lb02:~# ping -c4 ad01.acme.com
    PING ad01.acme.com (10.2.4.1) 56(84) bytes of data.
    64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=1 ttl=127 time=0.651 ms
    64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=2 ttl=127 time=0.620 ms
    64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=3 ttl=127 time=0.721 ms
    64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=4 ttl=127 time=0.750 ms

    --- ad01.acme.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.620/0.685/0.750/0.058 ms

    C:\Users\Administrator>ping lb02

    Pinging lb02.acme.com [10.2.1.2] with 32 bytes of data:
    Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
    Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
    Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
    Reply from 10.2.1.2: bytes=32 time<1ms TTL=63

    Ping statistics for 10.2.1.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    kvanhagen@lb02:~$ telnet ad01.acme.com 88
    Trying 10.2.4.1...
    Connected to ad01.acme.com.

    root@lb02:~# realm --membership-software=adcli discover acme.com
    acme.com
      type: kerberos
      realm-name: ACME.COM
      domain-name: acme.com
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin

    root@lb02:~# realm --verbose join acme.com
     * Resolving: _ldap._tcp.acme.com
     * Performing LDAP DSE lookup on: 10.2.4.1
     * Successfully discovered: acme.com
     * Unconditionally checking packages
     * Resolving required packages
     * LANG=C /usr/sbin/adcli join --verbose --domain acme.com --domain-realm ACME.COM --domain-controller 10.2.4.1 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-MCBF1X
     * Using domain name: acme.com
     * Calculated computer account name from fqdn: LB02
     * Using domain realm: acme.com
     * Sending netlogon pings to domain controller: cldap://10.2.4.1
     * Received NetLogon info from: ad01.acme.com
     * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-v7Y0Pg/krb5.d/adcli-krb5-conf-eJg20h
     * Looked up short domain name: ACME
     * Using fully qualified name: lb02
     * Using domain name: acme.com
     * Using computer account name: LB02
     * Using domain realm: acme.com
     * Calculated computer account name from fqdn: LB02
     * Generated 120 character computer password
     * Using keytab: FILE:/etc/krb5.keytab
     * Using fully qualified name: lb02
     * Using domain name: acme.com
     * Using computer account name: LB02
     * Using domain realm: acme.com
     * Looked up short domain name: ACME
     * Found computer account for LB02$ at: CN=LB02,CN=Computers,DC=acme,DC=com
     ! Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
    adcli: joining domain acme.com failed: Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
     ! Failed to join the domain
    realm: Couldn't join realm: Failed to join the domain
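The diagnostics in the question are all network-side (SRV lookups, ping, telnet to port 88). The following added example, which is not code from the question, from any answer, or from the realmd/adcli projects, covers the offline half of a "Cannot contact any KDC" investigation: it parses a krb5.conf, reports where libkrb5 will look for a KDC of a given realm (explicit `kdc =` entries first, otherwise the `_kerberos._udp`/`_kerberos._tcp` SRV names when `dns_lookup_kdc` is left at its default), lints the file for mistakes such as an unrecognised boolean value, and extracts host/port pairs from a dig SRV answer so they can be fed to a port check. The embedded krb5.conf and dig output are constructed copies of what the question shows (the mistyped `proxiable = trye` is kept deliberately so the lint has something to report); the function names are this example's own.

```python
"""Offline helper for a "Cannot contact any KDC" investigation: parse a
krb5.conf, show where libkrb5 will look for a KDC, lint the file, and pull
KDC host/port pairs out of a dig SRV answer. Added example for this
question, not the poster's code and not part of realmd or adcli."""
import re

# Constructed copy of the krb5.conf in the question; the bad boolean
# value "trye" is kept on purpose so that lint() has something to report.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5.log
[libdefaults]
 default_realm = ACME.COM
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = trye
[realms]
 ACME.COM = {
  kdc = ad01.acme.com
  admin_server = ad01.acme.com
  default_domain = ACME.COM
 }
[domain_realm]
 .acme.com = ACME.COM
 acme.com = ACME.COM
"""

# Constructed answer section of `dig -t SRV _kerberos._tcp.acme.com`.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;_kerberos._tcp.acme.com.      IN      SRV
;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600   IN      SRV     0 100 88 ad01.acme.com.
"""

BOOLEAN_KEYS = {"forwardable", "proxiable", "dns_lookup_kdc", "dns_lookup_realm"}
FALSE_WORDS = {"false", "no", "off", "0", "f", "n"}
BOOLEAN_WORDS = FALSE_WORDS | {"true", "yes", "on", "1", "t", "y"}
SRV_RE = re.compile(r"^(\S+?)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.$", re.M)


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a `key = { ... }`
    block becomes a nested dict under that key. Repeated keys (several
    `kdc =` lines) are kept in order, which is how libkrb5 treats them."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"assignment before any [section]: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def kdc_candidates(conf, realm):
    """Where libkrb5 looks for a KDC of `realm`: explicit `kdc =` entries in
    [realms] win; otherwise, with dns_lookup_kdc enabled (the default), the
    _kerberos._udp/_tcp SRV records of the realm are queried. The [realms]
    match is case-sensitive, so "acme.com" is not the same realm as "ACME.COM"."""
    block = conf.get("realms", {}).get(realm)
    if isinstance(block, dict) and block.get("kdc"):
        return [("config", kdc) for kdc in block["kdc"]]
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if dns in FALSE_WORDS:
        return []
    return [("dns-srv", f"_kerberos._udp.{realm}"), ("dns-srv", f"_kerberos._tcp.{realm}")]


def lint(conf):
    """Configuration mistakes worth fixing before chasing network problems."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in sorted(BOOLEAN_KEYS.intersection(libdefaults)):
        for value in libdefaults[key]:
            if value.lower() not in BOOLEAN_WORDS:
                findings.append(f"libdefaults.{key} = {value!r} is not a recognised boolean value")
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm and default_realm not in conf.get("realms", {}):
        findings.append(f"default_realm {default_realm!r} has no [realms] entry; KDC lookup falls back to DNS")
    return findings


def parse_srv_records(dig_text):
    """(name, priority, weight, port, target) for every SRV record in a dig
    answer, lowest priority (then highest weight) first, i.e. the order in
    which a client would try them."""
    records = [(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]) for m in SRV_RE.finditer(dig_text)]
    return sorted(records, key=lambda r: (r[1], -r[2]))


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("ACME.COM", "acme.com"):
        print(realm, "->", kdc_candidates(conf, realm))
    for finding in lint(conf):
        print("lint:", finding)
    for name, prio, weight, port, target in parse_srv_records(SAMPLE_DIG):
        print(f"{name}: try {target}:{port} (priority {prio}, weight {weight})")
```

Run against the sample, the script reports that `ACME.COM` resolves to the configured KDC `ad01.acme.com`, that a lookup under the lower-case name `acme.com` would fall through to the SRV records, that `proxiable = trye` is not a valid boolean, and that the SRV answer points at `ad01.acme.com:88`. Feeding a real `/etc/krb5.conf` and the output of `dig -t SRV` into the same functions gives the list of host/port pairs that a TCP and UDP reachability test from the affected subnet should cover.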