active-directory – 无法使用samba工具net或realm / sssd加入域

net ads join -S domain.example.org -U name
Enter name's password:
Failed to join domain: failed to set machine kerberos encryption types: Insufficient access

与pam,krb5,samba,dns以及远程活动目录服务器中的对象相关的设置已正确配置,这意味着系统将使用rhel6和ubuntu 14.04成功绑定.

我无法找到有关我所遇到的具体错误的更多信息.我试图在krb5.conf中设置allow_weak_crypto = true只是为了看看它是否与它有关,但它没有效果.

我在https://technet.microsoft.com/en-us/library/bb463167.aspx中遵循了一些故障排除提示,但没有运气,我尝试过的东西似乎工作正常.

具体来说,我能够执行以下操作,这意味着我可以获取用户名的初始凭证：

kinit name
Password for name@domain.example.org:

我也可以使用ktutil生成一个keytab文件,当我将它移动到/etc/krb5.keytab klist -e时,它会显示正确的内容.但网络广告加入仍然失败.

编辑：在检查rhel7 samba源包后,我在README.dc中找到以下内容：

We’ll provide Samba AD DC functionality as soon as its support of MIT
Kerberos KDC will be ready.

我怀疑这可能是问题,我必须等到它准备好了.

Edit2：使用realm和sssd似乎也有同样的问题.做完之后：

realm -v join --user=example ad.example.org

我发现以下错误：

* LANG=C /usr/sbin/adcli join --verbose --domain ad.example.org --domain-realm AD.EXAMPLE.ORG --domain-controller 192.0.2.11 --login-type user --login-user example --stdin-password
! Insufficient permissions to set encryption types on computer account: CN=example,OU=w,OU=x,DC=ad,DC=example,DC=org: 00002098: SecErr: DSID-03150BB9,problem 4003 (INSUFF_ACCESS_RIGHTS),data 0

注意,这适用于rhel6.我也无权在那里更改AD服务器或我的帐户.

rhel版本为7.2,相关软件包的版本如下：

Name        : realmd
Version     : 0.16.1
--
Name        : adcli
Version     : 0.7.5
--
Name        : krb5-workstation
Version     : 1.13.2
--
Name        : samba-common
Version     : 4.2.3

journalctl -e SYSLOG_IDENTIFIER = realmd的清理输出：

Jan 21 14:56:20 host.example.org realmd[25796]:  * Using domain name: example.org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using computer account name: HOST
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using domain realm: example.org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Calculated computer account name from fqdn: HOST
Jan 21 14:56:20 host.example.org realmd[25796]:  * Generated 120 character computer password
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using keytab: FILE:/etc/krb5.keytab
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using fully qualified name: host.example.org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using domain name: example.org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using computer account name: HOST
Jan 21 14:56:20 host.example.org realmd[25796]:  * Using domain realm: example.org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Looked up short domain name: AD
Jan 21 14:56:20 host.example.org realmd[25796]:  * Found computer account for HOST$at: CN=host,DC=org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Set computer password
Jan 21 14:56:20 host.example.org realmd[25796]:  * Retrieved kvno '87' for computer account in directory: CN=host,DC=org
Jan 21 14:56:20 host.example.org realmd[25796]:  ! Insufficient permissions to set encryption types on computer account: CN=host,Jan 21 14:56:20 host.example.org realmd[25796]:  * Modifying computer account: userAccountControl
Jan 21 14:56:20 host.example.org realmd[25796]:  * Modifying computer account: operatingSystem,operatingSystemVersion,operatingSystemServicePack
Jan 21 14:56:20 host.example.org realmd[25796]:  ! Couldn't set operatingSystem,operatingSystemServicePack on computer account: CN=host,DC=org: Insufficient access
Jan 21 14:56:20 host.example.org realmd[25796]:  * Updated existing computer account: CN=host,DC=org
Jan 21 14:56:20 host.example.org realmd[25796]:  * Discovered which keytab salt to use
Jan 21 14:56:20 host.example.org realmd[25796]:  * Added the entries to the keytab: HOST$@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:20 host.example.org realmd[25796]:  * Added the entries to the keytab: HOST/HOST@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:20 host.example.org realmd[25796]:  * Added the entries to the keytab: HOST/host.example.org@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:21 host.example.org realmd[25796]:  * Added the entries to the keytab: RestrictedKrbHost/HOST@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:21 host.example.org realmd[25796]:  * Added the entries to the keytab: RestrictedKrbHost/host.example.org@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:21 host.example.org realmd[25796]: process exited: 25879
Jan 21 14:56:21 host.example.org realmd[25796]:  * /usr/bin/systemctl enable sssd.service
Jan 21 14:56:21 host.example.org realmd[25796]: process started: 25880
Jan 21 14:56:21 host.example.org realmd[25796]: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Jan 21 14:56:21 host.example.org realmd[25796]: process exited: 25880
Jan 21 14:56:21 host.example.org realmd[25796]:  * /usr/bin/systemctl restart sssd.service
Jan 21 14:56:21 host.example.org realmd[25796]: process started: 25894
Jan 21 14:56:22 host.example.org realmd[25796]: process exited: 25894
Jan 21 14:56:22 host.example.org realmd[25796]:  * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.se
Jan 21 14:56:22 host.example.org realmd[25796]: process started: 25901
Jan 21 14:56:23 host.example.org realmd[25796]: process exited: 25901
Jan 21 14:56:23 host.example.org realmd[25796]:  * Successfully enrolled machine in realm
Jan 21 14:56:23 host.example.org realmd[25796]: released daemon: current-invocation
Jan 21 14:56:23 host.example.org realmd[25796]: client gone away: :1.3100
Jan 21 14:56:23 host.example.org realmd[25796]: released daemon: :1.3100
Jan 21 14:57:23 host.example.org realmd[25796]: quitting realmd service after timeout
Jan 21 14:57:23 host.example.org realmd[25796]: stopping service

净广告的净化输出-P状态：

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: host
distinguishedName: CN=host,DC=org
instanceType: 4
whenCreated: 2012
whenChanged: 2016
uSNCreated: 1687590
memberOf: CN=group,OU=groups,DC=org
uSNChanged: 1212121212
name: host
objectGUID: x
userAccountControl: 6
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 1
lastLogoff: 0
lastLogon: 1
localPolicyFlags: 0
pwdLastSet: 1
primaryGroupID: 600
objectSid: S-1-5-21
accountExpires: 9
logonCount: 1
sAMAccountName: HOST$
sAMAccountType: 8
dNSHostName: host.ad.example.org
servicePrincipalName: RestrictedKrbHost/HOST
servicePrincipalName: RestrictedKrbHost/host.ad.example.org
servicePrincipalName: HOST/host.ad.example.org
servicePrincipalName: HOST/HOST
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=org
isCriticalSystemObject: FALSE
dSCorePropagationData: 2
dSCorePropagationData: 3
dSCorePropagationData: 4
dSCorePropagationData: 5
dSCorePropagationData: 6
lastLogonTimestamp: 1