active-directory – Cannot join a domain with the samba tool net or with realm / sssd

On an RHEL 7 server I am trying to join the server to the domain, but I run into the following failure:

    net ads join -S domain.example.org -U name
    Enter name's password:
    Failed to join domain: failed to set machine kerberos encryption types: Insufficient access

The settings relating to pam, krb5, samba, dns and the objects on the remote Active Directory server are configured correctly, meaning that the same system binds successfully with rhel6 and ubuntu 14.04. I cannot find any more information about the specific error I am getting. I tried setting allow_weak_crypto = true in krb5.conf just to see whether it was related, but it had no effect. I followed some of the troubleshooting tips at https://technet.microsoft.com/en-us/library/bb463167.aspx, without luck; the things I tried there appear to work fine. Specifically, I can do the following, meaning I can obtain initial credentials for the user name:

    kinit name
    Password for name@domain.example.org:

I can also generate a keytab file with ktutil, and when I move it to /etc/krb5.keytab, klist -e shows the correct contents. But net ads join still fails.

Edit: after checking the rhel7 samba source package, I found the following in README.dc:

I suspect this may be the problem and that I will have to wait until it is ready.

Edit2: Using realm and sssd seems to have the same problem. After doing:

    realm -v join --user=example ad.example.org

I see the following error:

     * LANG=C /usr/sbin/adcli join --verbose --domain ad.example.org --domain-realm AD.EXAMPLE.ORG --domain-controller 192.0.2.11 --login-type user --login-user example --stdin-password
     ! Insufficient permissions to set encryption types on computer account: CN=example,OU=w,OU=x,DC=ad,DC=example,DC=org: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Note that this works on rhel6. I also have no rights to change the AD server or my account there. The rhel version is 7.2, and the versions of the relevant packages are as follows:

    Name : realmd            Version : 0.16.1
    Name : adcli             Version : 0.7.5
    Name : krb5-workstation  Version : 1.13.2
    Name : samba-common      Version : 4.2.3

Sanitized output of journalctl -e SYSLOG_IDENTIFIER=realmd:

    Jan 21 14:56:20 host.example.org realmd[25796]: * Using domain name: example.org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using computer account name: HOST
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using domain realm: example.org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Calculated computer account name from fqdn: HOST
    Jan 21 14:56:20 host.example.org realmd[25796]: * Generated 120 character computer password
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using keytab: FILE:/etc/krb5.keytab
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using fully qualified name: host.example.org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using domain name: example.org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using computer account name: HOST
    Jan 21 14:56:20 host.example.org realmd[25796]: * Using domain realm: example.org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Looked up short domain name: AD
    Jan 21 14:56:20 host.example.org realmd[25796]: * Found computer account for HOST$ at: CN=host,DC=org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Set computer password
    Jan 21 14:56:20 host.example.org realmd[25796]: * Retrieved kvno '87' for computer account in directory: CN=host,DC=org
    Jan 21 14:56:20 host.example.org realmd[25796]: ! Insufficient permissions to set encryption types on computer account: CN=host,
    Jan 21 14:56:20 host.example.org realmd[25796]: * Modifying computer account: userAccountControl
    Jan 21 14:56:20 host.example.org realmd[25796]: * Modifying computer account: operatingSystem,operatingSystemVersion,operatingSystemServicePack
    Jan 21 14:56:20 host.example.org realmd[25796]: ! Couldn't set operatingSystem,operatingSystemServicePack on computer account: CN=host,DC=org: Insufficient access
    Jan 21 14:56:20 host.example.org realmd[25796]: * Updated existing computer account: CN=host,DC=org
    Jan 21 14:56:20 host.example.org realmd[25796]: * Discovered which keytab salt to use
    Jan 21 14:56:20 host.example.org realmd[25796]: * Added the entries to the keytab: HOST$@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
    Jan 21 14:56:20 host.example.org realmd[25796]: * Added the entries to the keytab: HOST/HOST@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
    Jan 21 14:56:20 host.example.org realmd[25796]: * Added the entries to the keytab: HOST/host.example.org@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
    Jan 21 14:56:21 host.example.org realmd[25796]: * Added the entries to the keytab: RestrictedKrbHost/HOST@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
    Jan 21 14:56:21 host.example.org realmd[25796]: * Added the entries to the keytab: RestrictedKrbHost/host.example.org@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
    Jan 21 14:56:21 host.example.org realmd[25796]: process exited: 25879
    Jan 21 14:56:21 host.example.org realmd[25796]: * /usr/bin/systemctl enable sssd.service
    Jan 21 14:56:21 host.example.org realmd[25796]: process started: 25880
    Jan 21 14:56:21 host.example.org realmd[25796]: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
    Jan 21 14:56:21 host.example.org realmd[25796]: process exited: 25880
    Jan 21 14:56:21 host.example.org realmd[25796]: * /usr/bin/systemctl restart sssd.service
    Jan 21 14:56:21 host.example.org realmd[25796]: process started: 25894
    Jan 21 14:56:22 host.example.org realmd[25796]: process exited: 25894
    Jan 21 14:56:22 host.example.org realmd[25796]: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.se
    Jan 21 14:56:22 host.example.org realmd[25796]: process started: 25901
    Jan 21 14:56:23 host.example.org realmd[25796]: process exited: 25901
    Jan 21 14:56:23 host.example.org realmd[25796]: * Successfully enrolled machine in realm
    Jan 21 14:56:23 host.example.org realmd[25796]: released daemon: current-invocation
    Jan 21 14:56:23 host.example.org realmd[25796]: client gone away: :1.3100
    Jan 21 14:56:23 host.example.org realmd[25796]: released daemon: :1.3100
    Jan 21 14:57:23 host.example.org realmd[25796]: quitting realmd service after timeout
    Jan 21 14:57:23 host.example.org realmd[25796]: stopping service

Sanitized output of net ads -P status:

    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: host
    distinguishedName: CN=host,DC=org
    instanceType: 4
    whenCreated: 2012
    whenChanged: 2016
    uSNCreated: 1687590
    memberOf: CN=group,OU=groups,DC=org
    uSNChanged: 1212121212
    name: host
    objectGUID: x
    userAccountControl: 6
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 1
    lastLogoff: 0
    lastLogon: 1
    localPolicyFlags: 0
    pwdLastSet: 1
    primaryGroupID: 600
    objectSid: S-1-5-21
    accountExpires: 9
    logonCount: 1
    sAMAccountName: HOST$
    sAMAccountType: 8
    dNSHostName: host.ad.example.org
    servicePrincipalName: RestrictedKrbHost/HOST
    servicePrincipalName: RestrictedKrbHost/host.ad.example.org
    servicePrincipalName: HOST/host.ad.example.org
    servicePrincipalName: HOST/HOST
    objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=org
    isCriticalSystemObject: FALSE
    dSCorePropagationData: 2
    dSCorePropagationData: 3
    dSCorePropagationData: 4
    dSCorePropagationData: 5
    dSCorePropagationData: 6
    lastLogonTimestamp: 1

Solution
Why are you using net? You should use samba-tool to join the domain:

    samba-tool domain join domain.example.org DC -Uadministrator --realm=domain.example.org

Apart from shares and a few other things, net is no longer used with samba 4. Don't mess with the kerberos encryption settings.
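As an added example (not part of the question or the answer above), the following Python script triages a verbose realmd/adcli join log of the kind posted in Edit2. It separates the "!" lines (steps that failed) from the "*" progress lines, records which computer-object attributes the join account was not allowed to write, decodes the DC's error code, lists the keytab principals that were still written, and reports whether enrollment completed. In the posted log the two denied writes are followed by five keytab entries and "Successfully enrolled machine in realm", so the realm/adcli path treats the denied encryption-types write as a skipped step, whereas net ads join reports the same denial as fatal. The sample log lines are constructed to mirror the question's sanitized output (the DN is invented); mapping the "encryption types" step to the msDS-SupportedEncryptionTypes attribute is an assumption about adcli behaviour that the post itself does not state, and 0x2098 = 8344 is decoded as ERROR_DS_INSUFF_ACCESS_RIGHTS.

```python
"""Triage a verbose realmd/adcli join log (added example, not from the post)."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of the question's sanitized
# 'journalctl -e SYSLOG_IDENTIFIER=realmd' output; the DN is invented.
SAMPLE_LOG = """\
Jan 21 14:56:20 host.example.org realmd[25796]: * Found computer account for HOST$ at: CN=host,OU=w,DC=ad,DC=example,DC=org
Jan 21 14:56:20 host.example.org realmd[25796]: * Set computer password
Jan 21 14:56:20 host.example.org realmd[25796]: ! Insufficient permissions to set encryption types on computer account: CN=host,OU=w,DC=ad,DC=example,DC=org: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Jan 21 14:56:20 host.example.org realmd[25796]: * Modifying computer account: userAccountControl
Jan 21 14:56:20 host.example.org realmd[25796]: ! Couldn't set operatingSystem,operatingSystemServicePack on computer account: CN=host,OU=w,DC=ad,DC=example,DC=org: Insufficient access
Jan 21 14:56:20 host.example.org realmd[25796]: * Added the entries to the keytab: HOST$@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:20 host.example.org realmd[25796]: * Added the entries to the keytab: HOST/HOST@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:20 host.example.org realmd[25796]: * Added the entries to the keytab: HOST/host.example.org@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:21 host.example.org realmd[25796]: * Added the entries to the keytab: RestrictedKrbHost/HOST@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:21 host.example.org realmd[25796]: * Added the entries to the keytab: RestrictedKrbHost/host.example.org@AD.EXAMPLE.ORG: FILE:/etc/krb5.keytab
Jan 21 14:56:23 host.example.org realmd[25796]: * Successfully enrolled machine in realm
"""

JOURNAL_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ realmd\[\d+\]: (?P<body>.*)$")
FOUND_RE = re.compile(r"^Found computer account for (?P<sam>\S+) at: (?P<dn>.*)$")
KEYTAB_RE = re.compile(r"^Added the entries to the keytab: (?P<princ>\S+): FILE:(?P<path>\S+)$")
ENC_FAIL_RE = re.compile(r"^Insufficient permissions to set encryption types on computer account: (?P<dn>.*?): (?P<reason>.*)$")
ATTR_FAIL_RE = re.compile(r"^Couldn't set (?P<attrs>\S+) on computer account: (?P<dn>.*?): (?P<reason>.*)$")
LDAP_PROBLEM_RE = re.compile(r"problem \d+ \((?P<name>[A-Z_]+)\)")
DS_CODE_RE = re.compile(r"^(?P<hex>[0-9A-Fa-f]{8}):")

# Assumption (adcli behaviour, not stated in the post): the "encryption types"
# step is a write to the computer object's msDS-SupportedEncryptionTypes.
ENC_ATTR = "msDS-SupportedEncryptionTypes"


@dataclass
class DeniedWrite:
    attrs: list        # attributes the join account could not write
    dn: str            # computer object the write targeted
    reason: str        # raw error text relayed by adcli
    ldap_problem: str  # e.g. INSUFF_ACCESS_RIGHTS, "" if the DC gave no LDAP code
    ds_error: int      # Windows DS error code; 8344 (0x2098) = ERROR_DS_INSUFF_ACCESS_RIGHTS


@dataclass
class JoinReport:
    sam_account: str = ""
    computer_dn: str = ""
    denied: list = field(default_factory=list)
    keytab_principals: list = field(default_factory=list)
    keytab_path: str = ""
    enrolled: bool = False

    def denied_attributes(self):
        return sorted({a for d in self.denied for a in d.attrs})

    def verdict(self):
        if not self.enrolled:
            return "FAILED"
        return "ENROLLED_WITH_DENIED_WRITES" if self.denied else "ENROLLED"


def parse_realmd_log(text):
    rep = JoinReport()
    for raw in text.splitlines():
        m = JOURNAL_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        if body.startswith("* "):              # progress step
            msg = body[2:]
            found, keytab = FOUND_RE.match(msg), KEYTAB_RE.match(msg)
            if found:
                rep.sam_account, rep.computer_dn = found.group("sam"), found.group("dn")
            elif keytab:
                rep.keytab_principals.append(keytab.group("princ"))
                rep.keytab_path = keytab.group("path")
            elif msg == "Successfully enrolled machine in realm":
                rep.enrolled = True
        elif body.startswith("! "):            # a step that failed but did not abort the join
            msg = body[2:]
            enc, attr = ENC_FAIL_RE.match(msg), ATTR_FAIL_RE.match(msg)
            if enc:
                attrs, dn, reason = [ENC_ATTR], enc.group("dn"), enc.group("reason")
            elif attr:
                attrs, dn, reason = attr.group("attrs").split(","), attr.group("dn"), attr.group("reason")
            else:
                attrs, dn, reason = ["<unparsed>"], rep.computer_dn, msg
            prob = LDAP_PROBLEM_RE.search(reason)
            code = DS_CODE_RE.match(reason)
            rep.denied.append(DeniedWrite(attrs, dn, reason,
                                          prob.group("name") if prob else "",
                                          int(code.group("hex"), 16) if code else 0))
    return rep


def summarize(rep):
    lines = ["verdict: %s" % rep.verdict(),
             "computer: %s (%s)" % (rep.sam_account or "?", rep.computer_dn or "?")]
    for d in rep.denied:
        lines.append("denied write: %s on %s [%s ds=%d]"
                     % (",".join(d.attrs), d.dn, d.ldap_problem or "-", d.ds_error))
    lines.append("keytab %s: %d principal(s)" % (rep.keytab_path or "-", len(rep.keytab_principals)))
    return lines


if __name__ == "__main__":
    # Pipe real output in (journalctl -e SYSLOG_IDENTIFIER=realmd | python3 this.py)
    # or run without input to triage the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(summarize(parse_realmd_log(text))))
```

The verdict tells you whether the join is usable despite the "!" lines: with ENROLLED_WITH_DENIED_WRITES, the keys were written, so confirm them with klist -kte /etc/krb5.keytab and a machine-account kinit -k -t /etc/krb5.keytab 'HOST$@AD.EXAMPLE.ORG'; the denied attributes are the ones the join account needs write permission on in the computer object's ACL, which is what an AD administrator would have to grant, since the asker cannot change the account or the server.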