Active-Directory

Samba4 網路加入成員失敗

  • September 19, 2014

我正在嘗試使用 samba4 將 RHEL6 伺服器加入域。網路廣告加入工作正常,但加入會員卻不行。實際上 wbinfo –getdcname 不像 wbinfo –dsgetdcname 那樣工作。

如果可以闡明這些命令之間的區別,那將非常有幫助。

加入在 Samba3 上成功並按預期工作,但嵌套組除外

[root@sent-test-smg2 - (11:51:01) samba]#  net join member -U smg
Enter smg's password:
Failed to join domain: failed to find DC for domain member
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain SENT
Unable to find a suitable server for domain SENT

[root@sent-test-smg2 - (11:52:29) samba]#  net ads info
LDAP server: 10.74.160.8
LDAP server name: SENTVMDC2.Sent.local
Realm: SENT.LOCAL
Bind Path: dc=SENT,dc=LOCAL
LDAP port: 389
Server time: Fri, 04 Jul 2014 11:57:49 IST
KDC server: 10.74.160.8
Server time offset: 0

[root@sent-test-smg2 - (11:57:49) samba]#  wbinfo --online-status
BUILTIN : online
SENT-TEST-SMG2 : online
SENT : offline

[root@sent-test-smg2 - (11:59:28) samba]#  wbinfo --getdcname=SENT.LOCAL
Could not get dc name for SENT.LOCAL

[root@sent-test-smg2 - (11:59:42) samba]#  wbinfo -P
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

[root@sent-test-smg2 - (12:02:02) samba]#  wbinfo --dsgetdcname=sent.local
SENTVMDC2.Sent.local
\\10.74.160.8
1
f170eb24-d9f3-44cb-b622-02765ed83ed7
Sent.local
Sent.local
0xe00031fc
Ballycoolin
Ballycoolin

[root@sent-test-smg2 - (12:02:22) samba]#  wbinfo --getdcname=sent.local
Could not get dc name for sent.local

smb.conf:

[global]
  workgroup = SENT
  password server = *
  realm = SENT.LOCAL
  security = ads
  idmap config * : range = 10000-50000000
  winbind separator = +
  template homedir = /home/domain/%U
  template shell = /bin/bash
  winbind use default domain = true
  winbind offline logon = false
  preferred master = no
  allow trusted domains = no
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind nested groups = Yes
  winbind expand groups = 10000
  server string = Linux Server
  interfaces = eth0
  bind interfaces only = yes
  strict locking = no
  wins server = 192.168.0.6
  idmap cache time = 1
  idmap negative cache time = 1
  winbind cache time = 1   
  idmap config * : range = 10000-50000000
  idmap config * : backend = rid
  idmap config SENT : range = 10000-50000000
  idmap config SENT : default = yes 
  idmap config SENT : backend = rid

krb.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SENT.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SENT.LOCAL = {
 kdc = 192.168.0.6:88
 admin_server = 192.168.0.6:749
 kdc = *
}

[domain_realm]
SENT.LOCAL = SENT.LOCAL
.SENT.LOCAL = SENT.LOCAL

sent.local = SENT.LOCAL
.sent.local = SENT.LOCAL

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

從 10 處調試的 winbind 日誌文件:

[2014/07/04 12:23:38.900108,  1, pid=12682, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
      wbint_PingDc: struct wbint_PingDc
         out: struct wbint_PingDc
             dcname                   : *
                 dcname                   : NULL
             result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.900835, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:712(wb_request_done)
 wb_request_done[12705:PING_DC]: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.901001, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
 winbind_client_response_written[12705:PING_DC]: delivered response to client
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

然而後來似乎很清楚地知道 DC 在哪裡:

[2014/07/04 12:23:39.044514,  9, pid=12707, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
 check_negative_conn_cache returning result 0 for domain SENT.LOCAL server 10.74.160.8
[2014/07/04 12:23:39.044732,  5, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:270(ads_try_connect)
 ads_try_connect: sending CLDAP request to 10.74.160.8 (realm: SENT.LOCAL)
[2014/07/04 12:23:39.046454,  1, pid=12707, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:245(ndr_print_debug)
      &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
         command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
         sbz                      : 0x0000 (0)
         server_type              : 0x000031fc (12796)
                0: NBT_SERVER_PDC           
                1: NBT_SERVER_GC            
                1: NBT_SERVER_LDAP          
                1: NBT_SERVER_DS            
                1: NBT_SERVER_KDC           
                1: NBT_SERVER_TIMESERV      
                1: NBT_SERVER_CLOSEST       
                1: NBT_SERVER_WRITABLE      
                0: NBT_SERVER_GOOD_TIMESERV 
                0: NBT_SERVER_NDNC          
                0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
                1: NBT_SERVER_FULL_SECRET_DOMAIN_6
                1: NBT_SERVER_ADS_WEB_SERVICE
                0: NBT_SERVER_HAS_DNS_NAME  
                0: NBT_SERVER_IS_DEFAULT_NC 
                0: NBT_SERVER_FOREST_ROOT   
         domain_uuid              : f170eb24-d9f3-44cb-b622-02765ed83ed7
         forest                   : 'Sent.local'
         dns_domain               : 'Sent.local'
         pdc_dns_name             : 'SENTVMDC2.Sent.local'
         domain_name              : 'SENT'
         pdc_name                 : 'SENTVMDC2'
         user_name                : ''
         server_site              : 'Ballycoolin'
         client_site              : 'Ballycoolin'
         sockaddr_size            : 0x00 (0)
         sockaddr: struct nbt_sockaddr
             sockaddr_family          : 0x00000000 (0)
             pdc_ip                   : (null)
             remaining                : DATA_BLOB length=0
         next_closest_site        : NULL
         nt_version               : 0x00000005 (5)
                1: NETLOGON_NT_VERSION_1    
                0: NETLOGON_NT_VERSION_5    
                1: NETLOGON_NT_VERSION_5EX  
                0: NETLOGON_NT_VERSION_5EX_WITH_IP
                0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
                0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
                0: NETLOGON_NT_VERSION_PDC  
                0: NETLOGON_NT_VERSION_IP   
                0: NETLOGON_NT_VERSION_LOCAL
                0: NETLOGON_NT_VERSION_GC   
         lmnt_token               : 0xffff (65535)
         lm20_token               : 0xffff (65535)
[2014/07/04 12:23:39.049085, 10, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/sitename_cache.c:70(sitename_store)
 sitename_store: realm = [SENT], sitename = [Ballycoolin], expire = [2085923199]

對於它的價值,我只是遇到了同樣的問題,解決方案是 RHEL6 伺服器使用的 DNS 伺服器包含過時的資訊。區域中的資訊_msdcs.DOMAIN與目前設置不匹配,導致加入失敗。刷新所有 DNS 伺服器和本地 DNS 記憶體後,加入工作正常。它也可能會在 24 小時後自行解決,也就是記憶體時間。

引用自:https://serverfault.com/questions/610157