Active-Directory
Samba4 net join member fails
I am trying to join a RHEL6 server to the domain using samba4. net ads join works fine, but join member does not. In fact wbinfo --getdcname does not work, whereas wbinfo --dsgetdcname does.
It would be very helpful if someone could clarify the difference between these commands.
The join succeeds on Samba3 and works as expected, except for nested groups.
[root@sent-test-smg2 - (11:51:01) samba]# net join member -U smg
Enter smg's password:
Failed to join domain: failed to find DC for domain member
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain SENT
Unable to find a suitable server for domain SENT

[root@sent-test-smg2 - (11:52:29) samba]# net ads info
LDAP server: 10.74.160.8
LDAP server name: SENTVMDC2.Sent.local
Realm: SENT.LOCAL
Bind Path: dc=SENT,dc=LOCAL
LDAP port: 389
Server time: Fri, 04 Jul 2014 11:57:49 IST
KDC server: 10.74.160.8
Server time offset: 0

[root@sent-test-smg2 - (11:57:49) samba]# wbinfo --online-status
BUILTIN : online
SENT-TEST-SMG2 : online
SENT : offline

[root@sent-test-smg2 - (11:59:28) samba]# wbinfo --getdcname=SENT.LOCAL
Could not get dc name for SENT.LOCAL

[root@sent-test-smg2 - (11:59:42) samba]# wbinfo -P
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)

[root@sent-test-smg2 - (12:02:02) samba]# wbinfo --dsgetdcname=sent.local
SENTVMDC2.Sent.local
\\10.74.160.8
1
f170eb24-d9f3-44cb-b622-02765ed83ed7
Sent.local
Sent.local
0xe00031fc
Ballycoolin
Ballycoolin

[root@sent-test-smg2 - (12:02:22) samba]# wbinfo --getdcname=sent.local
Could not get dc name for sent.local
smb.conf:
[global]
workgroup = SENT
password server = *
realm = SENT.LOCAL
security = ads
idmap config * : range = 10000-50000000
winbind separator = +
template homedir = /home/domain/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
preferred master = no
allow trusted domains = no
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind expand groups = 10000
server string = Linux Server
interfaces = eth0
bind interfaces only = yes
strict locking = no
wins server = 192.168.0.6
idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1
idmap config * : range = 10000-50000000
idmap config * : backend = rid
idmap config SENT : range = 10000-50000000
idmap config SENT : default = yes
idmap config SENT : backend = rid
krb.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SENT.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SENT.LOCAL = {
  kdc = 192.168.0.6:88
  admin_server = 192.168.0.6:749
  kdc = *
}

[domain_realm]
SENT.LOCAL = SENT.LOCAL
.SENT.LOCAL = SENT.LOCAL
sent.local = SENT.LOCAL
.sent.local = SENT.LOCAL

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
winbind log file at debug level 10:
[2014/07/04 12:23:38.900108,  1, pid=12682, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       wbint_PingDc: struct wbint_PingDc
          out: struct wbint_PingDc
              dcname                   : *
                  dcname                   : NULL
              result                   : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.900835, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:712(wb_request_done)
  wb_request_done[12705:PING_DC]: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/07/04 12:23:38.901001, 10, pid=12682, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[12705:PING_DC]: delivered response to client
checking the NETLOGON dc connection to "" failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Yet later on it seems to know perfectly well where the DC is:
[2014/07/04 12:23:39.044514,  9, pid=12707, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
  check_negative_conn_cache returning result 0 for domain SENT.LOCAL server 10.74.160.8
[2014/07/04 12:23:39.044732,  5, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:270(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.74.160.8 (realm: SENT.LOCAL)
[2014/07/04 12:23:39.046454,  1, pid=12707, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:245(ndr_print_debug)
       &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
          command                  : LOGON_SAM_LOGON_RESPONSE_EX (23)
          sbz                      : 0x0000 (0)
          server_type              : 0x000031fc (12796)
                 0: NBT_SERVER_PDC
                 1: NBT_SERVER_GC
                 1: NBT_SERVER_LDAP
                 1: NBT_SERVER_DS
                 1: NBT_SERVER_KDC
                 1: NBT_SERVER_TIMESERV
                 1: NBT_SERVER_CLOSEST
                 1: NBT_SERVER_WRITABLE
                 0: NBT_SERVER_GOOD_TIMESERV
                 0: NBT_SERVER_NDNC
                 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
                 1: NBT_SERVER_FULL_SECRET_DOMAIN_6
                 1: NBT_SERVER_ADS_WEB_SERVICE
                 0: NBT_SERVER_HAS_DNS_NAME
                 0: NBT_SERVER_IS_DEFAULT_NC
                 0: NBT_SERVER_FOREST_ROOT
          domain_uuid              : f170eb24-d9f3-44cb-b622-02765ed83ed7
          forest                   : 'Sent.local'
          dns_domain               : 'Sent.local'
          pdc_dns_name             : 'SENTVMDC2.Sent.local'
          domain_name              : 'SENT'
          pdc_name                 : 'SENTVMDC2'
          user_name                : ''
          server_site              : 'Ballycoolin'
          client_site              : 'Ballycoolin'
          sockaddr_size            : 0x00 (0)
          sockaddr: struct nbt_sockaddr
              sockaddr_family          : 0x00000000 (0)
              pdc_ip                   : (null)
              remaining                : DATA_BLOB length=0
          next_closest_site        : NULL
          nt_version               : 0x00000005 (5)
                 1: NETLOGON_NT_VERSION_1
                 0: NETLOGON_NT_VERSION_5
                 1: NETLOGON_NT_VERSION_5EX
                 0: NETLOGON_NT_VERSION_5EX_WITH_IP
                 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
                 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
                 0: NETLOGON_NT_VERSION_PDC
                 0: NETLOGON_NT_VERSION_IP
                 0: NETLOGON_NT_VERSION_LOCAL
                 0: NETLOGON_NT_VERSION_GC
          lmnt_token               : 0xffff (65535)
          lm20_token               : 0xffff (65535)
[2014/07/04 12:23:39.049085, 10, pid=12707, effective(0, 0), real(0, 0)] ../source3/libads/sitename_cache.c:70(sitename_store)
  sitename_store: realm = [SENT], sitename = [Ballycoolin], expire = [2085923199]
For what it's worth, I just ran into the same problem, and the solution was that the DNS server used by the RHEL6 server contained stale information. The information in the _msdcs.DOMAIN zone did not match the current setup, which caused the join to fail. After flushing all DNS servers and the local DNS cache, the join worked fine. It may also resolve itself after 24 hours, which is the cache time.
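One way to check for the stale _msdcs records described in this answer, as an added example (not code from the original post): it parses `dig +short <name> SRV` output together with A-record lookups and reports advertised DCs that no longer resolve, whether the DC that answered CLDAP is advertised at all, and whether its A record disagrees with the IP it answered from. The record set, the `olddc.sent.local` hostname and the A-record table are constructed sample data, not from the page.

```python
import re

# Constructed sample data (not from the page): what
#   dig +short _ldap._tcp.dc._msdcs.sent.local SRV
# might return while a decommissioned DC is still advertised in _msdcs.
SAMPLE_SRV = """\
0 100 389 sentvmdc2.sent.local.
0 100 389 olddc.sent.local.
"""
# Constructed A-record lookups (hostname -> IP); olddc no longer resolves.
SAMPLE_A = {"sentvmdc2.sent.local": "10.74.160.8"}
# The DC that actually answered the CLDAP probe (pdc_dns_name / LDAP server
# in the winbind log and `net ads info` output above).
CLDAP_DC, CLDAP_IP = "SENTVMDC2.Sent.local", "10.74.160.8"

# "priority weight port target." as printed by dig +short for SRV records
SRV_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")


def parse_srv(text):
    """Parse dig +short SRV lines into (priority, weight, port, target)."""
    recs = []
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            recs.append((int(m[1]), int(m[2]), int(m[3]), m[4].lower()))
    return recs


def check_msdcs(srv_text, a_records, cldap_dc, cldap_ip):
    """Compare the DCs advertised in _msdcs with the DC that answered CLDAP.

    Returns a dict:
      stale       - advertised SRV targets with no A record (dead DCs)
      advertised  - True if the responding DC is in the SRV set at all
      ip_mismatch - True if the responding DC's A record differs from
                    the IP it answered CLDAP from
    """
    a_records = {h.lower().rstrip("."): ip for h, ip in a_records.items()}
    targets = {t for _, _, _, t in parse_srv(srv_text)}
    dc = cldap_dc.lower().rstrip(".")
    return {
        "stale": sorted(t for t in targets if t not in a_records),
        "advertised": dc in targets,
        "ip_mismatch": dc in a_records and a_records[dc] != cldap_ip,
    }


if __name__ == "__main__":
    print(check_msdcs(SAMPLE_SRV, SAMPLE_A, CLDAP_DC, CLDAP_IP))
```

On a real host, feed `check_msdcs` the output of `dig +short _ldap._tcp.dc._msdcs.<realm> SRV` (and the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<realm>` name) plus the A lookups for each target; any entry in `stale` is a record to purge from the _msdcs zone before retrying the join.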