Centos
CentOS 7 Kerberos auth: Improper format of Kerberos configuration file
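I am setting up Squid 4.0 as an explicit proxy with group-based AD authentication against an Active Directory domain (Server 2012 R2), with SSL bumping, on a minimal CentOS 7 (64-bit) install. The domain join with `authconfig-tui` was pretty rough, but I managed to get it basically configured so that AD users can authenticate over SSH, and the Squid proxy works with authentication turned off. But `kinit` fails:

```
[root@tc-icap squid]# kinit
kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
```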
After adding debug logging to Squid and attempting to authenticate with a domain-joined client, I see this in Squid's `cache.log`:

```
2016/03/02 11:12:56.151| Starting new negotiateauthenticator helpers...
2016/03/02 11:12:56.151| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes
2016/03/02 11:12:56| negotiate_kerberos_auth: ERROR: krb5_init_context: Improper format of Kerberos configuration file
2016/03/02 11:12:56| negotiate_kerberos_auth: ERROR: krb5_init_context: Improper format of Kerberos configuration file
2016/03/02 11:12:56.151| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_acquire_cred() failed: An invalid name was supplied. Improper format of Kerberos configuration file; }}
2016/03/02 11:12:56.169| 11,5| HttpRequest.cc(473) detailError: current error details: 2/0
```
I really can't find what is wrong with my `/etc/krb5.conf` file. How should I proceed?
`krb5.conf`:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = yes
 dns_lookup_kdc = yes
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = LAB.COMPANYDOMAIN.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LAB.COMPANYDOMAIN.COM {
  kdc = TC-DC1.LAB.COMPANYDOMAIN.COM
  kdc = TC-DC2.LAB.COMPANYDOMAIN.COM
  admin_server = TC-DC1.LAB.COMPANYDOMAIN.COM
  default_domain = lab.companydomain.com
 }

[domain_realm]
 .lab.companydomain.com = LAB.COMPANYDOMAIN.COM
 lab.companydomain.com = LAB.COMPANYDOMAIN.COM
```
`squid.conf`:

```
# Squid 4 Explicit Proxy Configuration File
#
# Goals:
# 1. Install Minimal CentOS 7 VM to host Squid
# 2. Configure Squid for explicit proxying with the following features:
#    a. ICAP (Content Adaptation) integration with CA Data Protection 15.0
#    b. SSL Bumping (Peek and Splice -- Most recent and flexible configuration)
#    c. Active Directory / LDAP Authentication and filtering rules
#    d. User information pass-through to ICAP Agent (for mapping policy to authenticated users)
#    e. Attempt content blocking / data in motion capture
# 3. Test functionality of intercepting Outlook Anywhere connectivity (without breaking clients.)
# 4. AD Group based access control and possibly blacklisting
# 5. Integration with Windows Certificate Authority services to generate certs/key requests
# 6. Kerberos / WINBIND authentication if AD/LDAP doesn't work. (kinit/keychain issues currently)
#
# Nice to haves:
# 1. ECAP (Encrypted ICAP support.) Squid has this, ICAP Agent does not.
# 2. Debug why ICAP URI's fail with DNS entries instead of IP address
# 3. Test fail open / closed configurations
# 4. Experiment with transparent proxying of traffic (avoid end user proxy configuration)
# 5. ICAP Content Adaptation Chain (Squeeze ClamAV in before or after DataProtection agent)
# 6. Automated auto-configuration deployment
# 7. Inject custom web X-Headers, check if headers are available as XML Data Lookups in Data Protection
#
# Reminder:
# 1. Check and reload configuration changes in Squid without restarting via:
#      squid -k check
#      squid -k reconfigure

# Debug logging: (very noisy!)
debug_options ALL,1 11,6

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl localnet src 25.0.0.0/8             # Hamachi local subnet (when installed)

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Enable Kerberos authentication, basic LDAP auth as fallback, block anonymous
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/TC-ICAP.LAB.companydomain.com@LAB.COMPANYDOMAIN.COM #???
auth_param negotiate children 10 startup=0 idle=1
auth_param negotiate keep_alive off
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=lab,dc=companydomain,dc=com" -D squidproxy@lab.companydomain.com -w Welcome1 -f (|(userPrincipalName=%s)(sAMAccountName=%s)) -h tc-dc1.lab.companydomain.com
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
acl auth proxy_auth REQUIRED

# Recommended minimum Access Permission configuration:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny !auth
http_access allow auth
http_access deny all
http_access allow localnet
http_access allow localhost

#
# Squid/DataProtection ACL's, ICAP Directives, Bumping cert directives
#
httpd_suppress_version_string on
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/squid/ssl_cert/ssl_db -M 12MB
sslcrtd_children 10
acl HTTP proto HTTP
always_direct allow all
#ssl_bump server-first all
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_cert_error allow all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_preview_enable off
icap_preview_size -1
icap_persistent_connections on
#icap_client_username_encode on
#icap_client_username_header X-Authenticated-User

# BK - Let us try using the IP address instead of DNS entries
icap_service sreq reqmod_precache icap://10.1.1.52:1344/reqmod
icap_service sresp respmod_precache icap://10.1.1.52:1344/respmod
adaptation_service_set aclreq sreq
adaptation_service_set aclresp sresp
adaptation_access aclreq allow all
adaptation_access aclresp allow all

# Deny requests that are not covered in above ACLs
http_access deny all

# The magic happens here:
# Directives: ssl-bump, generate dynamic certs, point to cert, path to sslcrtd??????
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=12MB cert=/etc/squid/ssl_cert/myCA.pem
#http_port 3128 # This is the default
coredump_dir /var/spool/squid

# Note: Default refresh patterns below. Research these later for other protocols?
refresh_pattern ^ftp:            1440  20%  10080
refresh_pattern ^gopher:         1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?)   0   0%      0
refresh_pattern .                   0  20%   4320
```
`sssd.conf`:

```
[sssd]
domains = LAB.companydomain.com
config_file_version = 2
services = nss, pam

[domain/LAB.companydomain.com]
ad_domain = LAB.companydomain.com
krb5_realm = LAB.COMPANYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
```
`realm list` and `net ads info`:

```
[root@tc-icap squid]# net ads info
LDAP server: 10.1.1.20
LDAP server name: TC-DC1.LAB.companydomain.com
Realm: LAB.COMPANYDOMAIN.COM
Bind Path: dc=LAB,dc=COMPANYDOMAIN,dc=COM
LDAP port: 389
Server time: Wed, 02 Mar 2016 11:43:10 EST
KDC server: 10.1.1.20
Server time offset: 0

[root@tc-icap squid]# realm list
LAB.companydomain.com
  type: kerberos
  realm-name: LAB.COMPANYDOMAIN.COM
  domain-name: lab.companydomain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-realm-logins
```
*Edit:* I ran `strace kinit`, hoping to find more information about why Krb5 considers the file invalid.
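After several hours, many different sets of eyes, a dozen rebuilds and rejoins, the #samba freenode channel and hard liquor, I found the solution.

It turns out that whatever tool was associated with the join was omitting the `=` in reference to `[realm]`. The latter half of this problem was due to `sssd-libwbclient` conflicting with things in CentOS 7.2. Doing a `yum remove sssd-libwbclient` fixed it, and `wbinfo` now successfully returns what it should. Relevant Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1175511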
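
The following check is an added example, not part of the original question or answer: a small Python linter that points at the line where a `krb5.conf` subsection is opened without `=`, the defect the answer describes, and also reports unbalanced braces. The function name `lint_krb5_conf` and the sample text (trimmed from the file in the question) are assumptions of this example, and it covers only the basic section, relation and subsection syntax.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]\*?$")          # [realms]
RELATION = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")    # tag = value  /  tag = {


def lint_krb5_conf(text):
    """Return a list of (line_number, message) for structural problems."""
    problems = []
    section = None
    open_braces = []  # line numbers of subsections that are still open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith(("include ", "includedir ")):
            continue  # include directives are not relations
        m = SECTION.match(line)
        if m:
            for opened in open_braces:
                problems.append((opened, "subsection opened here is never closed"))
            open_braces = []
            section = m.group(1)
            continue
        if line in ("}", "}*"):
            if open_braces:
                open_braces.pop()
            else:
                problems.append((lineno, "'}' without a matching 'tag = {'"))
            continue
        if section is None:
            problems.append((lineno, "relation outside of any [section]"))
            continue
        m = RELATION.match(line)
        if m is None:
            if line.endswith("{"):
                tag = line[:-1].strip()
                problems.append(
                    (lineno, f"subsection '{tag}' is missing '=' before '{{'"))
                open_braces.append(lineno)  # keep brace tracking in step
            else:
                problems.append((lineno, "expected 'tag = value'"))
            continue
        if m.group(2) == "{":
            open_braces.append(lineno)
    for opened in open_braces:
        problems.append((opened, "subsection opened here is never closed"))
    return problems


# Sample input constructed from the krb5.conf shown in the question (trimmed).
BROKEN = """\
[libdefaults]
 default_realm = LAB.COMPANYDOMAIN.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LAB.COMPANYDOMAIN.COM {
  kdc = TC-DC1.LAB.COMPANYDOMAIN.COM
  admin_server = TC-DC1.LAB.COMPANYDOMAIN.COM
 }
"""
FIXED = BROKEN.replace("LAB.COMPANYDOMAIN.COM {", "LAB.COMPANYDOMAIN.COM = {")

if __name__ == "__main__":
    for lineno, message in lint_krb5_conf(BROKEN):
        print(f"line {lineno}: {message}")
```

Running the same function over `/etc/krb5.conf` after a domain join gives a line number to look at, which the library's "Improper format" message does not.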