Centos
Why does sssd break the PTR record of a CentOS box joined to AD
I have a CentOS 7 box joined to an AD domain, call it centosbox. Whenever SSSD starts, it updates the DNS records, which is fine by me, except that it breaks the PTR record by making it point to just "centosbox." instead of "centosbox.my.domain.ext.", which breaks a lot of kerberos-related things because reverse DNS is now broken. The output of hostname on this box is:

# hostname -f
centosbox.my.domain.ext

How can I get it to register the correct value for the PTR record?
sssd.conf:
[sssd]
domains = my.domain.ext
config_file_version = 2
services = nss, pam, sudo

[domain/my.domain.ext]
ad_domain = my.domain.ext
krb5_realm = MY.DOMAIN.EXT
realmd_tags = joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
sudo_provider = ldap
ldap_uri = ldap://my.domain.ext
ldap_tls_cacert = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
ldap_group_search_base = DC=my,DC=domain,DC=ext
ldap_sudo_search_base = OU=sudoers,DC=my,DC=domain,DC=ext
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CENTOSBOX$@MY.DOMAIN.EXT

[sudo]
krb5.conf:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = true
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = MY.DOMAIN.EXT

[realms]
 MY.DOMAIN.EXT = {
 }

[domain_realm]
 my.domain.ext = MY.DOMAIN.EXT
 .my.domain.ext = MY.DOMAIN.EXT
Additional info:
The sssd ldap_child.log file contains a lot of:
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2245]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2246]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:01:40 2018) [[sssd[ldap_child[2247]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2256]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2257]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
(Mon Jun 18 21:02:51 2018) [[sssd[ldap_child[2258]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/centosbox.my.domain.ext@MY.DOMAIN.EXT' not found in Kerberos database
OK, this is blatantly wrong, because:
[root@centosbox sssd]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 centosbox$@MY.DOMAIN.EXT (arcfour-hmac)
   4 centosbox$@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
   4 centosbox$@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
   4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (arcfour-hmac)
   4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
   4 host/centosbox.my.domain.ext@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
   4 host/centosbox@MY.DOMAIN.EXT (arcfour-hmac)
   4 host/centosbox@MY.DOMAIN.EXT (aes128-cts-hmac-sha1-96)
   4 host/centosbox@MY.DOMAIN.EXT (aes256-cts-hmac-sha1-96)
What is going on here?
I suspect you have run into the Red Hat recommendation that requires the hostname to be set to the FQDN: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-configure_host_names
SSSD seems to require the FQDN to be returned by the hostname function without the -f flag.
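As an added example, not part of the question or the answer above: a small POSIX shell script that checks the two things this thread turns on, whether plain hostname already returns the FQDN the answer says SSSD needs, and whether a PTR target is the correct FQDN, a bare label like the "centosbox." the question describes, or some other name entirely. The names centosbox.my.domain.ext and the sample PTR values are constructed from the thread; the --check mode, the use of dig, and the hostnamectl suggestion are my own assumptions about the tools on the box.

```shell
#!/bin/sh
# Added example (not from the original thread). Pure helpers first, so the
# classification logic can be exercised with constructed input; the live
# checks at the bottom run only when the script is invoked with --check.

# strip_trailing_dot NAME: prints NAME with one trailing DNS dot removed,
# so "centosbox.my.domain.ext." and "centosbox.my.domain.ext" compare equal.
strip_trailing_dot() {
    printf '%s\n' "${1%.}"
}

# is_fqdn NAME: succeeds when the normalised name contains at least one
# dot, i.e. it is "centosbox.my.domain.ext" rather than the bare label
# "centosbox" (with or without the trailing dot SSSD writes into DNS).
is_fqdn() {
    n=$(strip_trailing_dot "$1")
    case "$n" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ptr_matches EXPECTED_FQDN PTR_TARGET: succeeds when the PTR target,
# after trailing-dot removal and case folding, equals the expected FQDN.
ptr_matches() {
    exp=$(strip_trailing_dot "$1" | tr 'A-Z' 'a-z')
    got=$(strip_trailing_dot "$2" | tr 'A-Z' 'a-z')
    [ "$exp" = "$got" ]
}

# classify_ptr EXPECTED_FQDN PTR_TARGET: prints one of
#   ok          PTR points at the expected FQDN
#   bare-label  PTR points at a short name such as "centosbox." (the
#               symptom in the question: reverse DNS no longer yields the
#               FQDN, so host/<fqdn> Kerberos lookups fail)
#   mismatch    PTR points at a different fully qualified name
#   missing     no PTR target at all
classify_ptr() {
    if [ -z "$2" ]; then
        echo missing
    elif ptr_matches "$1" "$2"; then
        echo ok
    elif is_fqdn "$2"; then
        echo mismatch
    else
        echo bare-label
    fi
}

# check_local_hostname: the answer's point is that SSSD takes the name from
# plain "hostname", so that output must already be the FQDN and must agree
# with "hostname -f". Suggests hostnamectl (assumed present) if it does not.
check_local_hostname() {
    short=$(hostname 2>/dev/null)
    full=$(hostname -f 2>/dev/null)
    if [ -n "$short" ] && [ "$short" = "$full" ] && is_fqdn "$short"; then
        echo "hostname already returns the FQDN: $short"
        return 0
    fi
    echo "hostname ($short) is not the FQDN ($full); fix with: hostnamectl set-hostname $full" >&2
    return 1
}

# live_ptr_check ADDR EXPECTED_FQDN: looks up the PTR for ADDR with dig
# (assumed installed) and classifies it; returns 2 when dig is missing.
live_ptr_check() {
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not found; skipping live PTR check" >&2
        return 2
    fi
    target=$(dig +short -x "$1" | head -n 1)
    echo "PTR for $1 -> ${target:-<none>}: $(classify_ptr "$2" "$target")"
}

# Usage: sh ptrcheck.sh --check [ADDRESS]
if [ "${1:-}" = "--check" ]; then
    check_local_hostname
    if [ -n "${2:-}" ]; then
        live_ptr_check "$2" "$(hostname -f 2>/dev/null)"
    fi
fi
```

Run it with --check on the box itself to compare hostname with hostname -f, and pass the box's IP address as a second argument to have dig fetch the live PTR and classify it. As a caveat for hosts whose system hostname cannot be changed, the sssd-ad(5) man page also documents an ad_hostname option for machines where the hostname does not reflect the fully qualified name used in AD; the thread itself does not mention it, so verify it against your SSSD version before relying on it.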