NFS4 + Kerberos 自 5.10 核心起不起作用

自從我更新到 Debian Bullseye，nfs 客戶端停止工作：

# mount -vvt nfs4 -o sec=krb5 nfs11:/srv /mnt
mount.nfs4: timeout set for Wed Sep 15 20:25:49 2021
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=x.y.11.63,clientaddr=x.y.11.42'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs11:/srv

當我在同一系統上安裝 5.9 核心（linux-image-5.9.0-0.bpo.5-cloud-amd64）時 - 它可以工作。

我也試過：

• Debian 測試核心（核心 5.14） - 不起作用
• Ubuntu 21.10 Impish（核心 5.13）- 不工作
• Ubuntu 20.04 Focal（核心 5.4）- 有效

如果所有系統都具有相同的 NFS/Kerberos 設置，我的結論是：核心中發生了一些變化，不允許掛載 NFS/Kerberos 共享。

• 我的 KDC - Samba4 AD
• 我的 Kerberos 和 NFS 設置是非常標準的，就像在任何方法中一樣
• HOSTNAME$@REALM nfs/fqdn@REALM host/… 原則在客戶端和伺服器鍵選項卡中有

我放入RPCGSSDOPTS="-vvv"/etc/default/nfs-common 進行調試。在以下日誌中：

• nfs11 - 我的測試 nfs 伺服器（Debian 11，核心 5.10）
• tst2 - 我的測試 nfs 客戶端（Debian 11）

這是客戶端嘗試掛載 nfs 共享時的系統日誌：

使用 5.9 核心啟動的 nfs 客戶端（安裝成功）

rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[446]: gssd_get_single_krb5_cred: principal 'tst2$@MY.DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server nfs@nfs11.my.domain
rpc.gssd[446]: doing downcall: lifetime_rec=36000 acceptor=nfs@nfs11.my.domain
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server nfs@nfs11.my.domain
rpc.gssd[446]: doing downcall: lifetime_rec=36000 acceptor=nfs@nfs11.my.domain
nfsidmap[524]: key: 0x3b88d120 type: uid value: root@my.domain timeout 600
nfsidmap[524]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[524]: nss_getpwnam: name 'root@my.domain' domain 'my.domain': resulting localname 'root'
nfsidmap[524]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[524]: nfs4_name_to_uid: final return value is 0
nfsidmap[525]: key: 0x317cb571 type: gid value: root@my.domain timeout 600
nfsidmap[525]: nfs4_name_to_gid: calling nsswitch->name_to_gid
nfsidmap[525]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
nfsidmap[525]: nfs4_name_to_gid: final return value is 0

使用 5.10 核心啟動的 nfs 客戶端（不掛載）

rpc.gssd[450]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,3,1,2' (nfs/clnt3)
rpc.gssd[450]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[450]: gssd_get_single_krb5_cred: principal 'tst2$@MY.DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nfs11.my.domain
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: ERROR: Failed to create machine krb5 context with any credentials cache for server nfs11.my.domain
rpc.gssd[450]: doing error downcall

我用Google搜尋了很多，沒有找到任何相關的東西……目前作為一種解決方法，我在所有 nfs 客戶端系統中執行以前版本的反向移植核心。但我認為它很危險，而且有些東西告訴我它隨時可能破裂。

有沒有人遇到過這樣的問題？也許我應該調整一些東西以匹配核心的變化？也許我應該填補核心錯誤？

更新。添加了 KDC 日誌。

使用 5.9 核心從客戶端掛載時 KDC - 成功

[2021/09/21 21:55:12.061264,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
 stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/21 21:55:44.743415,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:38701 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/21 21:55:44.747105,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client sent patypes: 150, 149
[2021/09/21 21:55:44.747154,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.747178,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.747209,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: No preauth found, returning PREAUTH-REQUIRED -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.751030,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:50506 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/21 21:55:44.753959,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/21 21:55:44.754060,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.754114,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.754187,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: ENC-TS Pre-authentication succeeded -- tst2$@MY.DOMAIN using arcfour-hmac-md5
[2021/09/21 21:55:44.754275,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
 Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[tst2$@MY.DOMAIN] at [Tue, 21 Sep 2021 21:55:44.754261 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:50506] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6619]. local host [NULL] 
 {"timestamp": "2021-09-21T21:55:44.754359+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "dd24014b273cc7a8", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:50506", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "tst2$@MY.DOMAIN", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6619", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3366}}
[2021/09/21 21:55:44.761108,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: AS-REQ authtime: 2021-09-21T21:55:44 starttime: unset endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.761282,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/21 21:55:44.761368,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/21 21:55:44.767382,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:39570 for nfs/nfs11.my.domain@MY.DOMAIN [canonicalize, renewable, forwardable]
[2021/09/21 21:55:44.773999,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: TGS-REQ authtime: 2021-09-21T21:55:44 starttime: 2021-09-21T21:55:44 endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.774695,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
 stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

使用 5.10 核心從客戶端掛載時 KDC - 掛載失敗

[2021/09/22 00:31:39.893723,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:46094 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/22 00:31:39.899112,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client sent patypes: 150, 149
[2021/09/22 00:31:39.899162,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.899186,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.899221,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: No preauth found, returning PREAUTH-REQUIRED -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.901942,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:39303 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/22 00:31:39.905030,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/22 00:31:39.905080,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.905105,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.905171,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: ENC-TS Pre-authentication succeeded -- tst2$@MY.DOMAIN using arcfour-hmac-md5
[2021/09/22 00:31:39.905270,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
 Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[tst2$@MY.DOMAIN] at [Wed, 22 Sep 2021 00:31:39.905248 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:39303] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6621]. local host [NULL] 
 {"timestamp": "2021-09-22T00:31:39.905331+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "8511280d720bd92c", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:39303", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "tst2$@MY.DOMAIN", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6621", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3429}}
[2021/09/22 00:31:39.912509,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: AS-REQ authtime: 2021-09-22T00:31:39 starttime: unset endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.912597,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/22 00:31:39.912663,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/22 00:31:39.918313,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:59850 for nfs/nfs11.my.domain@MY.DOMAIN [canonicalize, renewable, forwardable]
[2021/09/22 00:31:39.924869,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: TGS-REQ authtime: 2021-09-22T00:31:39 starttime: 2021-09-22T00:31:39 endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.925340,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
 stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/22 00:31:39.928319,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:59852 for nfs/nfs11.my.domain@MY.DOMAIN [renewable, forwardable]
[2021/09/22 00:31:39.930936,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes
[2021/09/22 00:31:39.930998,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Failed building TGS-REP to ipv4:x.y.11.42:59852
[2021/09/22 00:31:39.931336,  3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
 stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

我看到Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes錯誤。Google發現一個與舊 enctypes 相關的舊問題，沒有任何用處。所有軟體包都是最新的。

感謝評論，我取得了一些進展。我安裝了新的 Samba DC，將客戶端（5.10 核心）和伺服器都加入了新的 KDC - 它工作正常！新的 KDC 允許具有任何核心的 NFS 客戶端掛載共享。似乎問題出在我的生產 Samba DC 中。我查看了 ldap 數據庫，看起來它們很相似，除了在新的 dc 上添加了很少的內容，比如 3 個新對象和一些欄位。目前我不知道我應該在生產 DC 中進行哪些調整以使其表現得像新的一樣。重新安裝將是最後的手段，因為它需要很多時間。

生產 DC 是很久以前創建的，並且使用標準 samba 複製或備份進行了多次遷移。生產和新鮮的 DC 資訊：

• oEInformation：由 SAMBA 4.1.6-Ubuntu 提供
• oEInformation：由 SAMBA 4.13.5-Debian 提供

目前，DC 在相同的 Debian 作業系統下執行。

更新 2. 解決了！

請參閱下面的解決方案。

在我的情況下，解決方案如下：我嘗試使生產 DC 上的 LDAP DB 看起來像新 DC（正在工作）上的 LDAP DB。所以我改變了一些領域。重新啟動一切。它奏效了！

我到底改變了什麼。

dn: DC=my,DC=domain我使用添加/更改了對像中的以下欄位ldbedit -H /var/lib/samba/private/sam.ldb：

msDS-Behavior-Version: 4
msDS-NcType: 0
serverState: 1

生產 DC 過去已重命名，但我在以下對像中發現了剩菜（舊名稱）：

dn: CN=<old-name>,CN=*,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain

我通過用 重命名它們來解決這個問題ldbrename，例如：

ldbrename -H /var/lib/samba/private/sam.ldb 'CN=<old-name>,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain' 'CN=<actual-name>,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain'

也許並非所有這些更改都是必要的，但它現在有效。謝謝您的意見！

Linux 在 5.10 中從 Kerberos 中刪除了對 RC4-HMAC-MD5 的支持。您的客戶端使用該加密類型，可以在伺服器的日誌輸出中看到：

[2021/09/21 21:55:44.761282,  3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
 Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5

如果 AES 類型可用，Samba 應該選擇 aes256-cts-hmac-sha1-96。

它不在您的任何日誌中，但我猜失敗的 TGS-REQ 要求提供 des3-cbc-sha1、aes128-cts-hmac-sha1-96、aes256-cts-hmac-sha1-96。這可以通過使用參數啟動 rpc.gssd 來驗證-vvvrr。在這種情況下，客戶的 AD 帳戶沒有啟用所需的加密類型。如果客戶端在 Samba 不支持 AES 時加入域，則會發生這種情況。您可以通過重置客戶端的 AD 帳戶密碼或重新加入域來啟用加密類型。您還需要確保將加密類型添加到客戶端的密鑰表中。這可以驗證klist -ke在客戶端上執行。

如果您使用特定的服務主體，請確保將加密類型顯式添加到客戶端的帳戶（在 ADC 執行上net ads enctypes set <ACCOUNTNAME> 24）。否則只會導出 ARCFOUR 類型。

引用自：https://serverfault.com/questions/1077670