iT邦幫忙

0

samba無法成功整合windows 2003 AD

目前在進行linux與windows的異質平台整合,看過了許多設定範例,但還是依然無法使用samba與windows AD來整合:

  1. 使用net join -U admin加入網域時,使用ads是失敗的,但rpc是成功的,訊息如下:
    Failed to join domain: Operations error
    ADS join did not work, falling back to RPC...
    Joined domain TEST.
  2. 使用wbinfo -u同樣失敗,訊息為:
    Error looking up domain users
    LOG中的訊息為:
    ads_connect for domain TEST failed: Operations error
  3. 但我使用kinit是能成功通過驗證的:
    ldap@TEST.COM.TW (另一個問題是:TEST.COM.TW一定要是大寫嗎?即使我在krb5.conf中[domain_realm]有設定為小寫也不行?)

使用的版本:
CentOS 5.5
samba-common-3.0.33-3.29.el5_5.1
samba-client-3.0.33-3.29.el5_5.1
samba-3.0.33-3.29.el5_5.1
krb5-libs-1.6.1-36.el5_5.6
krb5-server-1.6.1-36.el5_5.6
krb5-workstation-1.6.1-36.el5_5.6

相關設定檔如下:
=================smb.conf
[root@localhost samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = TEST
realm = TEST.COM.TW
netbios name = SAMBA
server string = Samba Server Version %v
security = ADS
password server = ad.test.com.tw
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind cache time = 0
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
註:我的需求僅是linux能功透過windows AD來驗證而已,故不需homedir與shell
================= krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = test.com.tw
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
TEST.COM.TW = {
kdc = ad.test.com.tw
admin_server = ad.test.com.tw
default_domain = test.com.tw
}

[domain_realm]
.test.com.tw = TEST.COM.TW
test.com.tw = TEST.COM.TW

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

1 個回答

4
raytracy
iT邦大神 1 級 ‧ 2010-12-24 14:13:13

我的 krb5.conf 是這樣寫:

<pre class="c" name="code">[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LAB.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 LAB.LOCAL = {
  kdc = 192.168.15.51:88
  admin_server = 192.168.15.51:749
  default_domain = LAB.LOCAL
 }

[domain_realm]
 .lab.local = LAB.LOCAL
 lab.local = LAB.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

先前 realm 裡面用 FQDN 失敗, 但我沒有時間去查 DNS 的問題, 後來直接改用 IP.
但是我根本沒有 /var/kerberos/krb5kdc/kdc.conf 這個檔案, 所以等於沒有作用.
smb.conf 則比您多了一個:

<pre class="c" name="code">encrypt passwords = yes

以上方式可以在 2003 環境使用, samba 3.0.10~3.0.33 皆可...

alvinshih iT邦新手 4 級 ‧ 2010-12-24 14:38:37 檢舉

FQDN失敗的原因,應該是該dns沒有支授kdc server query。
我也有設定hosts,所以應該是沒有問題的。剛才為了保險起見,我還是測試了一下:
[realms]
TEST.COM.TW = {
kdc = 192.168.0.1:88
admin_server = 192.168.0.1:749
default_domain = TEST.COM.TW
}
結果依然失敗。

註:encrypt passwords = yes,我已經有加入了,只是testparm出來的結果未加入,原因不明。

我要發表回答

立即登入回答