I am setting up a new network with a Windows 2012 machine running AD DS. I have several Ubuntu 14.04 servers that I want to join to the domain for authentication. I managed to do it on one of these servers using realmd, sssd and adcli; that was fairly straightforward.
However, on at least two other servers I cannot get the same configuration to work. The big difference between the two is that they sit in a different subnet. I have checked: routing, DNS, and I disabled all firewall rules on the firewall and on the DC.
I can run kinit successfully, but when joining with adcli it cannot contact a KDC.
I hope you can point out my mistake.
Regards
root@lb02:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ea:a5:b6 brd ff:ff:ff:ff:ff:ff
inet ***.***.***.**/** brd ***.***.***.*** scope global net
valid_lft forever preferred_lft forever
inet6 ....
3: www: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:70:11:86 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global www
valid_lft forever preferred_lft forever
inet6 ....
root@lb02:~# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
default_realm = ACME.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
ACME.COM = {
kdc = ad01.acme.com
admin_server = ad01.acme.com
default_domain = ACME.COM
}
[domain_realm]
.acme.com = ACME.COM
acme.com = ACME.COM
root@lb02:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/08/2015 16:19:55 07/09/2015 02:19:55 krbtgt/ACME.COM@ACME.COM
renew until 07/09/2015 16:19:52
root@lb02:~# dig -t SRV _kerberos._tcp.acme.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._tcp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.acme.com. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
;; ADDITIONAL SECTION:
ad01.acme.com. 3600 IN A 10.2.4.1
;; Query time: 2 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:24:43 CEST 2015
;; MSG SIZE rcvd: 107
root@lb02:~# dig -t SRV _kerberos._udp.acme.com
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._udp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.acme.com. IN SRV
;; ANSWER SECTION:
_kerberos._udp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
;; ADDITIONAL SECTION:
ad01.acme.com. 3600 IN A 10.2.4.1
;; Query time: 1 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:46:25 CEST 2015
;; MSG SIZE rcvd: 107
root@lb02:~# ping -c4 ad01.acme.com
PING ad01.acme.com (10.2.4.1) 56(84) bytes of data.
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=1 ttl=127 time=0.651 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=2 ttl=127 time=0.620 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=3 ttl=127 time=0.721 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=4 ttl=127 time=0.750 ms
--- ad01.acme.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.620/0.685/0.750/0.058 ms
C:\Users\Administrator> ping lb02
Pinging lb02.acme.com [10.2.1.2] with 32 bytes of data:
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Ping statistics for 10.2.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
kvanhagen@lb02:~$ telnet ad01.acme.com 88
Trying 10.2.4.1...
Connected to ad01.acme.com.
root@lb02:~# realm --membership-software=adcli discover acme.com
acme.com
type: kerberos
realm-name: ACME.COM
domain-name: acme.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@lb02:~# realm --verbose join acme.com
* Resolving: _ldap._tcp.acme.com
* Performing LDAP DSE lookup on: 10.2.4.1
* Successfully discovered: acme.com
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain acme.com --domain-realm ACME.COM --domain-controller 10.2.4.1 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-MCBF1X
* Using domain name: acme.com
* Calculated computer account name from fqdn: LB02
* Using domain realm: acme.com
* Sending netlogon pings to domain controller: cldap://10.2.4.1
* Received NetLogon info from: ad01.acme.com
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-v7Y0Pg/krb5.d/adcli-krb5-conf-eJg20h
* Looked up short domain name: ACME
* Using fully qualified name: lb02
* Using domain name: acme.com
* Using computer account name: LB02
* Using domain realm: acme.com
* Calculated computer account name from fqdn: LB02
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Using fully qualified name: lb02
* Using domain name: acme.com
* Using computer account name: LB02
* Using domain realm: acme.com
* Looked up short domain name: ACME
* Found computer account for LB02$ at: CN=LB02,CN=Computers,DC=acme,DC=com
! Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
adcli: joining domain acme.com failed: Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
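The checks in the post (SRV lookups, ping, telnet to port 88) all exercise the ticket service, and kinit proves port 88 works. The step that failed, setting the computer account password, is sent by the Kerberos library to the kpasswd service instead, which lives on port 464 (TCP and UDP) and is located through the _kpasswd SRV records or the admin_server entry in krb5.conf. The following Python script is an added diagnostic, not part of the original question or of realmd/adcli: it parses dig-style SRV answers for both services, reports any record that is missing, and probes each TCP target. The sample SRV lines are constructed to match the post's dig output; the _kpasswd records in it, the hostname ad01.acme.com and the probe timeout are assumptions.

```python
#!/usr/bin/env python3
"""Added diagnostic (not from the original post): map the Kerberos SRV
records a domain join depends on to concrete TCP probes.

The password-set step that failed in the post goes to the kpasswd
service (port 464), not the ticket service on 88 that kinit and telnet
already exercised, so both services are checked here.
"""
import re
import socket
import subprocess
import sys

# One dig answer line: "<name>. <ttl> IN SRV <prio> <weight> <port> <target>."
SRV_RE = re.compile(
    r"^(\S+?)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$"
)

# Constructed sample in the layout of `dig +noall +answer -t SRV ...`.
# The _kpasswd lines are assumed; the post only shows the _kerberos ones.
SAMPLE_SRV = """
_kerberos._tcp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
_kerberos._udp.acme.com. 600 IN SRV 0 100 88 ad01.acme.com.
_kpasswd._tcp.acme.com. 600 IN SRV 0 100 464 ad01.acme.com.
_kpasswd._udp.acme.com. 600 IN SRV 0 100 464 ad01.acme.com.
""".splitlines()


def kerberos_services(domain):
    """SRV names a join consults: ticket service (88) and password change (464)."""
    return [f"_{svc}._{proto}.{domain}"
            for svc in ("kerberos", "kpasswd") for proto in ("tcp", "udp")]


def parse_srv_answers(lines):
    """Return (name, priority, weight, port, target) tuples, lowest priority
    and highest weight first; comments, blank and unparseable lines are skipped."""
    rows = []
    for line in lines:
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            rows.append((name, int(prio), int(weight), int(port), target))
    rows.sort(key=lambda r: (r[1], -r[2]))
    return rows


def missing_services(lines, domain):
    """SRV names the join needs but the answers do not cover."""
    have = {r[0] for r in parse_srv_answers(lines)}
    return [n for n in kerberos_services(domain) if n not in have]


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake completes; DNS failures count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(lines, prober=probe_tcp):
    """Probe each TCP SRV target once. UDP records are listed by
    missing_services() but not probed: a bare UDP send proves nothing
    without a well-formed Kerberos request."""
    results = {}
    for name, _prio, _weight, port, target in parse_srv_answers(lines):
        svc, proto = (part.lstrip("_") for part in name.split(".")[:2])
        if proto == "tcp" and (svc, target, port) not in results:
            results[(svc, target, port)] = prober(target, port)
    return results


def dig_srv(domain):
    """Collect live answers with dig; used only when a domain is given."""
    lines = []
    for name in kerberos_services(domain):
        out = subprocess.run(["dig", "+noall", "+answer", "-t", "SRV", name],
                             capture_output=True, text=True, check=False)
        lines.extend(out.stdout.splitlines())
    return lines


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "acme.com"
    answers = dig_srv(domain) if len(sys.argv) > 1 else SAMPLE_SRV
    for name in missing_services(answers, domain):
        print(f"no SRV record: {name}")
    for (svc, host, port), ok in run_checks(answers).items():
        print(f"{svc:9s} {host}:{port:<4d} {'open' if ok else 'UNREACHABLE'}")
```

Run it on lb02 as `python3 kdc_probe.py acme.com` to query the DC; without an argument it only walks the constructed sample. A result where kerberos 88 is open and kpasswd 464 is unreachable would be consistent with the join output above: discovery, the CLDAP ping and the LDAP lookup of the existing LB02$ object all succeed, and only the password set fails. In that case the thing to compare between the working subnet and the failing ones is whether port 464 (TCP and UDP) reaches the DC, since adcli was told to use it directly (`--domain-controller 10.2.4.1`) and the error names no KDC for the realm rather than a rejected password.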