Join Ubuntu 14.04 LTS to Active Directory using realmd, sssd and adcli


I am setting up a new network with a Windows 2012 machine running AD DS. I have several Ubuntu 14.04 servers that I want to join to the domain for authentication. I managed to do it on one of those servers using realmd, sssd and adcli; that was quite simple.

However, on at least two other servers I cannot get the same configuration to work. The big difference between the two is that they live on a different subnet. I have checked:
- routing
- DNS
- disabled all firewall rules on the firewall and on the DC

I can run kinit successfully, but when joining with adcli it cannot contact a KDC.

I hope you can point out my mistake.

Kind regards

root@lb02:~# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ea:a5:b6 brd ff:ff:ff:ff:ff:ff
inet ***.***.***.**/** brd ***.***.***.*** scope global net
   valid_lft forever preferred_lft forever
inet6 ....
3: www: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:70:11:86 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global www
   valid_lft forever preferred_lft forever
inet6 ....

root@lb02:~# cat /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = ACME.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
ACME.COM = {
        kdc = ad01.acme.com
        admin_server = ad01.acme.com
        default_domain = ACME.COM
}

[domain_realm]
.acme.com = ACME.COM
acme.com = ACME.COM

root@lb02:~# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/08/2015 16:19:55  07/09/2015 02:19:55  krbtgt/ACME.COM@ACME.COM
        renew until 07/09/2015 16:19:52

root@lb02:~# dig -t SRV _kerberos._tcp.acme.com

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._tcp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.acme.com.    IN      SRV

;; ANSWER SECTION:
_kerberos._tcp.acme.com. 600 IN      SRV     0 100 88 ad01.acme.com.

;; ADDITIONAL SECTION:
ad01.acme.com.       3600    IN      A       10.2.4.1

;; Query time: 2 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:24:43 CEST 2015
;; MSG SIZE  rcvd: 107

root@lb02:~# dig -t SRV _kerberos._udp.acme.com

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV _kerberos._udp.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.acme.com.    IN      SRV

;; ANSWER SECTION:
_kerberos._udp.acme.com. 600 IN      SRV     0 100 88 ad01.acme.com.

;; ADDITIONAL SECTION:
ad01.acme.com.       3600    IN      A       10.2.4.1

;; Query time: 1 msec
;; SERVER: 10.2.4.1#53(10.2.4.1)
;; WHEN: Wed Jul 08 16:46:25 CEST 2015
;; MSG SIZE  rcvd: 107

root@lb02:~# ping -c 4 ad01.acme.com

PING ad01.acme.com (10.2.4.1) 56(84) bytes of data.
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=1 ttl=127 time=0.651 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=2 ttl=127 time=0.620 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=3 ttl=127 time=0.721 ms
64 bytes from ad01.acme.com (10.2.4.1): icmp_seq=4 ttl=127 time=0.750 ms

--- ad01.acme.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.620/0.685/0.750/0.058 ms

C:\Users\Administrator>ping lb02

Pinging lb02.acme.com [10.2.1.2] with 32 bytes of data:
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63
Reply from 10.2.1.2: bytes=32 time<1ms TTL=63

Ping statistics for 10.2.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

kvanhagen@lb02:~$ telnet ad01.acme.com 88

Trying 10.2.4.1...
Connected to ad01.acme.com.

root@lb02:~# realm --membership-software=adcli discover acme.com

acme.com
  type: kerberos
  realm-name: ACME.COM
  domain-name: acme.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

root@lb02:~# realm --verbose join acme.com

 * Resolving: _ldap._tcp.acme.com
 * Performing LDAP DSE lookup on: 10.2.4.1
 * Successfully discovered: acme.com
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain acme.com --domain-realm ACME.COM --domain-controller 10.2.4.1 --login-type user --login-ccache=/var/cache/realmd/realm-ad-kerberos-MCBF1X
 * Using domain name: acme.com
 * Calculated computer account name from fqdn: LB02
 * Using domain realm: acme.com
 * Sending netlogon pings to domain controller: cldap://10.2.4.1
 * Received NetLogon info from: ad01.acme.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-v7Y0Pg/krb5.d/adcli-krb5-conf-eJg20h
 * Looked up short domain name: ACME
 * Using fully qualified name: lb02
 * Using domain name: acme.com
 * Using computer account name: LB02
 * Using domain realm: acme.com
 * Calculated computer account name from fqdn: LB02
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: lb02
 * Using domain name: acme.com
 * Using computer account name: LB02
 * Using domain realm: acme.com
 * Looked up short domain name: ACME
 * Found computer account for LB02$ at: CN=LB02,CN=Computers,DC=acme,DC=com
 ! Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
adcli: joining domain acme.com failed: Couldn't set password for computer account: LB02$: Cannot contact any KDC for requested realm
 ! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
    
by KvH 08.07.2015 / 17:27

0 answers
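For readers working through the same symptom, the following is an added example and not code from the question or from any answer to it. The join log above succeeds at every Kerberos and LDAP step until it tries to set the computer account's password; that step uses the Kerberos password-change service (kpasswd, port 464 TCP/UDP), not the port-88 AS/TGS service that kinit and the telnet test exercised, so a cross-subnet filter that only permits 88 (and 389 for LDAP) produces exactly "Cannot contact any KDC for requested realm" at that point. The script reads a krb5.conf (a constructed copy mirroring the one in the question), derives the TCP endpoints an adcli/realmd join talks to, and probes each with a plain TCP connect, the same check telnet did for port 88. The hostnames, ports and sample config are assumptions mirroring the question; MIT krb5's resolution order for the kpasswd server (kpasswd_server, then DNS SRV _kpasswd, then port 464 on the admin_server host) is taken from the krb5.conf documentation.

```python
"""Derive and probe the endpoints an Active Directory join needs, from krb5.conf.

Added example, not from the original post. Hosts, ports and SAMPLE_KRB5_CONF are
constructed to mirror the question; run it against a real /etc/krb5.conf to get a
per-port reachability report from the client's subnet.
"""
import re
import socket
import sys

# Constructed sample mirroring the krb5.conf shown in the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = ACME.COM
forwardable = true

[realms]
ACME.COM = {
        kdc = ad01.acme.com
        admin_server = ad01.acme.com
        default_domain = ACME.COM
}

[domain_realm]
.acme.com = ACME.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [sections], key = value
    lines, and REALM = { ... } blocks. Keys inside a realm block are stored as
    lists because 'kdc' may legitimately repeat."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            realm = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            realm = key
            conf[section][realm] = {}
        elif realm is not None:
            conf[section][realm].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def split_host_port(spec, default_port):
    """'host' or 'host:port' -> (host, port)."""
    host, _, port = spec.partition(":")
    return host, int(port) if port else default_port


def join_endpoints(conf, realm=None):
    """TCP endpoints an adcli/realmd join talks to for the realm:
    88 on each kdc (AS/TGS, what kinit uses), 389 on the same host (the LDAP
    DSE lookup and computer-account search), and 464 for kpasswd (the
    computer-account password set). MIT krb5 picks the kpasswd host from
    kpasswd_server, else DNS SRV _kpasswd (not modelled here), else port 464
    on the admin_server host; the admin_server port itself (749) is not used."""
    realm = realm or conf["libdefaults"]["default_realm"]
    block = conf["realms"][realm]
    endpoints = []
    for spec in block.get("kdc", []):
        host, port = split_host_port(spec, 88)
        endpoints.append(("kerberos (AS/TGS)", host, port))
        endpoints.append(("ldap (DSE lookup / computer account)", host, 389))
    if "kpasswd_server" in block:
        for spec in block["kpasswd_server"]:
            host, port = split_host_port(spec, 464)
            endpoints.append(("kpasswd (set computer password)", host, port))
    else:
        for spec in block.get("admin_server", []):
            host, _ = split_host_port(spec, 749)
            endpoints.append(("kpasswd (set computer password)", host, 464))
    return endpoints


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connect to host:port completes within timeout; a DNS
    failure, a refused connection and a filtered port all count as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(conf_text):
    """Print one line per endpoint; returns the list of unreachable ones."""
    failed = []
    for service, host, port in join_endpoints(parse_krb5_conf(conf_text)):
        ok = tcp_reachable(host, port)
        print(f"{service:40s} {host}:{port:<5d} {'open' if ok else 'unreachable'}")
        if not ok:
            failed.append((service, host, port))
    return failed


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_KRB5_CONF
    sys.exit(1 if report(text) else 0)
```

Run it as `python3 adjoin_ports.py /etc/krb5.conf` on the failing client; if 88 and 389 are open but 464 is unreachable, the block is between the subnets or on the DC, and the fix belongs in the firewall policy rather than in realmd or sssd. Alongside the two `_kerberos` SRV lookups in the question, the DNS side of the same step is `dig -t SRV _kpasswd._tcp.acme.com` and `dig -t SRV _kpasswd._udp.acme.com`, which should return the same domain controller.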