Kerberos CLIENT_NOT_FOUND while logon from WinXP to Ubuntu16.04 Samba Domain
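Since Samba is by now fully capable of acting as a replacement for Active Directory, I planned to set it up for a school network (with old XP and Win7 clients). I installed all packages from the Ubuntu 16.04 LTS repositories.
Setting up the server went fine, but after joining the domain with WinXP I can't log on: "username or domain not found".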
/var/log/auth.log
Mar 26 14:41:39 server krb5kdc[967]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.103: CLIENT_NOT_FOUND: chrglo@FSG for krbtgt/FSG@FSG, Client not found in Kerberos database
Mar 26 14:41:39 server krb5kdc[967]: DISPATCH: repeated (retransmitted?) request from 192.168.0.103, resending previous response
But the account chrglo exists in Kerberos:
fsgadmin@server:~$ kinit chrglo
Password for chrglo@FSG.LAN:
fsgadmin@server:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: chrglo@FSG.LAN
Valid starting Expires Service principal
26.03.2018 14:43:42 27.03.2018 00:43:42 krbtgt/FSG.LAN@FSG.LAN
renew until 27.03.2018 14:43:39
I tried several (!) Google results dealing with various (but not exactly the same) problems of this kind. But none of them helped.
Here is my Kerberos config:
/etc/krb5.conf
[libdefaults]
default_realm = FSG.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
FSG.LAN = {
kdc = server.fsg:88
admin_server = server.fsg:749
default_domain = FSG
}
[domain_realm]
.fsg.lan = FSG.LAN
fsg.lan = FSG.LAN
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
And my Samba config:
/etc/samba/smb.conf
[global]
workgroup = FSG
realm = FSG.LAN
netbios name = SERVER
server role = active directory domain controller
dns forwarder = 192.168.0.254
idmap_ldb:use rfc2307 = yes
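Here are some screenshots of the XP client (by the way, server and client run in VirtualBox): the client was added to the domain and offers to log on with it, but then stops with the (previously noted) error message.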
Client joined the domain
Client at domain logon screen
Error after logon try
Does anyone know where I messed up the config?
Glock
/EDIT: To provide more information: DHCP is done by an external device.
/etc/hosts
127.0.0.1 localhost localhost.fsg
192.168.0.250 server.fsg server
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/EDIT2: Requested ipconfig / ifconfig:
ipconfig /all on xp client
On the server:
fsgadmin@server:~$ ifconfig
enp0s3 Link encap:Ethernet Hardware Adresse 08:00:27:ef:bc:56
inet Adresse:192.168.0.250 Bcast:192.168.0.255 Maske:255.255.255.0
inet6-Adresse: fe80::a00:27ff:feef:bc56/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX-Pakete:154 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:82 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX-Bytes:18341 (18.3 KB) TX-Bytes:11263 (11.2 KB)
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:65536 Metrik:1
RX-Pakete:650 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
TX-Pakete:650 Fehler:0 Verloren:0 Überläufe:0 Träger:0
Kollisionen:0 Sendewarteschlangenlänge:1
RX-Bytes:52072 (52.0 KB) TX-Bytes:52072 (52.0 KB)
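Additionally: when the client joined the domain, some entries appeared in auth.log on the server (I used the Samba built-in Administrator account credentials when joining):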
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Also, the following was logged to samba/log.samba
[2018/04/10 16:13:45.999444, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: Traceback (most recent call last):
[2018/04/10 16:13:46.002791, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 621, in <module>
[2018/04/10 16:13:46.006441, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: get_credentials(lp)
[2018/04/10 16:13:46.006826, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
[2018/04/10 16:13:46.006930, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: raise e
[2018/04/10 16:13:46.007037, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: RuntimeError: kinit for SERVER$@FSG.LAN failed (Cannot contact any KDC for requested realm)
[2018/04/10 16:13:46.007099, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate:
[2018/04/10 16:13:46.021901, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED
Problem solved: Samba provides its own Kerberos admin server - no need to install one yourself :S
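The resolution above points at a second, separately installed KDC. As an added example (not part of the original post), this Python sketch checks the two signals visible in the posted logs: the AS_REQ was answered by a standalone `krb5kdc` process although smb.conf declares an AD DC role, and the requested realm differs from the configured one (realm names are case-sensitive). The function names are hypothetical; the sample input is constructed from the post's own log lines and smb.conf.

```python
import re

# Constructed sample input: two auth.log lines and the smb.conf shown in the post.
AUTH_LOG = """\
Mar 26 14:41:39 server krb5kdc[967]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.103: CLIENT_NOT_FOUND: chrglo@FSG for krbtgt/FSG@FSG, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
"""
SMB_CONF = """\
[global]
workgroup = FSG
realm = FSG.LAN
server role = active directory domain controller
"""

AS_REQ = re.compile(
    r"(?P<daemon>\S+)\[\d+\]: AS_REQ .*? (?P<src>\d+\.\d+\.\d+\.\d+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+)@(?P<realm>\S+) for "
)

def smb_global(conf_text):
    """Return the key/value pairs of the [global] section, keys lower-cased."""
    opts, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def diagnose(log_text, conf_text):
    """List (client, source IP, reasons) for every CLIENT_NOT_FOUND AS_REQ."""
    opts = smb_global(conf_text)
    is_dc = opts.get("server role", "").lower() == "active directory domain controller"
    findings = []
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m or m["status"] != "CLIENT_NOT_FOUND":
            continue
        reasons = []
        if is_dc and m["daemon"] == "krb5kdc":
            reasons.append("answered by standalone krb5kdc, not Samba's built-in KDC")
        if m["realm"] != opts.get("realm"):
            reasons.append("requested realm %s is not %s" % (m["realm"], opts.get("realm")))
        findings.append((m["client"], m["src"], reasons))
    return findings
```

Both sample requests are flagged for both reasons, which matches the post's outcome: the separately installed KDC has its own principal database and knows nothing about the accounts held in Samba's directory.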