Samba 4 joined to AD: shares reachable by FQDN but not by IP or alias


I installed a new Openmediavault 4 server and joined it to an Active Directory managed by two Samba 4 domain controllers.

Specs:

  • Active Directory domain my.ad.domain, managed by two Samba 4 domain controllers: server-z1.my.ad.domain (192.168.70.201) and server-z2.my.ad.domain (192.168.70.202)
  • One file server running Samba version 4.5.12-Debian on Openmediavault 4.1.0-1 (based on Debian 9)
  • The file server's IP address is 192.168.70.171
  • The file server's FQDN is server-f1.my.ad.domain
  • The file server has an alias server-f10.my.ad.domain configured in DNS
  • I want to access the file server from clients by IP address (\\192.168.70.171), by FQDN (\\server-f1.my.ad.domain) and by DNS alias (\\server-f10.my.ad.domain).

I joined Openmediavault to the domain using SSSD by following this guide: https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-OpenMediaVault-3-x-in-an-Active-Directory-domain/ . With getent passwd I can list the domain users, even after a reboot.

The problem I have is that I can access the shares using the FQDN (\\server-f1 or \\server-f1.my.ad.domain), but not using the IP address (\\192.168.70.171) or the DNS alias (\\server-f10 or \\server-f10.my.ad.domain).

When I access it by IP address or by DNS alias, I get the following errors on the Openmediavault system:

Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.956409,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.957928,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961733,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:54 server-f1 smbd[21103]:   WARNING: The "syslog" option is deprecated
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961772,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:54 server-f1 smbd[21103]:   WARNING: The "syslog only" option is deprecated
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961984,  2] ../source3/param/loadparm.c:2685(lp_do_section)
Mar 15 20:14:54 server-f1 smbd[21103]:   Processing section "[homes]"
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.049955,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.050031,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081918,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081968,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110632,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110683,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112016,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
Mar 15 20:14:57 server-f1 smbd[21103]:   domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112060,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
Mar 15 20:14:57 server-f1 smbd[21103]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112088,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
Mar 15 20:14:57 server-f1 smbd[21103]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.121674,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:57 server-f1 smbd[21104]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125426,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:57 server-f1 smbd[21104]:   WARNING: The "syslog" option is deprecated
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125460,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:57 server-f1 smbd[21104]:   WARNING: The "syslog only" option is deprecated
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125698,  2] ../source3/param/loadparm.c:2685(lp_do_section)
Mar 15 20:14:57 server-f1 smbd[21104]:   Processing section "[homes]"
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197432,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197476,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227212,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227250,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257018,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257051,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466888,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
Mar 15 20:14:57 server-f1 smbd[21104]:   domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466920,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
Mar 15 20:14:57 server-f1 smbd[21104]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466943,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
Mar 15 20:14:57 server-f1 smbd[21104]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:15:01 server-f1 CRON[21106]: (root) CMD (/usr/sbin/omv-mkrrdgraph >/dev/null 2>&1)

Here is my Samba global configuration:

[global]
workgroup = DOMAIN
server string = %h server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
dedicated keytab file = FILE:/etc/krb5.keytab
password server = server-z1.my.ad.domain, server-z2.my.ad.domain
realm = MY.AD.DOMAIN
security = ads
template homedir = /home/my.ad.domain/users/%U
netbios name = server-f1
netbios aliases = server-f10

Can you help me?

Thanks!

Answer 1

Although this is an old post, I ran into the same problem myself today, so I am sharing my solution.

When a computer is joined to Active Directory, two sets of SPNs are created for the resulting computer account: one on the FQDN and a second on the NetBIOS name (also known as the server name).

NetBIOS names are limited to 15 characters. In my case the server name was longer than 15 characters, so when I joined it to the domain the SPNs generated for the computer account were truncated at the 15th character. The SPN using the FQDN was complete, however; hence accessing the share by server name failed while accessing it by FQDN worked.

Fixing the SPNs in Active Directory worked for me and may work for you too (though not for the IP address; for that you need NTLM).

After adding the SPNs to the server's computer account you may also need to restart the server.
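As an added example (not code from the original post or from the Samba project): a Python helper that lists the SPNs a member server needs for its FQDN, its NetBIOS name and each DNS alias, diffs them against the SPNs registered on the computer account, and renders the matching samba-tool spn add commands for an administrator to review. The host names, the registered SPN list and the account name are constructed; fileserver-archive01 is a hypothetical name long enough to show the 15-character truncation the answer describes.

```python
# Added example, not code from the original post or from Samba itself.
# Given the names clients use for a member server, work out which SPNs its
# computer account needs and which are missing. NetBIOS names are cut at 15
# characters, so a long host name joins with a truncated HOST/<NAME> SPN.
NETBIOS_MAX = 15


def netbios_name(hostname):
    """Short host name as NetBIOS sees it: upper-cased and cut at 15 chars."""
    return hostname.split(".")[0].upper()[:NETBIOS_MAX]


def required_spns(fqdn, aliases=(), services=("HOST", "cifs")):
    """SPNs that let Kerberos work for the FQDN, its short name and each alias.

    cifs/ is normally covered by AD's default mapping onto HOST/, but listing
    it explicitly is harmless and keeps the check independent of that mapping.
    """
    spns = set()
    for name in (fqdn, *aliases):
        short = name.split(".")[0].upper()
        for svc in services:
            spns.add(f"{svc}/{name.lower()}")
            spns.add(f"{svc}/{short}")
    return spns


def missing_spns(fqdn, registered, aliases=()):
    """Sorted SPNs a client may request that the account does not carry."""
    have = {s.lower() for s in registered}
    return sorted(s for s in required_spns(fqdn, aliases) if s.lower() not in have)


def samba_tool_commands(account, spns):
    """Commands an admin would run on a Samba DC (rendered here, not executed)."""
    return [f"samba-tool spn add {spn} {account}" for spn in spns]


if __name__ == "__main__":
    # Constructed sample: a host whose name exceeds 15 characters, joined with
    # the truncated NetBIOS SPN, plus one DNS alias that was never registered.
    fqdn = "fileserver-archive01.my.ad.domain"
    account = netbios_name(fqdn) + "$"  # sAMAccountName of the computer account
    registered = ["HOST/fileserver-archive01.my.ad.domain", "HOST/" + netbios_name(fqdn)]
    aliases = ("fileserver-alias.my.ad.domain",)
    for cmd in samba_tool_commands(account, missing_spns(fqdn, registered, aliases)):
        print(cmd)
```

The same check applies to the question's setup: with server-f1 as FQDN and server-f10 as the alias, the output lists the alias SPNs that the join did not create.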

Answer 2

You cannot use the IP because Kerberos is bound only to the FQDN.
