ntlm_auth problem with freeradius + Active Directory

#1  Posted on 2009-04-17 11:52
I have recently been working on freeradius + Windows Active Directory and ran into a few problems during testing; I would appreciate some pointers from the experts here.
Known environment: the base system is FC6, Samba was installed with yum install, version 3.0.23c-2. Active Directory is Windows Server 2003 Standard Edition, IP address 192.168.0.93, domain name HIZILIN.COM. Active Directory contains the account xiaoqiang with password pass#word3.

Problem: the Samba installed in the full FC6 environment was moved onto a trimmed-down small system, where the following errors appeared.
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass      
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
The same configuration passes authentication in the full FC6 environment. My steps, configuration files and logs are below; please help me analyze them.
Steps:
[root#] kinit Administrator@HIZILIN.COM
Password for Administrator@HIZILIN.COM:
[root#]/usr/kerberos/bin/klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@HIZILIN.COM

Valid starting     Expires            Service principal
04/17/09 10:52:49  04/17/09 20:52:59  krbtgt/HIZILIN.COM@HIZILIN.COM
        renew until 04/18/09 10:52:49
[root#]net ads join -U Administrator%tao123456789
[2009/04/17 11:09:31, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Operations error

[root#]net rpc join -U Administrator%tao123456789
Joined domain HIZILIN.


[root#]smbclient -L HIZILIN.COM -U xiaoqiang%pass#word3
Domain=[HIZILIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC             NETLOGON        Disk      Logon server share
        ADMIN$          Disk            SYSVOL          Disk      Logon server share
        C$              Disk      session request to HIZILIN.COM failed (Called name not present)
session request to HIZILIN failed (Called name not present)
Domain=[HIZILIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

        Server               Comment
        ---------            -------
        2K3SERVER            
        CHINA                SSSSSS
        LOCALHOST            Linux Samba

        Workgroup            Master
        ---------            -------
        HIZILIN              2K3SERVER
        MSHOME               GAO
        WORKGROUP            JUJUMAO

[root#]wbinfo -t
checking the trust secret via RPC calls succeeded

[root#]wbinfo -g
Error looking up domain groups

[root#]wbinfo -u
Error looking up domain users

[root#]wbinfo -D HIZILIN.COM
Name              : HIZILIN
Alt_Name          : HIZILIN.COM
SID               : S-1-5-21-2458468695-833675311-4109839019
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : -1

[root#]wbinfo -a xiaoqiang%pass#word3
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user xiaoqiang%pass#word3 with plaintext password
challenge/response password authentication succeeded

[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass      
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Configuration files:
[root#]grep -v "^;" /etc/samba/smb.conf |grep -v "^#"|grep -v "^$"
[global]
workgroup = HIZILIN
   server string = SSSSSS
   security = ads
username map = /etc/samba/smbusers
cups options = raw
   log file = /var/log/samba/%m.log
   max log size = 50
realm = HIZILIN.COM
   wins server = 192.168.0.93
   dns proxy = no

[root#]grep -v "^;" /etc/krb5.conf |grep -v "^#"|grep -v "^$"     
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HIZILIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.hizilin.com = HIZILIN.COM
hizilin.com = HIZILIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
   
[realms]
HIZILIN.COM = {
kdc = HIZILIN.COM:88
}

[root#]grep -v "^;" /etc/nsswitch.conf |grep -v "^#"|grep -v "^$"
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

[root#]hostname
china

[root#]cat /etc/hosts
127.0.0.1 china
::1 china
192.168.0.93 HIZILIN.COM

[root#]cat /etc/resolv.conf
search china
nameserver 192.168.0.93
nameserver 218.56.57.58

Samba-related logs
[root#]cat smbd.log
[2009/04/17 10:47:28, 0] smbd/server.c:main(847)
  smbd version 3.0.23c-2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2009/04/17 10:47:28, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 10:47:28, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 10:47:28, 0] printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2009/04/17 11:08:25, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:08:25, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused

[root#]cat nmbd.log
[2009/04/17 10:47:31, 0] nmbd/nmbd.c:main(700)
  Netbios nameserver version 3.0.23c-2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2009/04/17 10:53:17, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
  *****
  
  Samba name server CHINA is now a local master browser for workgroup HIZILIN on subnet 192.168.0.82
  
  *****
[root#]cat winbindd.log
[2009/04/17 10:54:17, 1] nsswitch/winbindd.c:main(953)
  winbindd version 3.0.23c-2 started.
  Copyright The Samba Team 2000-2004
[2009/04/17 10:54:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
  winbindd: idmap uid range missing or invalid
[2009/04/17 10:54:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(78
  winbindd: cannot continue, exiting.
[2009/04/17 10:54:17, 1] nsswitch/winbindd.c:main(986)
  Could not init idmap -- netlogon proxy only
[2009/04/17 10:54:17, 0] lib/pidfile.c:pidfile_create(93)
  ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 6721 is running.
[2009/04/17 11:10:50, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error

[root#]cat log.wb-HIZILIN
[2009/04/17 10:57:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:02:56, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:18:09, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:23:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:28:33, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error

Please help me analyze where this goes wrong. In particular, in the two ntlm_auth commands, why does --password=pass report NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a),
while --password=pass#word3 reports NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)?
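As an added example that is not part of the original post: a small POSIX shell lint for the [global] section of an smb.conf, checking for the idmap ranges that the winbindd.log above reports as missing ("idmap uid range missing or invalid", after which winbindd runs as a netlogon proxy only). It assumes the Samba 3.0 parameter names idmap uid and idmap gid; the sample smb.conf is a constructed copy of the one in the post.

```shell
#!/bin/sh
# Added example, not from the post: lint the [global] section of an smb.conf for
# the winbind settings that the post's winbindd.log reports as missing.
# Assumes the Samba 3.0 parameter names "idmap uid" and "idmap gid".

# smb_global_value FILE KEY: print KEY's value from [global] (empty if absent)
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global && /=/ && !/^[ \t]*[;#]/ {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# valid_range VALUE: succeed only for LOW-HIGH with LOW < HIGH
valid_range() {
    case "$1" in "" | *[!0-9-]* | -* | *- | *-*-*) return 1 ;; esac
    [ "${1%-*}" -lt "${1#*-}" ]
}

# lint_winbind_conf FILE: print one problem per line; succeed only when clean
lint_winbind_conf() {
    problems=0
    for key in "idmap uid" "idmap gid"; do
        if ! valid_range "$(smb_global_value "$1" "$key")"; then
            echo "missing or invalid '$key' range: winbindd cannot init idmap"
            problems=$((problems + 1))
        fi
    done
    if [ "$(smb_global_value "$1" security)" = ads ] &&
       [ -z "$(smb_global_value "$1" realm)" ]; then
        echo "security = ads requires a realm"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: the [global] section shown in the post (no idmap ranges)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
workgroup = HIZILIN
   security = ads
realm = HIZILIN.COM
EOF
lint_winbind_conf "$SAMPLE" || echo "smb.conf needs fixing before winbind will work"
```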

#2  Posted on 2009-04-17 12:15

Reply to #1, hiziqin's post

Are you using freeradius together with 2003 Active Directory?
Or only one of the two?

#3  Posted on 2009-04-17 12:48
Both together. The user accounts are stored in 2003 Active Directory; RADIUS compares the end user's username and password against the accounts in Active Directory to authenticate them.

#4  Posted on 2009-04-20 13:28
Why has nobody replied? Still looking for a way to solve this problem!