论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2009-04-17 11:52 |只看该作者 |倒序浏览

最近在做freeradius+windows Active Directory ，在实验过程中遇到了几个问题，请各位大侠们指点以下
已知环境：系统大环境为fc6，samba安装采用yum install ，版本为Version 3.0.23c-2. Active Directory 为windows server 2003

standard edition ，ip地址为192.168.0.93, 域名为HIZILIN.COM .已知Active Directory中有帐号xiaoqiang ,密码：pass#word3

问题情况：在fc6大环境下安装的samba移植到一个经过裁剪的小系统上，出现了下列错误。
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
而这种配置在fc6大环境下去可以通过验证。我的操作步骤、配置文件及log日志如下，请各位大侠们帮忙分析一下。
步骤如下：
[root#] kinit Administrator@HIZILIN.COM
Password for Administrator@HIZILIN.COM:
[root#]/usr/kerberos/bin/klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@HIZILIN.COM

Valid starting    Expires          Service principal
04/17/09 10:52:49  04/17/09 20:52:59  krbtgt/HIZILIN.COM@HIZILIN.COM
      renew until 04/18/09 10:52:49
[root#]net ads join -U Administrator%tao123456789
[2009/04/17 11:09:31, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Operations error

[root#]net rpc join -U Administrator%tao123456789
Joined domain HIZILIN.

[root#]smbclient -L HIZILIN.COM -U xiaoqiang%pass#word3
Domain=[HIZILIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

      Sharename    Type    Comment
      ---------    ----    -------
      IPC$          IPC          NETLOGON       Disk    Logon server share
      ADMIN$       Disk          SYSVOL       Disk    Logon server share
      C$             Disk    session request to HIZILIN.COM failed (Called name not present)
session request to HIZILIN failed (Called name not present)
Domain=[HIZILIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

      Server             Comment
      ---------          -------
      2K3SERVER
      CHINA             SSSSSS
      LOCALHOST          Linux Samba

      Workgroup          Master
      ---------          -------
      HIZILIN             2K3SERVER
      MSHOME             GAO
      WORKGROUP          JUJUMAO

[root#]wbinfo -t
checking the trust secret via RPC calls succeeded

[root#]wbinfo -g
Error looking up domain groups

[root#]wbinfo -u
Error looking up domain users

[root#]wbinfo -D HIZILIN.COM
Name             : HIZILIN
Alt_Name       : HIZILIN.COM
SID             : S-1-5-21-2458468695-833675311-4109839019
Active Directory  : Yes
Native          : No
Primary          : Yes
Sequence       : -1

[root#]wbinfo -a xiaoqiang%pass#word3
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user xiaoqiang%pass#word3 with plaintext password
challenge/response password authentication succeeded

[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

配置文件如下：
[root#]grep -v "^;" /etc/samba/smb.conf |grep -v "^#"|grep -v "^$"
[global]
workgroup = HIZILIN
server string = SSSSSS
security = ads
username map = /etc/samba/smbusers
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
realm = HIZILIN.COM
wins server = 192.168.0.93
dns proxy = no

[root#]grep -v "^;" /etc/krb5.conf |grep -v "^#"|grep -v "^$"
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HIZILIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.hizilin.com = HIZILIN.COM
hizilin.com = HIZILIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[realms]
HIZILIN.COM = {
kdc = HIZILIN.COM:88
}

[root#]grep -v "^;" /etc/nsswitch.conf |grep -v "^#"|grep -v "^$"
passwd:    files winbind
shadow:    files winbind
group:    files winbind
hosts:    files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:    files
netmasks: files
networks: files
protocols:  files winbind
rpc:       files
services: files winbind
netgroup: files winbind
publickey:  nisplus
automount:  files winbind
aliases: files nisplus

[root#]hostname
china

[root#]cat /etc/hosts
127.0.0.1 china
::1 china
192.168.0.93 HIZILIN.COM

[root#]cat /etc/resolv.conf
search china
nameserver 192.168.0.93
nameserver 218.56.57.58

samba相关log
[root#]cat smbd.log
[2009/04/17 10:47:28, 0] smbd/server.c:main(847)
  smbd version 3.0.23c-2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2009/04/17 10:47:28, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 10:47:28, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 10:47:28, 0] printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2009/04/17 11:08:25, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:08:25, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused

[root#]cat nmbd.log
[2009/04/17 10:47:31, 0] nmbd/nmbd.c:main(700)
  Netbios nameserver version 3.0.23c-2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2009/04/17 10:53:17, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
  *****

  Samba name server CHINA is now a local master browser for workgroup HIZILIN on subnet 192.168.0.82

  *****
[root#]cat winbindd.log
[2009/04/17 10:54:17, 1] nsswitch/winbindd.c:main(953)
  winbindd version 3.0.23c-2 started.
  Copyright The Samba Team 2000-2004
[2009/04/17 10:54:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
  winbindd: idmap uid range missing or invalid
[2009/04/17 10:54:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(78

  winbindd: cannot continue, exiting.
[2009/04/17 10:54:17, 1] nsswitch/winbindd.c:main(986)
  Could not init idmap -- netlogon proxy only
[2009/04/17 10:54:17, 0] lib/pidfile.c:pidfile_create(93)
  ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 6721 is running.
[2009/04/17 11:10:50, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error

[root#]cat log.wb-HIZILIN
[2009/04/17 10:57:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:02:56, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:18:09, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:23:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:28:33, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error

请各位大侠们给分析一下，哪里出错了。尤其是在两个ntlm_auth命令中为什么用--password=pass 就提示NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
而用--password=pass#word3时就提示NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)呢？