I have recently been working on freeradius + Windows Active Directory and ran into a few problems during testing; I would appreciate some pointers from the experts here.
Known environment: the base system is FC6; Samba was installed with yum install, version 3.0.23c-2. Active Directory is Windows Server 2003 Standard Edition, IP address 192.168.0.93, domain name HIZILIN.COM. Active Directory already contains the account xiaoqiang with password pass#word3.
Problem: after the Samba installed on the full FC6 system was moved to a stripped-down small system, the following errors appeared.
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Yet the same configuration passes authentication on the full FC6 system. My steps, configuration files and logs are below; please help me analyze them.
Steps:
[root#] kinit Administrator@HIZILIN.COM
Password for Administrator@HIZILIN.COM:
[root#]/usr/kerberos/bin/klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@HIZILIN.COM
Valid starting Expires Service principal
04/17/09 10:52:49 04/17/09 20:52:59 krbtgt/HIZILIN.COM@HIZILIN.COM
renew until 04/18/09 10:52:49
[root#]net ads join -U Administrator%tao123456789
[2009/04/17 11:09:31, 0] utils/net_ads.c:ads_startup(281)
ads_connect: Operations error
[root#]net rpc join -U Administrator%tao123456789
Joined domain HIZILIN.
[root#]smbclient -L HIZILIN.COM -U xiaoqiang%pass#word3
Domain=[HIZILIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
Sharename Type Comment
--------- ---- -------
IPC$ IPC NETLOGON Disk Logon server share
ADMIN$ Disk SYSVOL Disk Logon server share
C$ Disk session request to HIZILIN.COM failed (Called name not present)
session request to HIZILIN failed (Called name not present)
Domain=[HIZILIN] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]
Server Comment
--------- -------
2K3SERVER
CHINA SSSSSS
LOCALHOST Linux Samba
Workgroup Master
--------- -------
HIZILIN 2K3SERVER
MSHOME GAO
WORKGROUP JUJUMAO
[root#]wbinfo -t
checking the trust secret via RPC calls succeeded
[root#]wbinfo -g
Error looking up domain groups
[root#]wbinfo -u
Error looking up domain users
[root#]wbinfo -D HIZILIN.COM
Name : HIZILIN
Alt_Name : HIZILIN.COM
SID : S-1-5-21-2458468695-833675311-4109839019
Active Directory : Yes
Native : No
Primary : Yes
Sequence : -1
[root#]wbinfo -a xiaoqiang%pass#word3
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user xiaoqiang%pass#word3 with plaintext password
challenge/response password authentication succeeded
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
[root#]ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Configuration files:
[root#]grep -v "^;" /etc/samba/smb.conf |grep -v "^#"|grep -v "^$"
[global]
workgroup = HIZILIN
server string = SSSSSS
security = ads
username map = /etc/samba/smbusers
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
realm = HIZILIN.COM
wins server = 192.168.0.93
dns proxy = no
[root#]grep -v "^;" /etc/krb5.conf |grep -v "^#"|grep -v "^$"
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HIZILIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.hizilin.com = HIZILIN.COM
hizilin.com = HIZILIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
HIZILIN.COM = {
kdc = HIZILIN.COM:88
}
[root#]grep -v "^;" /etc/nsswitch.conf |grep -v "^#"|grep -v "^$"
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
[root#]hostname
china
[root#]cat /etc/hosts
127.0.0.1 china
::1 china
192.168.0.93 HIZILIN.COM
[root#]cat /etc/resolv.conf
search china
nameserver 192.168.0.93
nameserver 218.56.57.58
Samba-related logs
[root#]cat smbd.log
[2009/04/17 10:47:28, 0] smbd/server.c:main(847)
smbd version 3.0.23c-2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
[2009/04/17 10:47:28, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 10:47:28, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 10:47:28, 0] printing/nt_printing.c:nt_printing_init(649)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2009/04/17 11:08:25, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:08:25, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[2009/04/17 11:23:33, 0] printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
[root#]cat nmbd.log
[2009/04/17 10:47:31, 0] nmbd/nmbd.c:main(700)
Netbios nameserver version 3.0.23c-2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
[2009/04/17 10:53:17, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*****
Samba name server CHINA is now a local master browser for workgroup HIZILIN on subnet 192.168.0.82
*****
[root#]cat winbindd.log
[2009/04/17 10:54:17, 1] nsswitch/winbindd.c:main(953)
winbindd version 3.0.23c-2 started.
Copyright The Samba Team 2000-2004
[2009/04/17 10:54:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
winbindd: idmap uid range missing or invalid
[2009/04/17 10:54:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(78
winbindd: cannot continue, exiting.
[2009/04/17 10:54:17, 1] nsswitch/winbindd.c:main(986)
Could not init idmap -- netlogon proxy only
[2009/04/17 10:54:17, 0] lib/pidfile.c:pidfile_create(93)
ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 6721 is running.
[2009/04/17 11:10:50, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
[root#]cat log.wb-HIZILIN
[2009/04/17 10:57:41, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:02:56, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:18:09, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:23:15, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
[2009/04/17 11:28:33, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
Could someone please analyze where the error is? In particular, in the two ntlm_auth commands, why does --password=pass report NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a),
and --password=pass#word3 report NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)?
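Added example, not code from the original post: a small POSIX sh pre-flight check for a security = ads winbind setup like the one above. It parses the [global] section of an smb.conf and flags what the posted winbindd.log complains about: without idmap uid and idmap gid ranges, winbindd 3.0.x starts as "netlogon proxy only", which is consistent with wbinfo -t succeeding while wbinfo -u and wbinfo -g fail. The sample configuration in the block is constructed to mirror the posted smb.conf, and the idmap range values are illustrative assumptions.

```shell
#!/bin/sh
# Added pre-flight check for a "security = ads" winbind setup (example code,
# not from the original post). The idmap range values below are illustrative.

# global_value FILE KEY -> value of KEY in [global] (comments ignored), empty if unset
global_value() {
    sed -n '/^\[global\]/,/^\[/p' "$1" | grep -v '^[[:space:]]*[;#]' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_smb_conf FILE -> prints one finding per line; returns 0 only if clean
check_smb_conf() {
    rc=0
    sec=$(global_value "$1" security)
    [ "$sec" = "ads" ] || { echo "security = '$sec', expected ads for AD membership"; rc=1; }
    realm=$(global_value "$1" realm)
    [ -n "$realm" ] || { echo "realm is not set"; rc=1; }
    case "$realm" in *[[:lower:]]*) echo "realm '$realm' should be upper-case"; rc=1 ;; esac
    # winbindd 3.0.x without these ranges logs "idmap uid range missing or invalid"
    # and continues as "netlogon proxy only": wbinfo -t works, wbinfo -u/-g do not.
    for key in "idmap uid" "idmap gid"; do
        range=$(global_value "$1" "$key")
        case "$range" in
            [0-9]*-[0-9]*) ;;
            *) echo "$key missing or not a LOW-HIGH range (got '$range')"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo: a constructed [global] section mirroring the posted smb.conf (no idmap ranges)
tmp="${TMPDIR:-/tmp}/smb_demo.$$.conf"
printf '%s\n' '[global]' '   workgroup = HIZILIN' '   security = ads' \
    '   realm = HIZILIN.COM' '   wins server = 192.168.0.93' > "$tmp"
if ! check_smb_conf "$tmp"; then
    echo "-> add e.g. 'idmap uid = 10000-20000' and 'idmap gid = 10000-20000', then restart winbindd"
fi
rm -f "$tmp"
```

After changing smb.conf, re-run the same sequence as in the post (wbinfo -t, wbinfo -u, wbinfo -g, then ntlm_auth) to see which layer still fails.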