我在
Samba AD DC HOWTO之后在ubuntu 14.04上设置了一个samba 4活动目录.原则上一切都运行良好,但我仍然坚持使用SPN为Web应用程序运行kerberos身份验证.
当我试图跑
@H_404_40@当我试图跑
kinit -k -t keytabfile http/myserver.mycompany.com
我总是得到一个
kinit: Client not found in Kerberos database while getting initial credentials
到目前为止我已经检查过的内容:
> DNS正在向前和向后返回FQN
> kinit使用用户名
> nsserver和webserver上的nslookup返回了myserver.mycompany.com
> myserver allready已加入域名并列入
CN =电脑,DC = myCompany中,DC = COM
>没有公开的SPN
我创建了服务帐户/ SPNs / keytabs,如下所示:
samba-tool user create $ADS_USER $ADS_PW --userou=$USER_OU samba-tool user setexpiry --noexpiry $ADS_USER samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN} $ADS_USER samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST} $ADS_USER samba-tool spn list $ADS_USER rm -f $MY_KEYTAB samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN} samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}
跑步的时候
klist -k -e $MY_KEYTAB
一切都很好:
root@myhost:~# klist -ke ./test.keytab Keytab name: FILE:./test.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc) 1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5) 1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac) 1 http/myserver@MYCOMPANY.COM (des-cbc-crc) 1 http/myserver@MYCOMPANY.COM (des-cbc-md5) 1 http/myserver@MYCOMPANY.COM (arcfour-hmac)
我迷路了,在谷歌研究了几个小时,不知道如何解决/修复“Kerberos数据库中找不到客户端”错误.任何提示都是受欢迎的!
谢谢
我在客户端上的“/etc/krb5.conf”
[libdefaults] debug = true default_realm = MYCOMPANY.COM dns_lookup_realm = false dns_lookup_kdc = false default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac [realms] MYCOMPANY.COM = { kdc = dc01.mycompany.com admin_server = dc01.mycompany.com kpasswd_server = dc01.mycompany.com #ktpasswd_server = dc01.mycompany.com #admin_server = dc01.mycompany.com } [domain_realm] .mycompany.com = MYCOMPANY.COM mycompany.com = MYCOMPANY.COM
在dc服务器/etc/samba/smb.conf上
[global] debug level = 1 syslog = 1 max log size = 0 workgroup = MYCOMPANY realm = MYCOMPANY.COM netbios name = DC01 server role = active directory domain controller server string = MYCOMPANY domain controller server role check:inhibit = yes dns forwarder = 192.168.22.1 idmap_ldb:use rfc2307 = yes