Mirrana
Asked: 2016-03-06 06:34:21 +0800 CST

Access denied when trying to join an AD domain with CentOS 7

I have been trying for a few days to get these instructions to work, but despite that I still cannot join my domain.

When I run realm discover, I can see my domain just fine:

[root@centos5 ~]# realm discover home.domain.com
home.domain.com
  type: kerberos
  realm-name: HOME.domain.COM
  domain-name: home.domain.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
[root@centos5 ~]#

But when I try to join it, after being asked for the password, I get the following:

[root@centos5 ~]# realm join -U user home.domain.com
Password for user:
See: journalctl REALMD_OPERATION=r158905.22733
realm: Couldn't join realm: Joining the domain home.domain.com failed
[root@centos5 ~]#

journalctl shows the following:

Mar 05 10:37:47 centos5.home.domain.com dbus[731]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Mar 05 10:37:47 centos5.home.domain.com dbus-daemon[731]: dbus[731]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Loaded settings from: /usr/lib64/realmd/realmd-defaults.conf /usr/lib64/realmd/realmd-distro.conf
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: holding daemon: startup
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: starting service
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: connected to bus
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: released daemon: startup
Mar 05 10:37:47 centos5.home.domain.com dbus[731]: [system] Successfully activated service 'org.freedesktop.realmd'
Mar 05 10:37:47 centos5.home.domain.com dbus-daemon[731]: dbus[731]: [system] Successfully activated service 'org.freedesktop.realmd'
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: claimed name on bus: org.freedesktop.realmd
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: client using service: :1.112
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: holding daemon: :1.112
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Using 'r158905.22733' operation for method 'Discover' invocation on 'org.freedesktop.realmd.Provider' interface
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Registered cancellable for operation 'r158905.22733'
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]:  * Resolving: _ldap._tcp.home.domain.com
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]:  * Resolving: _ldap._tcp.home.domain.com
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]:  * Performing LDAP DSE lookup on: 192.168.2.6
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]:  * Performing LDAP DSE lookup on: 192.168.2.6
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Searching  for (objectClass=*)
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Got defaultNamingContext: DC=home,DC=domain,DC=com
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Sending TCP Netlogon request
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]: Received TCP Netlogon response
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]:  * Successfully discovered: home.domain.com
Mar 05 10:37:47 centos5.home.domain.com realmd[22736]:  * Successfully discovered: home.domain.com
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Using 'r158905.22733' operation for method 'Join' invocation on 'org.freedesktop.realmd.KerberosMembership' interface
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Registered cancellable for operation 'r158905.22733'
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: holding daemon: current-invocation
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7OYXDY -U user ads join home.domain.com
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7OYXDY -U user ads join home.domain.com
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: process started: 22742
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Could not initialise message context. Try running as root
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Could not initialise message context. Try running as root
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Failed to join domain: Access is denied
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Failed to join domain: Access is denied
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: process exited: 22742
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  ! Joining the domain home.domain.com failed
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  ! Joining the domain home.domain.com failed
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: released daemon: current-invocation
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: client gone away: :1.112
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: released daemon: :1.112

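What confuses me about the log messages is where it says "Could not initialise message context. Try running as root". I don't know if that means anything, but I am definitely running as root.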

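The other confusing thing is the access denied message. I am 100% sure that I have the correct username and password when trying to join the domain.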

For completeness, I tried following the same instructions that work fine on my CentOS 6 VMs, and I also get an error when running authconfig:

[root@centos5 ~]# authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=HOME --smbrealm=HOME.DOMAIN.COM --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/HOME.ABO PU.COM/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=HOME.DOMAIN.COM --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall
Job for winbind.service failed because the control process exited with error code. See "systemctl status winbind.service" and "journalctl -xe" for details.
[root@centos5 ~]#

And I get the following in journalctl:

Mar 05 10:47:54 centos5.home.domain.com yum[22762]: Updated: krb5-libs-1.13.2-10.el7.x86_64
Mar 05 10:47:55 centos5.home.domain.com yum[22762]: Installed: pam_krb5-2.4.8-4.el7.x86_64
Mar 05 10:47:57 centos5.home.domain.com yum[22762]: Installed: krb5-workstation-1.13.2-10.el7.x86_64
Mar 05 10:47:58 centos5.home.domain.com yum[22762]: Updated: authconfig-6.2.8-10.el7.x86_64
Mar 05 10:48:13 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22831:15953076 (system bus name :1.116 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:13 centos5.home.domain.com systemd[1]: Reloading.
Mar 05 10:48:13 centos5.home.domain.com systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Mar 05 10:48:13 centos5.home.domain.com systemd[1]: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Mar 05 10:48:13 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22831:15953076 (system bus name :1.116, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:14 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22849:15953158 (system bus name :1.117 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:14 centos5.home.domain.com systemd[1]: Stopped Samba Winbind Daemon.
Mar 05 10:48:14 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22849:15953158 (system bus name :1.117, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:14 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22854:15953171 (system bus name :1.118 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:15 centos5.home.domain.com systemd[1]: Starting Samba Winbind Daemon...
Mar 05 10:48:16 centos5.home.domain.com winbindd[22861]: [2016/03/05 10:48:16.221209,  0] ../source3/winbindd/winbindd_cache.c:3235(initialize_winbindd_cache)
Mar 05 10:48:16 centos5.home.domain.com winbindd[22861]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Mar 05 10:48:16 centos5.home.domain.com winbindd[22861]: [2016/03/05 10:48:16.564406,  0] ../source3/winbindd/winbindd_util.c:736(init_domain_list)
Mar 05 10:48:16 centos5.home.domain.com winbindd[22861]:   Could not fetch our SID - did we join?
Mar 05 10:48:16 centos5.home.domain.com winbindd[22861]: [2016/03/05 10:48:16.564586,  0] ../source3/winbindd/winbindd.c:1294(winbindd_register_handlers)
Mar 05 10:48:16 centos5.home.domain.com winbindd[22861]:   unable to initialize domain list
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: winbind.service: main process exited, code=exited, status=1/FAILURE
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: Failed to start Samba Winbind Daemon.
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: Unit winbind.service entered failed state.
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: winbind.service failed.
Mar 05 10:48:16 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22854:15953171 (system bus name :1.118, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:16 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22864:15953418 (system bus name :1.119 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: Reloading.
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Mar 05 10:48:16 centos5.home.domain.com systemd[1]: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Mar 05 10:48:16 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22864:15953418 (system bus name :1.119, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22882:15953455 (system bus name :1.120 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:17 centos5.home.domain.com systemd[1]: Stopped privileged operations for unprivileged applications.
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22882:15953455 (system bus name :1.120, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22887:15953465 (system bus name :1.121 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:17 centos5.home.domain.com systemd[1]: Started privileged operations for unprivileged applications.
Mar 05 10:48:17 centos5.home.domain.com systemd[1]: Starting privileged operations for unprivileged applications...
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22887:15953465 (system bus name :1.121, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22901:15953526 (system bus name :1.123 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:17 centos5.home.domain.com systemd[1]: Stopped System Security Services Daemon.
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22901:15953526 (system bus name :1.123, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:17 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22907:15953544 (system bus name :1.124 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:17 centos5.home.domain.com systemd[1]: Reloading.
Mar 05 10:48:18 centos5.home.domain.com systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Mar 05 10:48:18 centos5.home.domain.com systemd[1]: Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Mar 05 10:48:18 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22907:15953544 (system bus name :1.124, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 05 10:48:18 centos5.home.domain.com polkitd[856]: Registered Authentication Agent for unix-process:22925:15953582 (system bus name :1.125 [/usr/bin/pkttyagent --notify-fd 47 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 05 10:48:18 centos5.home.domain.com polkitd[856]: Unregistered Authentication Agent for unix-process:22925:15953582 (system bus name :1.125, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

What could be causing this?

active-directory
2 Answers

  1. Best Answer
    XtraSimplicity
    2016-05-12T05:12:26+08:00

    I ran into this problem and (after hours of investigation) was able to resolve it by upgrading my packages with yum, i.e.:

    yum upgrade

    • 1
  2. Goulart
    2016-03-11T02:24:45+08:00

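    Agent 154.

    I believe you must create the machine account (computer account) beforehand in an AD container where the user (i.e. the user supplied to the "realm join" command) has full access.

    Hope that helps.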

    • 0
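
The journal excerpt in the question logs most realmd messages twice and buries the failing step between daemon housekeeping lines. As an added example (not part of the original posts), this POSIX shell function reduces such output to the helper realmd spawned for the join and the error it reported; the function names, the key=value output format and the embedded sample (lines copied from the question's journal) are assumptions of this example.

```bash
#!/bin/sh
# Added example: reduce a realmd join journal to the failing step.
# Live use: journalctl REALMD_OPERATION=<id printed by realm> | realmd_join_summary

# Constructed sample: lines copied from the journal excerpt in the question.
sample_journal() {
cat <<'EOF'
Mar 05 10:37:47 centos5.home.domain.com dbus[731]: [system] Successfully activated service 'org.freedesktop.realmd'
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Using 'r158905.22733' operation for method 'Join' invocation on 'org.freedesktop.realmd.KerberosMembership' interface
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7OYXDY -U user ads join home.domain.com
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7OYXDY -U user ads join home.domain.com
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: process started: 22742
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Could not initialise message context. Try running as root
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Could not initialise message context. Try running as root
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Failed to join domain: Access is denied
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: Failed to join domain: Access is denied
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]: process exited: 22742
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  ! Joining the domain home.domain.com failed
Mar 05 10:37:49 centos5.home.domain.com realmd[22736]:  ! Joining the domain home.domain.com failed
EOF
}

# Reads journal text on stdin, prints one key=value line per finding.
realmd_join_summary() {
  awk '
    !/ realmd\[[0-9]+\]: / { next }                 # keep realmd messages only
    { msg = $0; sub(/^.* realmd\[[0-9]+\]: /, "", msg) }
    seen[msg]++ { next }                            # drop the doubled lines
    msg ~ /^ \* LANG=C / {                          # helper spawned for the join
      n = split(msg, w, " ")
      for (i = 1; i <= n; i++) if (w[i] ~ /^\//) { print "helper=" w[i]; break }
      next
    }
    msg ~ /^Failed to join domain: / {
      sub(/^Failed to join domain: /, "", msg); print "reason=" msg; next
    }
    msg ~ /^ ! /        { sub(/^ ! /, "", msg); print "result=" msg; next }
    msg ~ /^Could not / { print "warning=" msg }
  '
}

sample_journal | realmd_join_summary
```

On the question's log this reports the helper as /usr/bin/net and the reason as "Access is denied", which places the rejection in the join call itself, after discovery had already succeeded.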
