一次Winbind登录故障记录
缘起
现有十多台已加入Windows Server活动目录的CentOS6主机,无法使用域账号登录,只能使用本机系统登录。
该集群主机运行服务正常,网络服务正常。
思路
- 长时间无域账号登录导致的脱域;
- Samba版本升级引起的配置文件错误(丢失或配置项变更)。
排错
使用root账号登录重新加域
# 清空缓存 net cache flush rm -f /var/lib/samba/*.tdb # 重新加域 net ads join -U administrator@DOMAIN.com
加域之后无法登录,id username 无法拉取最近用户
# AD连接测试失败 [root@server ~]# wbinfo -t checking the trust secret for domain EXAMPLE via RPC calls failed wbcCheckTrustCredentials(EXAMPLE): error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233) failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR Could not check secret [root@server ~]# wbinfo -P checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUN [root@server ~]# wbinfo --verbose -i DOMAIN+username failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user DOMAIN+username
修改配置文件,同步域账号
# There are BUILTIN domains on an AD server and the default "*" 'tdb' backend and range are needed to map the users not included in the other mapped domains. Not having this backend still causes a mapping error even if the user being mapped is not included in that range. [root@server ~]# vim /etc/samba/smb.conf …… idmap config * : backend = tdb idmap config DOMAIN:default = yes …… [root@server ~]# service winbind restart # 配置完成之后测试 [root@server ~]# wbinfo -t checking the trust secret for domain FIRSTSHARE via RPC calls succeeded [root@server ~]# wbinfo -p Ping to winbindd succeeded
参考:
连接之后断开
# 经检查 /etc/log/secure 出现如下日志,可以排除sshd.conf配置项目,并将怀疑目标集中到pam模块 Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.28.0.41 user=sujx Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_krb5[46730]: authentication fails for 'sujx' (sujx@domain.com): Authentication failure (KDC reply did not match expectations) Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_winbind(sshd:auth): getting password (0x00000210) Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_winbind(sshd:auth): pam_get_item returned a password Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_winbind(sshd:auth): user 'sujx' granted access Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_krb5[46730]: account checks fail for 'sujx': unknown reason -1765328237 (KDC reply did not match expectations) Feb 15 18:09:48 vlnx101025 sshd[46730]: pam_winbind(sshd:account): user 'sujx' granted access Feb 15 18:09:48 vlnx101025 sshd[46731]: fatal: Access denied for user sujx by PAM account configuration Feb 15 18:09:48 vlnx101025 sshd[46730]: Failed password for sujx from 172.28.0.41 port 9366 ssh2 # 检查 /etc/pam.d/system-auth 无误 # 检查 /etc/security/pam_winbind.conf 无误 # 检查 /etc/sysconfig/authconfig 无误 # 重新查看日志,从“KDC reply did not match expectations”入手 # 错误重现 [root@server ~]# kinit sujx KDC reply did not match expectations # 可正常登录 [root@server ~]# kinit sujx@DOMAIN.COM [root@vlnx101025 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: sujx@DOMAIN.COM # 重新检查SAMBA配置文件 [root@server ~]# vim /etc/samba/smb.conf …… # 将realm选项由小写改为大写 # realm = domain.com realm = DOMAIN.COM …… [root@server ~]# service winbind restart # 然后可正常登录
完工
CentOS7+SSSD比CentOS6+Winbind稳定多了,这么多机器极少出现上述无法登录的情况。
All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.