
Kerberos CLIENT_NOT_FOUND while logon from WinXP to Ubuntu16.04 Samba Domain

Since Samba is meanwhile fully able to act as an Active Directory replacement, I plan to set it up for a school network (using old XP and Win7 clients). I installed all my packages from the Ubuntu 16.04 LTS repos.

Setting up the server worked pretty well, but after joining the domain via WinXP, I cannot log on: "username or domain not found".

/var/log/auth.log

Mar 26 14:41:39 server krb5kdc[967]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.103: CLIENT_NOT_FOUND: chrglo@FSG for krbtgt/FSG@FSG, Client not found in Kerberos database
Mar 26 14:41:39 server krb5kdc[967]: DISPATCH: repeated (retransmitted?) request from 192.168.0.103, resending previous response

But the account chrglo exists within Kerberos:

fsgadmin@server:~$ kinit chrglo
Password for chrglo@FSG.LAN:
fsgadmin@server:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000

Default principal: chrglo@FSG.LAN
Valid starting       Expires              Service principal
26.03.2018 14:43:42  27.03.2018 00:43:42  krbtgt/FSG.LAN@FSG.LAN
renew until 27.03.2018 14:43:39

I tried several(!) Google results dealing with various (but not identical) issues of that kind. But none of them helped.

Here's my Kerberos configuration:

/etc/krb5.conf

[libdefaults]
    default_realm = FSG.LAN
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    FSG.LAN = {
            kdc = server.fsg:88
            admin_server = server.fsg:749
            default_domain = FSG
    }

[domain_realm]
    .fsg.lan = FSG.LAN
    fsg.lan = FSG.LAN

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

and my Samba configuration:

/etc/samba/smb.conf

[global]
    workgroup = FSG
    realm = FSG.LAN
    netbios name = SERVER
    server role = active directory domain controller
    dns forwarder = 192.168.0.254
    idmap_ldb:use rfc2307 = yes

Here are some screenshots from the XP client (btw both server and client are running within a VirtualBox): the client was added to the domain and offers to log on using it, but stops after the (previously noticed) error message.

Client joined the domain

Client at domain logon screen

Error after logon try

Has anyone an idea where I screwed up the configuration?

Glocke

/EDIT: for the sake of providing more information: DHCP is done via an external piece.

/etc/hosts

127.0.0.1   localhost localhost.fsg

192.168.0.250   server.fsg server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/EDIT2: requested ipconfig / ifconfig:

ipconfig /all on xp client

on Server:

fsgadmin@server:~$ ifconfig
enp0s3    Link encap:Ethernet  Hardware Adresse 08:00:27:ef:bc:56  
      inet Adresse:192.168.0.250  Bcast:192.168.0.255  Maske:255.255.255.0
      inet6-Adresse: fe80::a00:27ff:feef:bc56/64 Gültigkeitsbereich:Verbindung
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
      RX-Pakete:154 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
      TX-Pakete:82 Fehler:0 Verloren:0 Überläufe:0 Träger:0
      Kollisionen:0 Sendewarteschlangenlänge:1000 
      RX-Bytes:18341 (18.3 KB)  TX-Bytes:11263 (11.2 KB)

lo        Link encap:Lokale Schleife  
      inet Adresse:127.0.0.1  Maske:255.0.0.0
      inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
      UP LOOPBACK RUNNING  MTU:65536  Metrik:1
      RX-Pakete:650 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
      TX-Pakete:650 Fehler:0 Verloren:0 Überläufe:0 Träger:0
      Kollisionen:0 Sendewarteschlangenlänge:1 
      RX-Bytes:52072 (52.0 KB)  TX-Bytes:52072 (52.0 KB)

Furthermore: while the client joins the domain, some auth.log is happening on the server (I used the Samba builtin Administrator account information while joining):

Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response

Also, stuff is logged to samba/log.samba:

[2018/04/10 16:13:45.999444,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
[2018/04/10 16:13:46.002791,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 621, in <module>
[2018/04/10 16:13:46.006441,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     get_credentials(lp)
[2018/04/10 16:13:46.006826,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
[2018/04/10 16:13:46.006930,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2018/04/10 16:13:46.007037,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: RuntimeError: kinit for SERVER$@FSG.LAN failed (Cannot contact any KDC for requested realm)
[2018/04/10 16:13:46.007099,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: 
[2018/04/10 16:13:46.021901,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED

Problem solved: Samba provides its own Kerberos administration server, so there is no need to install one yourself :S
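The condition named in the resolution (a separately installed Kerberos server running beside Samba's own) is visible in the artefacts the question already shows. This added example, which is not part of the original post, checks constructed copies of the auth.log lines and smb.conf; the function names and report keys are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log lines and smb.conf quoted in the question.
AUTH_LOG = """\
Mar 26 14:41:39 server krb5kdc[967]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.103: CLIENT_NOT_FOUND: chrglo@FSG for krbtgt/FSG@FSG, Client not found in Kerberos database
Mar 26 14:41:39 server krb5kdc[967]: DISPATCH: repeated (retransmitted?) request from 192.168.0.103, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
"""
SMB_CONF = """\
[global]
    workgroup = FSG
    realm = FSG.LAN
    server role = active directory domain controller
"""

# Daemon name, source address, status code and client principal of an AS_REQ log line.
AS_REQ = re.compile(
    r"(?P<proc>[\w.-]+)\[\d+\]: AS_REQ \([^)]*\) (?P<src>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+)@(?P<realm>\S+) for ")

def smb_globals(text):
    """Return the key/value pairs of smb.conf as a dict with lower-cased keys."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def diagnose(auth_log, smb_conf):
    conf = smb_globals(smb_conf)
    is_ad_dc = conf.get("server role", "").lower() == "active directory domain controller"
    hits = [m.groupdict() for m in map(AS_REQ.search, auth_log.splitlines()) if m]
    failed = [h for h in hits if h["status"] == "CLIENT_NOT_FOUND"]
    return {
        # krb5kdc is the stand-alone MIT daemon; a Samba AD DC answers from the samba process.
        "standalone_kdc_on_ad_dc": is_ad_dc and any(h["proc"] == "krb5kdc" for h in hits),
        "not_found": Counter(f"{h['client']}@{h['realm']}" for h in failed),
        # Realm names are case-sensitive, so fsg.lan is reported as differing from FSG.LAN.
        "realms_not_matching_smb_conf": sorted({h["realm"] for h in failed} - {conf.get("realm")}),
    }

if __name__ == "__main__":
    for key, value in diagnose(AUTH_LOG, SMB_CONF).items():
        print(f"{key}: {value}")
```

A true `standalone_kdc_on_ad_dc` means the Kerberos requests are reaching a daemon that does not read Samba's account database, which matches the CLIENT_NOT_FOUND replies for accounts that exist in the domain.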
