Kerberos CLIENT_NOT_FOUND while logon from WinXP to Ubuntu16.04 Samba Domain

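Since Samba is fully capable of replacing Active Directory, I am planning to set it up for a school network (with old XP and Win7 clients). I installed all packages from the Ubuntu 16.04 LTS repositories.

Setting up the server worked well, but after joining the domain from WinXP I cannot log on: "The user name or domain could not be found".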

/var/log/auth.log

Mar 26 14:41:39 server krb5kdc[967]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.103: CLIENT_NOT_FOUND: chrglo@FSG for krbtgt/FSG@FSG, Client not found in Kerberos database
Mar 26 14:41:39 server krb5kdc[967]: DISPATCH: repeated (retransmitted?) request from 192.168.0.103, resending previous response

But the account chrglo does exist in Kerberos:

fsgadmin@server:~$ kinit chrglo
Password for chrglo@FSG.LAN:
fsgadmin@server:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: chrglo@FSG.LAN

Valid starting       Expires              Service principal
26.03.2018 14:43:42  27.03.2018 00:43:42  krbtgt/FSG.LAN@FSG.LAN
renew until 27.03.2018 14:43:39

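I tried several (!) Google results dealing with various (but not quite identical) problems of this kind, but none of them helped.

Here is my Kerberos configuration: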

/etc/krb5.conf

[libdefaults]
    default_realm = FSG.LAN
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    FSG.LAN = {
            kdc = server.fsg:88
            admin_server = server.fsg:749
            default_domain = FSG
    }

[domain_realm]
    .fsg.lan = FSG.LAN
    fsg.lan = FSG.LAN

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

And my Samba configuration:

/etc/samba/smb.conf

[global]
    workgroup = FSG
    realm = FSG.LAN
    netbios name = SERVER
    server role = active directory domain controller
    dns forwarder = 192.168.0.254
    idmap_ldb:use rfc2307 = yes

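Here are some screenshots from the XP client (server and client both run in VirtualBox): the client has been added to the domain and offers a logon using that domain, but stops with the (previously noted) error message.

[Screenshot: client joined to the domain]

[Screenshot: client at the domain logon screen]

[Screenshot: error after logon attempt]

Does anyone know where I messed up the configuration?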

格洛克

/EDIT: To provide more information: DHCP is handled by an external device.

/etc/hosts

127.0.0.1   localhost localhost.fsg

192.168.0.250   server.fsg server

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/EDIT2: The requested ipconfig / ifconfig:

[Screenshot: ipconfig /all on the XP client]

On the server:

fsgadmin@server:~$ ifconfig
enp0s3    Link encap:Ethernet  Hardware Adresse 08:00:27:ef:bc:56  
      inet Adresse:192.168.0.250  Bcast:192.168.0.255  Maske:255.255.255.0
      inet6-Adresse: fe80::a00:27ff:feef:bc56/64 Gültigkeitsbereich:Verbindung
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
      RX-Pakete:154 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
      TX-Pakete:82 Fehler:0 Verloren:0 Überläufe:0 Träger:0
      Kollisionen:0 Sendewarteschlangenlänge:1000 
      RX-Bytes:18341 (18.3 KB)  TX-Bytes:11263 (11.2 KB)

lo        Link encap:Lokale Schleife  
      inet Adresse:127.0.0.1  Maske:255.0.0.0
      inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
      UP LOOPBACK RUNNING  MTU:65536  Metrik:1
      RX-Pakete:650 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
      TX-Pakete:650 Fehler:0 Verloren:0 Überläufe:0 Träger:0
      Kollisionen:0 Sendewarteschlangenlänge:1 
      RX-Bytes:52072 (52.0 KB)  TX-Bytes:52072 (52.0 KB)

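Additionally: some auth.log entries that appear on the server while the client joins the domain (I used the Samba built-in Administrator account credentials when joining):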

Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
Apr 10 16:11:54 server krb5kdc[1037]: DISPATCH: repeated (retransmitted?) request from 192.168.0.235, resending previous response

Likewise, this gets logged to samba/log.samba:

[2018/04/10 16:13:45.999444,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
[2018/04/10 16:13:46.002791,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 621, in <module>
[2018/04/10 16:13:46.006441,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     get_credentials(lp)
[2018/04/10 16:13:46.006826,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 125, in get_credentials
[2018/04/10 16:13:46.006930,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate:     raise e
[2018/04/10 16:13:46.007037,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: RuntimeError: kinit for SERVER$@FSG.LAN failed (Cannot contact any KDC for requested realm)
[2018/04/10 16:13:46.007099,  0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: 
[2018/04/10 16:13:46.021901,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
  ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_ACCESS_DENIED

Problem solved: Samba provides its own Kerberos admin server - there is no need to install one yourself :S
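
An added example, not part of the original post: a small triage script for auth.log lines like the ones quoted above. It flags AS_REQ failures logged by a `krb5kdc` daemon on a host where Samba's built-in KDC is expected (the situation the post's resolution describes) and requests whose realm differs from the configured one. The sample lines are constructed from the post's excerpts; the function names and the `builtin_kdc_expected` parameter are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the krb5kdc lines quoted in the post.
SAMPLE_LOG = """\
Mar 26 14:41:39 server krb5kdc[967]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.103: CLIENT_NOT_FOUND: chrglo@FSG for krbtgt/FSG@FSG, Client not found in Kerberos database
Mar 26 14:41:39 server krb5kdc[967]: DISPATCH: repeated (retransmitted?) request from 192.168.0.103, resending previous response
Apr 10 16:11:54 server krb5kdc[1037]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.235: CLIENT_NOT_FOUND: Administrator@fsg.lan for krbtgt/fsg.lan@fsg.lan, Client not found in Kerberos database
"""

AS_REQ = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<daemon>[\w.-]+)\[\d+\]:\s"
    r"AS_REQ\s\(.*?\)\s(?P<src>[\d.]+):\s(?P<status>[A-Z_]+):\s"
    r"(?P<client>\S+)@(?P<realm>\S+)\sfor\s(?P<service>[^,\s]+)"
)

def parse_as_req(log_text):
    """Return one dict per AS_REQ line; DISPATCH and other lines are skipped."""
    return [m.groupdict() for m in map(AS_REQ.match, log_text.splitlines()) if m]

def triage(log_text, expected_realm, builtin_kdc_expected=True):
    """Summarise CLIENT_NOT_FOUND events and list what deserves a closer look."""
    failures = [e for e in parse_as_req(log_text) if e["status"] == "CLIENT_NOT_FOUND"]
    findings = []
    if builtin_kdc_expected and any(e["daemon"] == "krb5kdc" for e in failures):
        # Assumption: this DC serves Kerberos from the samba process, so a
        # krb5kdc log tag points at a second KDC with its own principal database.
        findings.append("krb5kdc is answering AS_REQs where Samba's built-in KDC is expected")
    # Realm names are case-sensitive, so the comparison is exact on purpose.
    for realm, n in Counter(e["realm"] for e in failures).items():
        if realm != expected_realm:
            findings.append(f"{n} request(s) for realm {realm!r}, expected {expected_realm!r}")
    by_source = Counter((e["src"], f'{e["client"]}@{e["realm"]}') for e in failures)
    return {"findings": findings, "by_source": dict(by_source)}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, expected_realm="FSG.LAN")
    for line in report["findings"]:
        print("FINDING:", line)
    for (src, principal), n in report["by_source"].items():
        print(f"{src} {principal} x{n}")
```
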
