Problems with ntlm_auth when using freeradius + Active Directory
I have recently been working on freeradius + Windows Active Directory and ran into a few problems during the experiment; I would appreciate some pointers from the experts here.
Known environment: the base system is FC6; samba was installed with yum install, version 3.0.23c-2. Active Directory is Windows Server 2003
Standard Edition, IP address 192.168.0.93, domain name HIZILIN.COM. Active Directory contains the account xiaoqiang with password pass#word3.
Problem: when the samba installed in the full FC6 environment is moved to a trimmed-down small system, the following errors appear.
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
The same configuration passes authentication in the full FC6 environment. My steps, configuration files and logs are below; please help me analyse them.
Steps:
kinit Administrator@HIZILIN.COM
Password for Administrator@HIZILIN.COM:
/usr/kerberos/bin/klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@HIZILIN.COM
Valid starting Expires Service principal
04/17/09 10:52:49 04/17/09 20:52:59 krbtgt/HIZILIN.COM@HIZILIN.COM
renew until 04/18/09 10:52:49
net ads join -U Administrator%tao123456789
utils/net_ads.c:ads_startup(281)
ads_connect: Operations error
net rpc join -U Administrator%tao123456789
Joined domain HIZILIN.
smbclient -L HIZILIN.COM -U xiaoqiang%pass#word3
Domain= OS= Server=
Sharename Type Comment
--------- ---- -------
IPC$ IPC
NETLOGON Disk Logon server share
ADMIN$ Disk
SYSVOL Disk Logon server share
C$ Disk
session request to HIZILIN.COM failed (Called name not present)
session request to HIZILIN failed (Called name not present)
Domain= OS= Server=
Server Comment
--------- -------
2K3SERVER
CHINA SSSSSS
LOCALHOST Linux Samba
Workgroup Master
--------- -------
HIZILIN 2K3SERVER
MSHOME GAO
WORKGROUP JUJUMAO
wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -g
Error looking up domain groups
wbinfo -u
Error looking up domain users
wbinfo -D HIZILIN.COM
Name : HIZILIN
Alt_Name : HIZILIN.COM
SID : S-1-5-21-2458468695-833675311-4109839019
Active Directory : Yes
Native : No
Primary : Yes
Sequence : -1
wbinfo -a xiaoqiang%pass#word3
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user xiaoqiang%pass#word3 with plaintext password
challenge/response password authentication succeeded
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Configuration files:
grep -v "^;" /etc/samba/smb.conf |grep -v "^#"|grep -v "^$"
[global]
workgroup = HIZILIN
server string = SSSSSS
security = ads
username map = /etc/samba/smbusers
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
realm = HIZILIN.COM
wins server = 192.168.0.93
dns proxy = no
grep -v "^;" /etc/krb5.conf |grep -v "^#"|grep -v "^$"
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HIZILIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.hizilin.com = HIZILIN.COM
hizilin.com = HIZILIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
HIZILIN.COM = {
kdc = HIZILIN.COM:88
}
grep -v "^;" /etc/nsswitch.conf |grep -v "^#"|grep -v "^$"
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
hostname
china
cat /etc/hosts
127.0.0.1 china
::1 china
192.168.0.93 HIZILIN.COM
cat /etc/resolv.conf
search china
nameserver 192.168.0.93
nameserver 218.56.57.58
Samba-related logs
cat smbd.log
smbd/server.c:main(847)
smbd version 3.0.23c-2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/nt_printing.c:nt_printing_init(649)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
Unable to connect to CUPS server localhost - Connection refused
cat nmbd.log
nmbd/nmbd.c:main(700)
Netbios nameserver version 3.0.23c-2 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*****
Samba name server CHINA is now a local master browser for workgroup HIZILIN on subnet 192.168.0.82
*****
cat winbindd.log
nsswitch/winbindd.c:main(953)
winbindd version 3.0.23c-2 started.
Copyright The Samba Team 2000-2004
nsswitch/winbindd_util.c:winbindd_param_init(787)
winbindd: idmap uid range missing or invalid
nsswitch/winbindd_util.c:winbindd_param_init(788)
winbindd: cannot continue, exiting.
nsswitch/winbindd.c:main(986)
Could not init idmap -- netlogon proxy only
lib/pidfile.c:pidfile_create(93)
ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 6721 is running.
nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
cat log.wb-HIZILIN
nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain HIZILIN failed: Operations error
Please help me analyse where the error is. In particular, for the two ntlm_auth commands, why does --password=pass give NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
while --password=pass#word3 gives NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)?
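The winbindd.log posted above records "idmap uid range missing or invalid" followed by "cannot continue, exiting" and "Could not init idmap -- netlogon proxy only", and the smb.conf shown has no idmap uid / idmap gid lines at all. The following POSIX sh checker is an added example, not code from the original post or from the Samba project: it validates the [global] keys a Samba 3.0.x "security = ads" member server needs for winbindd (workgroup, realm, security = ads, idmap uid, idmap gid) and checks that each idmap value has the LOW-HIGH form with LOW < HIGH. The two smb.conf samples it creates are constructed from the posted configuration; the 10000-20000 ranges and the winbind enum settings in the "fixed" sample are assumed values, not taken from the post.

```sh
#!/bin/sh
# Added example (not part of the original post): check a Samba 3.0.x smb.conf
# for the [global] settings winbindd needs in "security = ads" mode.
# Sample configs below are constructed from the post; ranges are assumed.

# Required [global] keys; blanks in key names are written as "_".
REQUIRED_KEYS="workgroup realm security idmap_uid idmap_gid"

# Emit "key=value" per assignment: key lower-cased, inner blanks -> "_",
# comment lines (; or #) and section headers ([global]) skipped.
smbconf_pairs() {
    grep -v '^[[:space:]]*[;#]' "$1" | grep '=' |
    awk -F= '{
        k = $1; v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        gsub(/[ \t]+/, "_", k)
        print tolower(k) "=" v
    }'
}

# Value of one normalised key, or "" if absent.
smbconf_get() { smbconf_pairs "$1" | sed -n "s/^$2=//p" | head -n 1; }

# 0 if "$1" is LOW-HIGH with LOW < HIGH (digits only), else 1.
idmap_range_ok() {
    case "$1" in
        *[!0-9-]*|"") return 1 ;;
    esac
    low=${1%%-*}; high=${1#*-}
    [ -n "$low" ] && [ -n "$high" ] && [ "$low" -lt "$high" ]
}

# Print "ok" (status 0) or a list of missing:/bad: findings (status 1).
smbconf_check() {
    f=$1; problems=""
    for k in $REQUIRED_KEYS; do
        [ -n "$(smbconf_get "$f" "$k")" ] || problems="$problems missing:$k"
    done
    sec=$(smbconf_get "$f" security)
    # "security = domain" or "user" never takes the ADS/Kerberos path.
    [ -z "$sec" ] || [ "$sec" = ads ] || problems="$problems bad:security=$sec"
    for k in idmap_uid idmap_gid; do
        v=$(smbconf_get "$f" "$k")
        [ -z "$v" ] || idmap_range_ok "$v" || problems="$problems bad:$k=$v"
    done
    if [ -n "$problems" ]; then echo "$problems"; return 1; fi
    echo ok
}

TMP=$(mktemp -d)
# Constructed: the [global] section as posted (no idmap ranges).
cat > "$TMP/smb.conf.posted" <<'EOF'
[global]
   workgroup = HIZILIN
   server string = SSSSSS
   security = ads
   realm = HIZILIN.COM
   wins server = 192.168.0.93
   dns proxy = no
EOF
# Constructed: same section plus the idmap ranges winbindd refuses to
# start without (assumed values) and enumeration for wbinfo -u / -g.
cat > "$TMP/smb.conf.fixed" <<'EOF'
[global]
   workgroup = HIZILIN
   security = ads
   realm = HIZILIN.COM
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
EOF

smbconf_check "$TMP/smb.conf.posted" || true   # missing:idmap_uid missing:idmap_gid
smbconf_check "$TMP/smb.conf.fixed" || true    # ok
```

Run it against the real /etc/samba/smb.conf on the trimmed system; any "missing:" or "bad:" finding has to be fixed and winbindd restarted before wbinfo -u / wbinfo -g can be expected to work. The checker only covers smb.conf; it says nothing about the Kerberos, DNS or LDAP side ("ads_connect: Operations error") that the post also shows.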
《Solution》
Reply to #1, hiziqin's post
Are you using freeradius together with 2003 Active Directory?
Or only one of the two?
《Solution》
Both together. Active Directory on 2003 holds the user accounts; radius compares the end user's username and password against the accounts in Active Directory to authenticate them.
《Solution》
Why has nobody replied? Still looking for a way to solve this!