freeradius+Active Directory時ntlm_auth出現問題

freeradius+Active Directory時ntlm_auth出現問題

最近在做freeradius+windows Active Directory ，在實驗過程中遇到了幾個問題，請各位大俠們指點以下
已知環境：系統大環境為fc6，samba安裝採用yum install ，版本為Version 3.0.23c-2. Active Directory 為windows server 2003

standard edition ，ip地址為192.168.0.93, 域名為HIZILIN.COM .已知Active Directory中有帳號xiaoqiang ,密碼：pass#word3

問題情況：在fc6大環境下安裝的samba移植到一個經過裁剪的小系統上，出現了下列錯誤。
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass      
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
而這種配置在fc6大環境下去可以通過驗證 。我的操作步驟、配置文件及log日誌如下，請各位大俠們幫忙分析一下。
步驟如下：
kinit Administrator@HIZILIN.COM
Password for Administrator@HIZILIN.COM:
/usr/kerberos/bin/klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@HIZILIN.COM

Valid starting     Expires            Service principal
04/17/09 10:52:49  04/17/09 20:52:59  krbtgt/HIZILIN.COM@HIZILIN.COM
        renew until 04/18/09 10:52:49
net ads join -U Administrator%tao123456789
utils/net_ads.c:ads_startup(281)
  ads_connect: Operations error

net rpc join -U Administrator%tao123456789
Joined domain HIZILIN.


smbclient -L HIZILIN.COM -U xiaoqiang%pass#word3
Domain= OS= Server=

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC             NETLOGON        Disk      Logon server share
        ADMIN$          Disk            SYSVOL          Disk      Logon server share
        C$              Disk      session request to HIZILIN.COM failed (Called name not present)
session request to HIZILIN failed (Called name not present)
Domain= OS= Server=

        Server               Comment
        ---------            -------
        2K3SERVER            
        CHINA                SSSSSS
        LOCALHOST            Linux Samba

        Workgroup            Master
        ---------            -------
        HIZILIN              2K3SERVER
        MSHOME               GAO
        WORKGROUP            JUJUMAO

wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -g
Error looking up domain groups

wbinfo -u
Error looking up domain users

wbinfo -D HIZILIN.COM
Name              : HIZILIN
Alt_Name          : HIZILIN.COM
SID               : S-1-5-21-2458468695-833675311-4109839019
Active Directory  : Yes
Native            : No
Primary           : Yes
Sequence          : -1

wbinfo -a xiaoqiang%pass#word3
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user xiaoqiang%pass#word3 with plaintext password
challenge/response password authentication succeeded

ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass#word3
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
ntlm_auth --request-nt-key --domain=HIZILIN.COM --username=xiaoqiang --password=pass      
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

配置文件如下：
grep -v "^;" /etc/samba/smb.conf |grep -v "^#"|grep -v "^$"

workgroup = HIZILIN
   server string = SSSSSS
   security = ads
username map = /etc/samba/smbusers
cups options = raw
   log file = /var/log/samba/%m.log
   max log size = 50
realm = HIZILIN.COM
   wins server = 192.168.0.93
   dns proxy = no

grep -v "^;" /etc/krb5.conf |grep -v "^#"|grep -v "^$"     

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = HIZILIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

.hizilin.com = HIZILIN.COM
hizilin.com = HIZILIN.COM

profile = /var/kerberos/krb5kdc/kdc.conf

pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
   

HIZILIN.COM = {
kdc = HIZILIN.COM:88
}

grep -v "^;" /etc/nsswitch.conf |grep -v "^#"|grep -v "^$"
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

hostname
china

cat /etc/hosts
127.0.0.1 china
::1 china
192.168.0.93 HIZILIN.COM

cat /etc/resolv.conf
search china
nameserver 192.168.0.93
nameserver 218.56.57.58

samba相關log
cat smbd.log
smbd/server.c:main(847)
  smbd version 3.0.23c-2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/nt_printing.c:nt_printing_init(649)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused
printing/print_cups.c:cups_cache_reload(85)
  Unable to connect to CUPS server localhost - Connection refused

cat nmbd.log
nmbd/nmbd.c:main(700)
  Netbios nameserver version 3.0.23c-2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
  *****
  
  Samba name server CHINA is now a local master browser for workgroup HIZILIN on subnet 192.168.0.82
  
  *****
cat winbindd.log
nsswitch/winbindd.c:main(953)
  winbindd version 3.0.23c-2 started.
  Copyright The Samba Team 2000-2004
nsswitch/winbindd_util.c:winbindd_param_init(787)
  winbindd: idmap uid range missing or invalid
nsswitch/winbindd_util.c:winbindd_param_init(788)
  winbindd: cannot continue, exiting.
nsswitch/winbindd.c:main(986)
  Could not init idmap -- netlogon proxy only
lib/pidfile.c:pidfile_create(93)
  ERROR: winbindd is already running. File /var/run/winbindd.pid exists and process id 6721 is running.
nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error

cat log.wb-HIZILIN
nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error
nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain HIZILIN failed: Operations error

請各位大俠們給分析一下，哪裡出錯了。尤其是在兩個ntlm_auth命令中為什麼用--password=pass 就提示NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
而用--password=pass#word3時就提示NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)呢？

回復 #1 hiziqin 的帖子

使用freeradius 又使用2003的active Directory ？
還是只使用其中的一個

兩個組合使用。2003 Active Directory中存放用戶帳號，radius將終端用戶的用戶名和密碼與Active Directory 中帳號比較，進行認證。

怎麼沒人回復啊！繼續尋求問題的解決方式！

Tags: