SLE 15 SP2 ホストで Active Directory 認証を構成しようとしています。AD ドメインには複数の DC（AD サーバー）があります。
私は次の指示に従いました。 https://www.suse.com/c/the-sssd-active-directory-and-sles-12-and-15/ https://www.suse.com/support/kb/doc/?id=000019549
特定の AD サーバーを使用するようにホストを構成すると、すべて問題なく機能します。ただし、別のサーバーを使用するようにホストを構成すると、しばらくは正常に動作した後に動作が停止します。グループの AD アカウントは SSH 経由で問題なく認証できますが、SSSD サービスのログには次のエラー行が繰り返し出力されます。
「10 月 12 日 08:46:45 ホスト sssd[15569]: tkey クエリに失敗しました: GSSAPI エラー: Major = 指定されていない GSS 失敗。Minor コードが追加情報を提供できる場合があります。なし。」
複数のサイトを参考にさまざまな設定を試しましたが、いずれも役に立ちませんでした。何が間違っているのでしょうか？
ありがとうございます!
構成ファイル:
SSSD 構成ファイル (sssd.conf)
# sssd.conf as posted (config_file_version 2). Comment lines are review
# notes only; every key and value is exactly as in the original post.
[sssd]
config_file_version = 2
services = nss,pam
domains = dom-ain.domain.com
[nss]
# keep the local root account out of sss lookups
filter_users = root
filter_groups = root
[pam]
[domain/dom-ain.domain.com]
# verbose logging for troubleshooting; lower it again once the issue is
# resolved, the domain log grows quickly at this level
debug_level=6
id_provider = ad
auth_provider = ad
# false: credentials are not cached locally, so there is no offline logon —
# when no DC is reachable, AD logins fail outright
cache_credentials = false
# keep false for AD: full user/group enumeration is expensive on large domains
enumerate = false
override_homedir = /home/%d/%u
# NOTE(review): AD account names are case-insensitive; with true, lookups only
# match the exact case stored in AD — confirm this is intended
case_sensitive = true
ad_hostname = host.dom-ain.domain.com
# NOTE(review): "[email protected]" is an e-mail obfuscation artifact of the
# page, not a real setting; the option expects one or more AD group names
simple_allow_groups = [email protected]
access_provider = simple
# NOTE(review): no ad_server or dyndns_* keys are shown. "tkey query failed:
# GSSAPI error ..." (quoted in the question) is the message nsupdate prints
# when its GSS-TSIG negotiation fails, which is what the AD provider runs for
# its dynamic DNS update (dyndns_update, default on) — a step independent of
# authentication, which would explain why SSH logins keep working while the
# errors appear. If this host does not need to register its own DNS record,
# dyndns_update = false removes that code path; otherwise check which DNS
# server the update is sent to (dyndns_server). Confirm in the domain log at
# this debug level before changing anything.
krb5.conf
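# /etc/krb5.conf as posted; drop-ins under krb5.conf.d are read first.
includedir /etc/krb5.conf.d
[libdefaults]
# keep hostname canonicalisation and reverse DNS off so a spoofed CNAME or
# PTR record cannot change which service principal the client asks for
dns_canonicalize_hostname = false
rdns = false
default_realm = DOM-AIN.DOMAIN.COM
default_ccache_name = /tmp/krb5cc_%{uid}
dns_lookup_realm = false
# KDCs are discovered from DNS SRV records; nothing else in this file pins a
# KDC, so the choice of DC is left to DNS (see the realms section below)
dns_lookup_kdc = true
# reject weak enctypes (e.g. single-DES)
allow_weak_crypto = false
[domain_realm]
.dom-ain.domain.com = DOM-AIN.DOMAIN.COM
dom-ain.domain.com = DOM-AIN.DOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
# fixed: the posted value was SYSLOG:NOTICE:DAEMO. The format is
# SYSLOG[:severity[:facility]] and the facility must be a syslog facility
# name, i.e. DAEMON
default = SYSLOG:NOTICE:DAEMON
[realms]
# NOTE(review): there is no kdc = entry in this realm block, so with
# dns_lookup_kdc = true every DC advertised in DNS is a candidate. If the host
# is meant to talk to one specific DC, Kerberos is not pinned to it by this
# file — confirm with KRB5_TRACE=/dev/stderr kinit <principal>
DOM-AIN.DOMAIN.COM = {
default_domain = dom-ain.domain.com
}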
LDAP 構成ファイル (ldap.conf)
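#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
# fixed: the posted line had a space after the scheme ("ldap:// dom-ain..."),
# which is not a valid URI. Plain ldap:// also means the command-line tools
# use no TLS unless they negotiate STARTTLS, and no TLS_CACERT is set here;
# add one (or switch to ldaps://) if these tools are used for anything beyond
# diagnostics. sssd's AD provider has its own connection settings, although
# libldap defaults from this file may still apply to it — confirm.
URI ldap://dom-ain.domain.com
# fixed: the posted value read dc=doma-ain,...; every other file on the page
# uses dom-ain, so this looks like a typo
BASE dc=dom-ain,dc=domain,dc=com
# fixed: the posted value was "FF", which is not a valid on/off setting
# (assumed to be a truncated "off"; referrals are commonly left off for AD)
REFERRALS off
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never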
nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# sss (SSSD) is consulted after the local compat databases for users and
# groups, matching services = nss in sssd.conf
passwd: compat sss
group: compat sss
# NOTE(review): no sss entry for shadow. AD supplies no shadow data and the
# password check itself goes through sssd's auth_provider via PAM, so this is
# usually fine, but confirm against the SUSE guide the post follows
shadow: compat
# hosts must be able to resolve the DNS SRV records that krb5.conf
# (dns_lookup_kdc = true) and sssd's AD provider rely on for DC discovery
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
# NOTE(review): nis is still listed for netgroup and automount although no
# NIS client appears in the posted files; if NIS is not in use these lookups
# can add latency or failures — confirm and drop nis if unused
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files
Samba 構成ファイル (smb.conf)
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
#[global]
# workgroup = DOM-AIN
# passdb backend = tdbsam
# printing = cups
# printcap name = cups
# printcap cache time = 750
# cups options = raw
# map to guest = Bad User
# logon path = \\%L\profiles\.msprofile
# logon home = \\%L\%U\.9xprofile
# logon drive = P:
# usershare allow guests = Yes
# The commented block above is the distribution template and has no effect;
# the active configuration starts here.
[global]
workgroup = DOM-AIN
# SMB signing on connections this host makes as a client (yes is documented
# as equivalent to mandatory — confirm in smb.conf(5) for this release)
client signing = yes
client use spnego = yes
# machine-account credentials are taken from secrets.tdb first, then the
# system keytab
kerberos method = secrets and keytab
realm = DOM-AIN.DOMAIN.COM
# domain member of an AD domain: Kerberos/LDAP against the DCs
security = ADS
# NOTE(review): no stops winbind from generating its own per-realm krb5.conf
# snippet, so the hand-maintained /etc/krb5.conf shown on this page is the
# only Kerberos configuration in play — confirm
create krb5 conf = no
[homes]
comment = Home Directories
# %S = share name (the user's name), %D = user's domain, %w = winbind
# separator: only the owning user may connect to their home share
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
# %H = home directory of the connecting user
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
# NOTE(review): the next two shares export the whole /home tree and
# /home/groups read-write to any authenticated user, limited only by
# file-system permissions. They are distribution defaults and unrelated to
# the AD issue — confirm they are actually wanted on this host
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
# spool directory for incoming print jobs
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
# only members of ntadmin and root may upload drivers; uploaded files are
# owned by the ntadmin group
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775