domain-name-system – 无法使用realmd将Fedora 20计算机加入Active Directory RODC

前端之家收集整理的这篇文章主要介绍了domain-name-system – 无法使用realmd将Fedora 20计算机加入Active Directory RODC前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我对Active Directory了解不多,但我对它的作用有一些基本的了解.我一直在尝试将Fedora 20计算机加入域中,并且遇到了一些问题.我这样运行了realm命令:
sudo realm join -v -U [admin user] [hostname of RODC]

出于某种原因,我必须使用只读域控制器的主机名.如果我使用域名,我会收到以下错误

* Resolving: _ldap._tcp.[domain]
 ! Discovery timed out after 15 seconds

如果我指定RODC的主机名,一切顺利:它解析,请求在命令中指定的admin用户的密码进行身份验证,但在设置计算机帐户的密码时失败:

* Resolving: _ldap._tcp.[RODC host name]
 * Resolving: [RODC host name]
 * Performing LDAP DSE lookup on: [internal IP of RODC]
 * Successfully discovered: [domain]
Password for [domain admin]: 
 * required files: /usr/sbin/oddjobd,/usr/libexec/oddjob/mkhomedir,/usr/sbin/sssd,/usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain [domain] --domain-realm [domain,in caps] --domain-controller [internal IP of RODC] --login-type user --login-user [domain admin] --stdin-password
 * Using domain name: [domain]
 * Calculated computer account name from fqdn: [machine host name,in caps/computer account]
 * Using domain realm: [domain]
 * Sending cldap pings to domain controller: [internal IP of RODC]
 * Received Netlogon info from: [host name of RODC,in caps].[domain]
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-pMXPuH/krb5.d/adcli-krb5-conf-OcXLS5
 * Authenticated as user: [admin user]@[domain,in caps]
 * Looked up short domain name: [short name]
 * Using fully qualified name: [machine host name].[domain]
 * Using domain name: [domain name]
 * Using computer account name: [computer account]
 * Using domain realm: [domain name]
 * Enrolling computer account name calculated from fqdn: [computer account]
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: [machine host name].[domain]
 * Using domain name: [domain]
 * Using computer account name: [computer account]
 * Using domain realm: [domain]
 * Looked up short domain name: [short name]
 * Found computer account for [computer account]$at: CN=[computer account],OU=[redacted] Computers,OU=[redacted],DC=[redacted],DC=[redacted]
 ! Couldn't set password for computer account: [computer account]$: Incorrect net address
adcli: joining domain [domain] Failed: Couldn't set password for computer account: [computer account]$: Incorrect net address
 ! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain

做一些搜索,我发现TechNet article提到“错误的网址”错误作为DNS问题.我应该先在哪里查看解决此问题的方法

解决方法

您看到此错误的原因是您无法写入RODC来创建密码. AD在创建对象时创建计算机密码,在加入域时创建随机生成的密码.

您必须依赖Kerberos来缓存服务器密码,当您加入RODC时它不会提示您.首先在特定Linux服务器的可写DC上创建一个keytab文件,然后将其移动到那里,最好是/etc/krb5.keytab并将权限设置为600.

猜你在找的HTML相关文章