I have a problem very similar to the one described in this thread, on CentOS 6.3 authenticating against a 2008 R2 AD DC.
Here is my krb5.conf; I know that XXXXXXX.LOCAL is the real domain name:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XXXXXXX.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 verify_ap_req_nofail = false

[realms]
 XXXXXXX.LOCAL = {
  kdc = ad1.XXXXXXX.local
  kdc = ad2.XXXXXXX.local
  admin_server = ad1.XXXXXXX.local
  default_domain = XXXXXXX.LOCAL
 }

[domain_realm]
 .XXXXXXX.local = XXXXXXX.LOCAL
 XXXXXXX.local = XXXXXXX.LOCAL
 .XXXXXXX.com = XXXXXXX.LOCAL
 XXXXXXX.com = XXXXXXX.LOCAL
When I do:
kinit username@XXXXXXX.LOCAL
everything works as expected and klist -e returns the details it should, but when I try:
su username
[unpack_buffer] (0x0100): cmd [241] uid [10002] gid [10002] validate [false] offline [false] UPN [username@XXXXXXX.COM]
[unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_10002_XXXXXX] keytab: [/etc/krb5.keytab]
[krb5_child_setup] (0x0400): Will perform online auth
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
[krb5_child_setup] (0x0100): Not using FAST.
[get_and_save_tgt] (0x0400): Attempting kinit for realm [XXXXXXX.COM]
[get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
[kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
[prepare_response_message] (0x0400): Building response for result [-1765328230]
[main] (0x0400): krb5_child completed successfully
I also know that XXXXXXX.COM is an alias of XXXXXXX.LOCAL in the AD tree, and running:
kinit username@XXXXXXX.COM
produces exactly the same error as in krb5_child.log:
kinit: Cannot find KDC for requested realm while getting initial credentials
I have been banging my head against the wall on this for days now and would greatly appreciate any help.
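To see why the two kinit commands above behave differently, it helps to trace the KDC lookup that libkrb5 performs from this krb5.conf. Two facts drive it: a client principal's realm is taken literally from its @REALM suffix (or default_realm when there is none), and [domain_realm] maps hostnames to realms when building service principals, so its .XXXXXXX.com entries never rewrite the realm of username@XXXXXXX.COM. With dns_lookup_kdc = false, a realm with no [realms] stanza has nowhere else to be resolved from. The following script is an added diagnostic, not code from the original post or from SSSD/MIT Kerberos; it embeds a constructed copy of the question's krb5.conf (same placeholder names) and reproduces the lookup decision offline. The parser handles only the subset of krb5.conf syntax shown on the page.

```python
import re

# Constructed krb5.conf mirroring the one in the question (placeholder
# names kept; this is not the poster's literal file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = XXXXXXX.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 XXXXXXX.LOCAL = {
  kdc = ad1.XXXXXXX.local
  kdc = ad2.XXXXXXX.local
  admin_server = ad1.XXXXXXX.local
  default_domain = XXXXXXX.LOCAL
 }

[domain_realm]
 .XXXXXXX.local = XXXXXXX.LOCAL
 XXXXXXX.local = XXXXXXX.LOCAL
 .XXXXXXX.com = XXXXXXX.LOCAL
 XXXXXXX.com = XXXXXXX.LOCAL
"""

TRUE_WORDS = ("true", "yes", "on", "1")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}. A 'key = {'
    block (as used under [realms]) becomes a nested {key: [values]} dict.
    Repeated keys such as several 'kdc =' lines are kept in order."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            group = None
            continue
        if section is None:
            continue                      # stray line before any [section]
        if line == "}":
            group = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            group = section.setdefault(key, {})
            continue
        target = group if group is not None else section
        target.setdefault(key, []).append(value)
    return conf


def realm_of_principal(principal, conf):
    """Realm used for a client principal: the literal @REALM suffix, else
    default_realm. [domain_realm] is deliberately not consulted: it maps
    hostnames to realms for service principals, not user principal suffixes."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf.get("libdefaults", {}).get("default_realm", [None])[0]


def locate_kdcs(realm, conf):
    """Return (kdcs, how). 'config' = 'kdc =' entries under [realms];
    'dns' = no stanza but dns_lookup_kdc allows an SRV query (not done here);
    'none' = no stanza and DNS disabled, which is the KRB5_REALM_UNKNOWN
    (-1765328230, 'Cannot find KDC for requested realm') case in the log."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return list(kdcs), "config"
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if dns.lower() in TRUE_WORDS:
        return [], "dns"
    return [], "none"


def check_principal(principal, conf):
    """Summarise what kinit (or sssd's krb5_child) would do for a principal."""
    realm = realm_of_principal(principal, conf)
    kdcs, how = locate_kdcs(realm, conf)
    status = {"config": "ok",
              "dns": "dns lookup required",
              "none": "Cannot find KDC for requested realm"}[how]
    return {"principal": principal, "realm": realm, "kdcs": kdcs, "status": status}


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in ("username@XXXXXXX.LOCAL", "username@XXXXXXX.COM", "username"):
        r = check_principal(p, conf)
        print(f"{r['principal']:<24} realm={r['realm']:<14} kdcs={r['kdcs']} -> {r['status']}")
```

Run against the embedded config, username@XXXXXXX.LOCAL resolves to ad1/ad2, while username@XXXXXXX.COM (the UPN that krb5_child logs as "Attempting kinit for realm [XXXXXXX.COM]") ends in the same "Cannot find KDC for requested realm" status, because no [realms] stanza exists for that name and DNS lookup is off. Point the parser at /etc/krb5.conf to check a real host the same way.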