sssd: Message stream modified - PullRequest
0 votes
/ 19 February 2019

I am trying to configure SSSD to work with a remote Active Directory. I already have a local MIT KDC.

When I start SSSD I get the following error:

(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/master.hadoop.domain.com
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)]
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2067
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ad.domain.com' as 'not working'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ad.domain.com' as 'not working'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_handle_release] (0x2000): Trace: sh[0x563c43dbf280], connected[1], ops[(nil)], ldap[0x563c43dbab20], destructor_lock[0], release_memory[0]
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #1
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [get_server_status] (0x1000): Status of server 'ad.domain.com' is 'name resolved'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [get_port_status] (0x1000): Port status of port 0 for server 'ad.domain.com' is 'not working'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #2
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #3
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_done] (0x4000): attempting failover retry on op #4
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])

Here is the AD domain definition in /etc/sssd/sssd.conf:

[domain/AD.LOCAL]
krb5_realm = AD.LOCAL
ad_hostname = ad.domain.com
ad_server = ad.domain.com
debug_level = 9
enumerate = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_user_principal = userPrincipalName
ldap_id_mapping = true
ldap_force_upper_case_realm = true
case_sensitive = false
ldap_access_order = filter,expire
ldap_account_expire_policy = ad
account_cache_expiration = 15
ldap_schema = ad
entry_cache_timeout = 3

Forward and reverse nslookup work for all the domains (ad.domain.com, master.hadoop.domain.com).

What could be wrong here?

Also, do I need SAMPA for SSSD to work?

Thanks
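An added diagnostic example, not part of the question and not SSSD project code: a Python script that parses lines in the SSSD debug-log format shown above, extracts the principal used for the SASL bind, the GSSAPI minor-status text and the failover state, and cross-checks the bind principal against the [domain/AD.LOCAL] section of sssd.conf. The sample log lines and the config fragment are constructed from the post; the debug_level bit names follow the table in sssd.conf(5) and the reading of ad_hostname follows sssd-ad(5), both assumed to match the installed version; every function name is mine.

```python
import configparser
import re

# Constructed sample: five lines shaped like the log excerpt in the question.
SAMPLE_LOG = """\
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/master.hadoop.domain.com
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ad.domain.com' as 'not working'
(Tue Feb 19 12:06:31 2019) [sssd[be[AD.LOCAL]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""

# Constructed config fragment, reduced to the keys the checks below read.
SAMPLE_CONF = """\
[domain/AD.LOCAL]
krb5_realm = AD.LOCAL
ad_hostname = ad.domain.com
ad_server = ad.domain.com
id_provider = ad
"""

# (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# debug_level bit names as listed in sssd.conf(5) (assumption: same in the
# installed version); bits 0x0010..0x0080 are the failure categories.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function-data", 0x0400: "op-trace",
    0x1000: "ctrl-trace", 0x2000: "var-trace", 0x4000: "low-level-trace",
}
FAILURE_BITS = 0x00F0


def parse_line(line):
    """Return a dict for one SSSD debug line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "other")
    dom = re.search(r"be\[([^\]]+)\]", rec["proc"])  # back end -> domain name
    rec["domain"] = dom.group(1) if dom else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Pull out what a responder reads first: bind principal, GSSAPI minor
    text, the first failure-level message, servers marked down, offline."""
    out = {"domain": None, "bind_principal": None, "gssapi_minor": None,
           "first_failure": None, "servers_not_working": [], "went_offline": False}
    for r in records:
        out["domain"] = out["domain"] or r["domain"]
        msg = r["msg"]
        m = re.search(r"Executing sasl bind mech: \S+, user: (\S+)", msg)
        if m:
            out["bind_principal"] = m.group(1)
        m = re.search(r"Minor code may provide more information \((.*?)\)", msg)
        if m:
            out["gssapi_minor"] = m.group(1)
        m = re.search(r"Marking port \d+ of server '([^']+)' as 'not working'", msg)
        if m and m.group(1) not in out["servers_not_working"]:
            out["servers_not_working"].append(m.group(1))
        if r["level"] & FAILURE_BITS and out["first_failure"] is None:
            out["first_failure"] = f"[{r['func']}] {msg}"
        if "going offline" in msg:
            out["went_offline"] = True
    return out


def consistency_notes(summary, conf_text):
    """Cross-check the log against the [domain/...] section. sssd-ad(5)
    describes ad_hostname as this client's own name, used to pick the host
    principal from the keytab, so it should agree with the bind principal."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = f"domain/{summary['domain']}"
    if not cp.has_section(section):
        return [f"no [{section}] section in sssd.conf"]
    notes = []
    ad_hostname = cp.get(section, "ad_hostname", fallback=None)
    ad_server = cp.get(section, "ad_server", fallback=None)
    principal = summary.get("bind_principal") or ""
    host = principal.split("/", 1)[1].split("@", 1)[0] if "/" in principal else None
    if host and ad_hostname and host.lower() != ad_hostname.lower():
        notes.append(f"bind principal host {host} differs from ad_hostname {ad_hostname}; "
                     "confirm the keytab holds a key for the name SSSD binds with")
    if ad_hostname and ad_server and ad_hostname.lower() == ad_server.lower():
        notes.append("ad_hostname equals ad_server; ad_hostname is meant to be this "
                     "client's FQDN, not the domain controller's")
    if summary.get("gssapi_minor") == "Message stream modified":
        notes.append("'Message stream modified' is MIT Kerberos's text for "
                     "KRB5KRB_AP_ERR_MODIFIED (integrity check failed): compare the "
                     "key material and enctypes on client, keytab and server first")
    return notes


def analyze(log_text, conf_text):
    summary = summarize(parse_log(log_text))
    return summary, consistency_notes(summary, conf_text)


if __name__ == "__main__":
    s, notes = analyze(SAMPLE_LOG, SAMPLE_CONF)
    for k, v in s.items():
        print(f"{k:>20}: {v}")
    for n in notes:
        print("NOTE:", n)
```

Run it against a real sssd_AD.LOCAL.log by reading the file into `analyze()` in place of SAMPLE_LOG; the summary is deliberately limited to facts present in the log, and the notes only point at what to compare, since the log alone cannot tell which side holds the wrong key.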

...