sudo kdestroy
sudo kinit -k
kinit: Client 'host/srv03.lettrich.local@LETTRICH.LOCAL' not found in Kerberos database while getting initial credentials

sudo klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 srv03$@LETTRICH.LOCAL (arcfour-hmac) 
  10 srv03$@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96) 
  10 srv03$@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96) 
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac) 
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96) 
  10 nfs/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96) 
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (arcfour-hmac) 
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes128-cts-hmac-sha1-96) 
  10 host/srv03.lettrich.local@LETTRICH.LOCAL (aes256-cts-hmac-sha1-96)

cat /etc/exports
/export               gss/krb5(rw,fsid=0,no_subtree_check,sync,insecure,crossmnt,anonuid=65534,anongid=65534)
/export/users           gss/krb5(rw,nohide,anongid=65534)
/export/groups           gss/krb5(rw,anongid=65534)
/export/share           gss/krb5(rw,anongid=65534)
/export/backup           gss/krb5(rw,anongid=65534)

sudo mount -t nfs4 -o sec=krb5 srv03:/export /mnt

srv04 rpc.gssd[754]: ERROR: No credentials found for connection to server srv03

service principal name = nfs/srv03.lettrich.local; host/srv03.lettrich.local

首先,您应该直接注册并恢复新Linux服务器的DNS记录.在Windows域中注册.

其次,在Linux服务器中将DNS解析器指向Windows,并在linux中修改/ etc / hosts以获取正确的字段

第三,您必须安装Kerberos5和winbind应用程序/模块/库

四,配置/etc/krb5.conf：

[libdefaults]
    default_realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

[realms]
    YOUR.FULL.DOMAIN.WITH.UPPER.CHARS = {
            kdc = list of IPs windows domain servers
            admin_server = one ip for master domain server
    }

[domain_realm]
    your.full.comain.with.lover.chars = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

[logging]
#example logging
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

五,配置/etc/samba/smb.conf：

[global]
workgroup = YOUR.SHORT.DOMAIN.WITH.UPPER.CASE
netbios name = YOUR.SERVER.NAME.WITH.UPPER.CASE.WITHOUT.DOMAIN
realm = YOUR.FULL.DOMAIN.WITH.UPPER.CHARS
security = ads
password server = windows.ip.server.what.allows.password.change
wins server = as.above.supports.wins.messages
wins proxy = no
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
server string = write what you want using %h as host name
dns proxy = no
idmap config * : backend = rid
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
inherit acls = Yes
map acl inherit = Yes
acl group control

第六,验证您是否能够临时使用任何用户连接：

wbinfo -t   #test only
net getdomainsid  #should print local and domain identifier
wbinfo -u   #domain user list,may take long time for many users
wbinfo -g   #domain group list

第七,创建密码永不过期且无法更改的技术用户帐户.其他人则默认.将该用户收集在单独的AD目录中:)

第八,生成keytab：

net ads keytab create -U your.technical.user@YOUR.FULL.DOMAIN.WITH.UPPER.CHARS

然后检查/etc/krb5.keytab是否存在

现在您可以配置其他服务,特别是使用ntlm帮助程序.您可以使用以下方法测试连接：

ntlm_auth --username UPPER.CASE.SHORTNAME.DOMAIN+your.technical.username

写密码,你应该看到状态：

NT_STATUS_OK: Success (0x0)

现在您可以配置PAM来验证许多服务,但我没有这样做.我成功地使用apache2.2 ntlm身份验证配置.我看到了ssh和Xsession的pam配置.

主要思想是,只有winbind对Active Directory进行身份验证.所有其他服务以任何方式在本地验证winbind. Winbind是samba的一部分.如果你不需要samba,只安装winbind,这会安装一些samba库.

有时配置连接时,wbinfo无法连接.然后,您必须等待片刻信息传播5分钟或更长时间.

当然,所有mashines的时间应该是同步的.为此配置NTP.我正在使用debian,但ubuntu使所有类似于debian :)祝你好运.