active-directory – kinit & pam_sss: Cannot find KDC for requested realm while getting initial credentials

I have a problem very similar to the one described in this thread, on CentOS 6.3, authenticating against a 2008R2 AD DC.

Here is my krb5.conf; I know that XXXXXXX.LOCAL is the real domain name:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XXXXXXX.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 verify_ap_req_nofail = false

[realms]
 XXXXXXX.LOCAL = {
 kdc = ad1.XXXXXXX.local
 kdc = ad2.XXXXXXX.local
 admin_server = ad1.XXXXXXX.local
 default_domain = XXXXXXX.LOCAL
}

[domain_realm]
 .XXXXXXX.local = XXXXXXX.LOCAL
 XXXXXXX.local = XXXXXXX.LOCAL
 .XXXXXXX.com = XXXXXXX.LOCAL
 XXXXXXX.com = XXXXXXX.LOCAL

When I run:

kinit username@XXXXXXX.LOCAL

everything works as expected and klist -e returns the details it should, but when I try:

su username

the sssd krb5_child.log shows the following:

[unpack_buffer] (0x0100): cmd [241] uid [10002] gid [10002] validate [false] offline [false] UPN [username@XXXXXXX.COM]
[unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_10002_XXXXXX] keytab: [/etc/krb5.keytab]
[krb5_child_setup] (0x0400): Will perform online auth
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
[krb5_child_setup] (0x0100): Not using FAST.
[get_and_save_tgt] (0x0400): Attempting kinit for realm [XXXXXXX.COM]
[get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
[kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
[prepare_response_message] (0x0400): Building response for result [-1765328230]
[main] (0x0400): krb5_child completed successfully

I also know that XXXXXXX.COM is an alias of XXXXXXX.LOCAL in the AD tree, and running:

kinit username@XXXXXXX.COM

produces exactly the same error as in krb5_child.log:

kinit: Cannot find KDC for requested realm while getting initial credentials

I have been banging my head against the wall on this for several days now, and any help would be greatly appreciated.
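As an added diagnostic example (not part of the original question, and not SSSD or MIT krb5 code), the script below parses a constructed copy of the krb5.conf shown above together with the UPN from the krb5_child.log line, and reports whether libkrb5 could locate a KDC for that realm. The point it makes explicit: with dns_lookup_kdc = false, a realm can only be resolved through its own [realms] stanza with kdc entries, and [domain_realm] maps hostnames and DNS domains to a realm name without ever supplying KDCs for it. The parser, the function names and the embedded config and log text are my own constructions.

```python
"""Check whether the realm in an SSSD krb5_child UPN can be mapped to a KDC from a
krb5.conf that has dns_lookup_kdc = false. Added example, not from the original post;
the config and log text below are constructed copies of what the question shows."""
import re

# Constructed copy of the questioner's krb5.conf (only the sections that matter here).
KRB5_CONF = """
[libdefaults]
 default_realm = XXXXXXX.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 XXXXXXX.LOCAL = {
  kdc = ad1.XXXXXXX.local
  kdc = ad2.XXXXXXX.local
  admin_server = ad1.XXXXXXX.local
 }

[domain_realm]
 .XXXXXXX.local = XXXXXXX.LOCAL
 XXXXXXX.local = XXXXXXX.LOCAL
 .XXXXXXX.com = XXXXXXX.LOCAL
 XXXXXXX.com = XXXXXXX.LOCAL
"""

# Constructed log line in the shape of the krb5_child.log entry from the question.
LOG_LINE = ("[unpack_buffer] (0x0100): cmd [241] uid [10002] gid [10002] "
            "validate [false] offline [false] UPN [username@XXXXXXX.COM]")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] -> keys; 'NAME = { ... }' blocks become
    nested dicts. Repeated keys (several 'kdc' lines) are collected into lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def upn_realm(log_line):
    """Realm part of the UPN that krb5_child was asked to authenticate."""
    m = re.search(r"UPN \[[^@\]]+@([^\]]+)\]", log_line)
    return m.group(1) if m else None


def kdc_lookup_diagnosis(conf, realm):
    """Explain how libkrb5 would (or would not) find a KDC for `realm` under `conf`."""
    libdefaults = conf.get("libdefaults", {})
    # MIT krb5 defaults dns_lookup_kdc to true when it is not set.
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() == "true"
    stanza = conf.get("realms", {}).get(realm)  # realm names are matched exactly
    kdcs = stanza.get("kdc", []) if isinstance(stanza, dict) else []
    if kdcs:
        return {"realm": realm, "kdcs": kdcs, "ok": True,
                "reason": "[realms] stanza lists KDCs"}
    if dns_kdc:
        return {"realm": realm, "kdcs": [], "ok": None,
                "reason": "no [realms] stanza; libkrb5 would try DNS SRV records"}
    # [domain_realm] maps DNS domains to realm names; it never supplies KDCs for a realm.
    mapped = {v[0] for k, v in conf.get("domain_realm", {}).items()
              if k.lower().lstrip(".") == realm.lower()}
    hint = (f"; [domain_realm] maps the DNS domain to {sorted(mapped)}, but that does "
            f"not make '{realm}' a configured realm") if mapped else ""
    return {"realm": realm, "kdcs": [], "ok": False,
            "reason": f"no [realms] stanza with a kdc for '{realm}' and "
                      f"dns_lookup_kdc = false{hint}"}


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for realm in (upn_realm(LOG_LINE), conf["libdefaults"]["default_realm"][0]):
        d = kdc_lookup_diagnosis(conf, realm)
        print(f"{realm}: {'OK' if d['ok'] else 'FAIL'} - {d['reason']} {d['kdcs']}")
```

Run against the question's configuration, the check passes for XXXXXXX.LOCAL and fails for XXXXXXX.COM, which is exactly the realm krb5_child reports in "Attempting kinit for realm [XXXXXXX.COM]" before the "Cannot find KDC for requested realm" error. The [domain_realm] lines for XXXXXXX.com do not help, because the lookup that fails is keyed on the realm name taken from the principal, not on a hostname.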
