Linux domain join errors - AWS Directory Service

Linux domain join errors

The following can help you troubleshoot some of the error messages that you might encounter when joining EC2 Linux instances to your AWS Managed Microsoft AD directory.

Linux instance is unable to join the domain or authenticate

Ubuntu 14.04, 16.04, and 18.04 instances must be reverse-resolvable in the DNS before a realm can work with Microsoft AD. Otherwise, you might encounter one of the following two scenarios:

Scenario 1: Ubuntu instance is not yet joined to the realm

For an Ubuntu instance that is attempting to join the realm, the sudo realm join command might not provide the permissions needed to join the domain and might display the following error:

    ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
    adcli: couldn't connect to EXAMPLE.COM domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
    ! Insufficient permissions to join the domain
    realm: Couldn't join realm: Insufficient permissions to join the domain

Scenario 2: Ubuntu instance is already joined to the realm

For an Ubuntu instance that has already joined the Microsoft AD domain, SSH attempts to the instance using domain credentials might fail with the following error:

    $ ssh admin@EXAMPLE.COM@198.51.100
    no such identity: /Users/username/.ssh/id_ed25519: No such file or directory
    admin@EXAMPLE.COM@198.51.100's password:
    Permission denied, please try again.
    admin@EXAMPLE.COM@198.51.100's password:

If you log in to the instance with a public key and check /var/log/auth.log, you might see the following errors about being unable to find the user:

    May 12 01:02:12 ip-192-0-2-0 sshd[2251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.0
    May 12 01:02:12 ip-192-0-2-0 sshd[2251]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.0 user=admin@EXAMPLE.COM
    May 12 01:02:12 ip-192-0-2-0 sshd[2251]: pam_sss(sshd:auth): received for user admin@EXAMPLE.COM: 10 (User not known to the underlying authentication module)
    May 12 01:02:14 ip-192-0-2-0 sshd[2251]: Failed password for invalid user admin@EXAMPLE.COM from 203.0.113.0 port 13344 ssh2
    May 12 01:02:15 ip-192-0-2-0 sshd[2251]: Connection closed by 203.0.113.0 [preauth]

However, kinit for the user still works. See this example:

    ubuntu@ip-192-0-2-0:~$ kinit admin@EXAMPLE.COM
    Password for admin@EXAMPLE.COM:
    ubuntu@ip-192-0-2-0:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: admin@EXAMPLE.COM

Workaround

The current recommended workaround for both of these scenarios is to disable reverse DNS in /etc/krb5.conf in the [libdefaults] section as shown below:

    [libdefaults]
        default_realm = EXAMPLE.COM
        rdns = false

One-way trust authentication issue with seamless domain join

If you have a one-way outgoing trust established between your AWS Managed Microsoft AD and your on-premises AD, you might encounter an authentication issue when attempting to authenticate against the domain-joined Linux instance with your trusted AD credentials using Winbind.

Errors

    Jul 31 00:00:00 EC2AMAZ-LSMWqT sshd[23832]: Failed password for user@corp.example.com from xxx.xxx.xxx.xxx port 18309 ssh2
    Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): getting password (0x00000390)
    Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): pam_get_item returned a password
    Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_OBJECT_NAME_NOT_FOUND, Error message was: The object name is not found.
    Jul 31 00:05:00 EC2AMAZ-LSMWqT sshd[23832]: pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'CORP\user')

Workaround

To resolve this issue, you will need to comment out or remove a directive from the PAM module configuration file (/etc/security/pam_winbind.conf) using the following steps.

  1. Open the /etc/security/pam_winbind.conf file in a text editor.

    sudo vim /etc/security/pam_winbind.conf
  2. Comment out or remove the krb5_auth = yes directive.

    [global]
    cached_login = yes
    krb5_ccache_type = FILE
    #krb5_auth = yes
  3. Stop the Winbind service, flush the cache, and then start the service again.

    service winbind stop or systemctl stop winbind
    net cache flush
    service winbind start or systemctl start winbind
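As an added example that is not part of the AWS documentation, the following POSIX shell audit checks whether the two client-side workarounds on this page are in place: rdns = false under [libdefaults] in /etc/krb5.conf (the two Ubuntu scenarios) and krb5_auth = yes no longer active under [global] in /etc/security/pam_winbind.conf (the one-way trust issue). The function names and the small INI parser are assumptions of the example, not AWS tooling.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation: audit whether the two
# client-side workarounds described on this page are in place.

# Print the value of KEY in [SECTION] of an INI-style file (krb5.conf,
# pam_winbind.conf). Lines commented with # or ; are ignored, which is how
# the winbind workaround disables krb5_auth. Prints nothing if absent.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); in_s = (h == s); next }
        in_s && index($0, "=") {
            name = $0; sub(/=.*/, "", name); gsub(/[[:space:]]/, "", name)
            if (name == k) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
                sub(/[[:space:]]+$/, "", val); print val; exit
            }
        }' "$1"
}

# Ubuntu scenarios: Kerberos reverse DNS lookups must be off, i.e.
# rdns = false under [libdefaults]. Returns 0 when that is the case.
krb5_rdns_disabled() {
    [ "$(ini_get "$1" libdefaults rdns)" = "false" ]
}

# One-way trust scenario: krb5_auth = yes must no longer be active under
# [global] in pam_winbind.conf. Returns 0 when commented out or removed.
winbind_krb5_auth_disabled() {
    [ "$(ini_get "$1" global krb5_auth)" != "yes" ]
}

# Report both checks against the paths named on this page (overridable);
# returns non-zero if either workaround is missing.
audit_domain_join_config() {
    krb5=${1:-/etc/krb5.conf} winbind=${2:-/etc/security/pam_winbind.conf}
    rc=0
    if krb5_rdns_disabled "$krb5"; then
        echo "$krb5: rdns = false under [libdefaults] (OK)"
    else
        echo "$krb5: add 'rdns = false' under [libdefaults]"; rc=1
    fi
    if winbind_krb5_auth_disabled "$winbind"; then
        echo "$winbind: krb5_auth not forced (OK)"
    else
        echo "$winbind: comment out or remove 'krb5_auth = yes' in [global]"; rc=1
    fi
    return $rc
}
```

Source the file on the instance and call audit_domain_join_config, optionally passing alternate paths to the two configuration files.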