XenServer uses Likewise to manage domain-join related functionality; there are seven processes in total: netlogond/lwiod/dcerpcd/eventlogd/lsassd/lwsmd/lwregd
[root@raynor-xs-65 ~]# ps aux | grep likewise
root 10012 0.0 0.4 284292 3008 ? Sl Mar06 0:00 /opt/likewise/sbin/netlogond --syslog
root 10176 0.0 0.7 604588 4860 ? Sl Mar06 0:00 /opt/likewise/sbin/lwiod --syslog
root 10340 0.0 0.4 200380 2836 ? Sl Mar06 0:00 /opt/likewise/sbin/dcerpcd -f
root 10495 0.0 0.7 207148 4360 ? Sl Mar06 0:00 /opt/likewise/sbin/eventlogd --syslog
root 10680 0.0 1.5 1171000 9352 ? Sl Mar06 0:03 /opt/likewise/sbin/lsassd --syslog
root 15122 0.0 0.1 61216 768 pts/2 S+ 15:20 0:00 grep likewise
root 23854 0.0 0.3 378852 2212 ? Sl Mar06 0:01 /opt/likewise/sbin/lwsmd --start-as-daemon
root 23970 0.0 0.7 391636 4308 ? Sl Mar06 0:07 /opt/likewise/sbin/lwregd
[root@raynor-xs-65 ~]#
Joining the domain
Click Join Domain in XenCenter, or enter the following command in the CLI
[root@raynor-xs-65 ~]# xe pool-enable-external-auth auth-type=AD service-name=raynorli.com config:user=administrator config:pass=Citrix123
Relevant portion of the log, xensource.log
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7014 INET 0.0.0.0:80|pool.enable_external_auth D:a7e90c181a4e|audit] Pool.enable_external_auth: pool = 'bb377604-cc28-10a1-f07c-ba6fb07a75a6 (raynor-xs-65-pool)'; service name = 'raynorli.com'; auth_type = 'AD'
Domain join started via XenCenter
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7014 INET 0.0.0.0:80|pool.enable_external_auth D:a7e90c181a4e|xapi] MASTER=raynor-xs-65, SLAVES=
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7014 INET 0.0.0.0:80|pool.enable_external_auth D:a7e90c181a4e|xapi] trying to enable external authentication on host raynor-xs-65
Mar 8 19:48:11 raynor-xs-65 xapi: [ info|raynor-xs-65|7019 UNIX /var/xapi/xapi|session.slave_login D:3d420f577d23|xapi] Session.create trackid=2138dc7c871af0c3e6e3ea8d0451b04f pool=true uname= originator= is_local_superuser=true auth_user_sid= parent=trackid=9834f5af41c964e225f24279aefe4e49
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|audit] Host.enable_external_auth: host = '5aa80c05-a755-44aa-839a-4137cc312530 (raynor-xs-65)'; service_name = 'raynorli.com'; auth_type = 'AD'
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] current external_auth_type is
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth] using external auth plugin AD
Use the external auth plugin to connect to AD
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (31,24696)) for cmd /usr/bin/domainjoin-cli "--minimal" "join" "--ignore-pam" "--ignore-ssh" "--notimesync" "raynorli.com" "administrator"
Calls domainjoin-cli join domain username password
Mar 8 19:48:11 raynor-xs-65 xcp-rrdd: [debug|raynor-xs-65|0 monitor|main|rrdd_stats] system stats: MemTotal: 610000 KiB; MemFree: 28368 KiB; Buffered: 71948 KiB; Cached: 214896 KiB; SwapTotal: 524284 KiB; SwapFree: 524284 KiB
Mar 8 19:48:11 raynor-xs-65 xcp-rrdd: [debug|raynor-xs-65|0 monitor|main|rrdd_stats] Clock drift: -5
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Testing if external authentication server is accepting requests...
Start testing whether authentication against AD succeeds
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (32,25230)) for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "raynorli.com\KRBTGT"
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Request 0/60 to external authentication server successful: user KRBTGT was found
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (32,25233)) for cmd /opt/likewise/bin/lw-find-by-sid "--minimal" "S-1-5-21-2992225824-2712024514-73898840-502"
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Request 0/60 to external authentication server successful: sid S-1-5-21-2992225824-2712024514-73898840-502 was found
Because this XenServer had been joined to the domain before, the domain's Computers OU already holds a SID record for it
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|storing external_auth_configuration D:c1786678955e|extauth_plugin_ADlikewise] added external_auth_configuration for host raynor-xs-65
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] Calling extauth plugin extauth-hook in host raynor-xs-65 with event after-extauth-enable and params (auth_type=AD),(service_name=raynorli.com),
Call the extauth plugin
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth] Result of Extauth-hook: 'True'
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] external authentication service type AD for service name raynorli.com enabled successfully in host raynor-xs-65
Mar 6 19:10:45 raynor-xs-65 xapi: [ info|raynor-xs-65|144 UNIX /var/xapi/xapi||cli] xe pool-enable-external-auth auth-type=AD service-name=raynorli.com config:user=administrator config:pass=(omitted) username=root password=(omitted)
Status
The domain status can be seen on the XenServer, and in the CLI as well
[root@raynor-xs-65 ~]# xe subject-list
uuid ( RO) : 8620008b-5d32-8f73-599d-dd97949ef558
subject-identifier ( RO): S-1-5-21-2992225824-2712024514-73898840-1107
other-config (MRO): subject-name: RAYNORLI\a; subject-upn: a@RAYNORLI.COM; subject-uid: 1377305683; subject-gid: 1377305089; subject-sid: S-1-5-21-2992225824-2712024514-73898840-1107; subject-gecos: a; subject-displayname: a; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO):
In AD, this XenServer's hostname can be seen in the Computers OU. subject-name: RAYNORLI\a is a domain user that was added earlier as an administrator; no role has been assigned to this user yet
Leaving the domain
Click Leave Domain in XenCenter, or enter the following command in the CLI
[root@raynor-xs-65 ~]# xe pool-disable-external-auth
Relevant portion of the log, xensource.log
Mar 7 17:50:54 raynor-xs-65 xapi: [ info|raynor-xs-65|3264 UNIX /var/xapi/xapi||cli] xe pool-disable-external-auth username=root password=(omitted)
The leave-domain action triggered from the command line
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3264 UNIX /var/xapi/xapi|pool.disable_external_auth D:7c093f2725ec|audit] Pool.disable_external_auth: pool = 'bb377604-cc28-10a1-f07c-ba6fb07a75a6 (raynor-xs-65-pool)'
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3264 UNIX /var/xapi/xapi|pool.disable_external_auth D:7c093f2725ec|xapi] MASTER=raynor-xs-65, SLAVES=
Master/slave behaviour within the resource pool; the test environment has only one host in the pool, the master
Mar 7 17:50:54 raynor-xs-65 xapi: [ info|raynor-xs-65|3266 UNIX /var/xapi/xapi|session.slave_login D:e6df8a4e1fb3|xapi] Session.create trackid=2c15667c3a4b60715acef9b200f9d0bc pool=true uname= originator= is_local_superuser=true auth_user_sid= parent=trackid=9834f5af41c964e225f24279aefe4e49
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|audit] Host.disable_external_auth: host = '5aa80c05-a755-44aa-839a-4137cc312530 (raynor-xs-65)'
The host in the pool begins leaving the domain
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] Calling extauth plugin extauth-hook in host raynor-xs-65 with event before-extauth-disable and params (auth_type=AD),(service_name=raynorli.com),
Look up the extauth plugin extauth-hook
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth] Result of Extauth-hook: 'True'
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth] using external auth plugin AD
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] Created process pid (FEFork (31,20569)) for cmd /usr/bin/domainjoin-cli "--minimal" "leave" "--ignore-pam" "--ignore-ssh"
Call domainjoin-cli leave to leave the domain
Mar 7 17:50:56 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] Doing a manual Likewise domain-leave cleanup...
Likewise cleans up the domain information
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] execute /opt/xensource/libexec/lw-force-domain-leave: stdout=[SUCCESS;SUCCESS;SUCCESS;Stopping lsassd: [ OK ]^M;Stopping lwiod: [ OK ]^M;Stopping netlogond: [ OK ]^M;Stopping eventlogd: [ OK ]^M;Stopping dcerpcd: [ OK ]^M;],stderr=[]
Stop the Likewise-related services
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|removing external_auth_configuration D:25b65d2c947b|extauth_plugin_ADlikewise] removed external_auth_configuration for host raynor-xs-65
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] external authentication service disabled successfully in host raynor-xs-65
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] calling revalidate_all_sessions after disabling external auth for host raynor-xs-65
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] revalidating all external sessions in the local host
Re-validate that external auth is no longer present on this host
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3264 UNIX /var/xapi/xapi|pool.disable_external_auth D:7c093f2725ec|xapi] The external authentication of all hosts in the pool was disabled successfully
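As an added example (not code from the original post or from XenServer itself), the following shell script pulls the join and leave audit trail traced above out of xensource.log: which helper commands xapi spawned inside each enable/disable_external_auth task, the outcome of each task, and which domain and AD account the join used. It assumes only the line layout visible in the logs quoted here and runs against a constructed sample of those lines.

```shell
#!/bin/sh
# Added example (not from the original post): reconstruct the domain-join /
# domain-leave audit trail from xensource.log, so the sequence described
# above (audit entry -> domainjoin-cli -> hook -> result) can be checked
# after the fact. Assumes only the line layout visible in the post's logs.

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|audit] Host.enable_external_auth: host = '5aa80c05-a755-44aa-839a-4137cc312530 (raynor-xs-65)'; service_name = 'raynorli.com'; auth_type = 'AD'
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (31,24696)) for cmd /usr/bin/domainjoin-cli "--minimal" "join" "--ignore-pam" "--ignore-ssh" "--notimesync" "raynorli.com" "administrator"
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (32,25230)) for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "raynorli.com\KRBTGT"
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] external authentication service type AD for service name raynorli.com enabled successfully in host raynor-xs-65
Mar 7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] Created process pid (FEFork (31,20569)) for cmd /usr/bin/domainjoin-cli "--minimal" "leave" "--ignore-pam" "--ignore-ssh"
Mar 7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] external authentication service disabled successfully in host raynor-xs-65
EOF

# "time task command" for every helper xapi spawned inside an
# enable/disable_external_auth task (domainjoin-cli, lw-find-*, ...).
extauth_commands() {
    awk '/_external_auth D:/ && /for cmd / {
        split($0, t, "|"); sub(/ D:.*/, "", t[4])
        cmd = $0; sub(/.*for cmd /, "", cmd)
        print $3, t[4], cmd
    }' "$1"
}

# "time task outcome" for every task that reached a final result.
extauth_outcomes() {
    awk '/_external_auth D:/ && /(enabled|disabled) successfully/ {
        split($0, t, "|"); sub(/ D:.*/, "", t[4])
        print $3, t[4], ($0 ~ / enabled successfully/ ? "enabled" : "disabled")
    }' "$1"
}

# Domain and AD account used by the last domainjoin-cli join: the final two
# quoted arguments of the spawned command (quoted args sit at even indices).
join_identity() {
    awk '/domainjoin-cli/ && /"join"/ {
        n = split($0, a, "\""); id = a[n-3] " " a[n-1]
    } END { print id }' "$1"
}

extauth_commands "$SAMPLE_LOG"
extauth_outcomes "$SAMPLE_LOG"
join_identity "$SAMPLE_LOG"
```

Point the functions at /var/log/xensource.log on a real host to audit who joined which domain and when.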
Common errors
Unsynchronised time causes the domain join to fail; XenCenter reports the following error
"Failed","Enabling Active Directory Authentication on pool 'raynor-xs-65-pool' Could not enable external authentication: 40087 (0x9C97) LW_ERROR_CLOCK_SKEW - Clock skew detected with active directory server Host: raynor-xs-65 Time: 00:00:03","raynor-xs-65-pool","Mar 9, 2018 1:42 PM"
Solution: run ntpdate -u on the XenServer to synchronise the time, then join the domain again
example:
[root@raynor-xs-65 ~]# ntpdate -u 10.158.153.130
8 Mar 19:46:08 ntpdate[24358]: step time server 10.158.153.130 offset 556.638562 sec
[root@raynor-xs-65 ~]#
The domain controller cannot be found; XenCenter reports the following error
"Failed","Enabling Active Directory Authentication on pool 'raynor-xs-65-pool' The server was unable to contact your domain server to enable external authentication. Check that your settings are correct and a route to the server exists. Host: raynor-xs-65 Time: 00:00:03","raynor-xs-65-pool","Mar 9, 2018 2:18 PM"
Solution: check whether the DNS setting in /etc/resolv.conf points to the domain's DNS server
example:
[root@raynor-xs-65 ~]# cat /etc/resolv.conf
nameserver 10.158.153.130
[root@raynor-xs-65 ~]#