XenServer 6.5 Domain Join and Related Common Problems

Raynor
2018-03-15

XenServer uses Likewise to manage everything related to the domain join. There are seven processes in total: netlogond/lwiod/dcerpcd/eventlogd/lsassd/lwsmd/lwregd

[root@raynor-xs-65 ~]# ps aux | grep likewise
root     10012  0.0  0.4 284292  3008 ?        Sl   Mar06   0:00 /opt/likewise/sbin/netlogond --syslog
root     10176  0.0  0.7 604588  4860 ?        Sl   Mar06   0:00 /opt/likewise/sbin/lwiod --syslog
root     10340  0.0  0.4 200380  2836 ?        Sl   Mar06   0:00 /opt/likewise/sbin/dcerpcd -f
root     10495  0.0  0.7 207148  4360 ?        Sl   Mar06   0:00 /opt/likewise/sbin/eventlogd --syslog
root     10680  0.0  1.5 1171000 9352 ?        Sl   Mar06   0:03 /opt/likewise/sbin/lsassd --syslog
root     15122  0.0  0.1  61216   768 pts/2    S+   15:20   0:00 grep likewise
root     23854  0.0  0.3 378852  2212 ?        Sl   Mar06   0:01 /opt/likewise/sbin/lwsmd --start-as-daemon
root     23970  0.0  0.7 391636  4308 ?        Sl   Mar06   0:07 /opt/likewise/sbin/lwregd
[root@raynor-xs-65 ~]#

Joining the domain

Click Join Domain in XenCenter, or enter the following command in the CLI

[root@raynor-xs-65 ~]# xe pool-enable-external-auth auth-type=AD service-name=raynorli.com config:user=administrator config:pass=Citrix123

Relevant excerpts from xensource.log

Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7014 INET 0.0.0.0:80|pool.enable_external_auth D:a7e90c181a4e|audit] Pool.enable_external_auth: pool = 'bb377604-cc28-10a1-f07c-ba6fb07a75a6 (raynor-xs-65-pool)'; service name = 'raynorli.com'; auth_type = 'AD'

The domain join is started from XenCenter

Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7014 INET 0.0.0.0:80|pool.enable_external_auth D:a7e90c181a4e|xapi] MASTER=raynor-xs-65, SLAVES=
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7014 INET 0.0.0.0:80|pool.enable_external_auth D:a7e90c181a4e|xapi] trying to enable external authentication on host raynor-xs-65
Mar 8 19:48:11 raynor-xs-65 xapi: [ info|raynor-xs-65|7019 UNIX /var/xapi/xapi|session.slave_login D:3d420f577d23|xapi] Session.create trackid=2138dc7c871af0c3e6e3ea8d0451b04f pool=true uname= originator= is_local_superuser=true auth_user_sid= parent=trackid=9834f5af41c964e225f24279aefe4e49
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|audit] Host.enable_external_auth: host = '5aa80c05-a755-44aa-839a-4137cc312530 (raynor-xs-65)'; service_name = 'raynorli.com'; auth_type = 'AD'
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] current external_auth_type is
Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth] using external auth plugin AD

The external auth plugin is used to connect to AD

Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (31,24696)) for cmd /usr/bin/domainjoin-cli "--minimal" "join" "--ignore-pam" "--ignore-ssh" "--notimesync" "raynorli.com" "administrator"

domainjoin-cli join is invoked with the domain, username and password

Mar 8 19:48:11 raynor-xs-65 xcp-rrdd: [debug|raynor-xs-65|0 monitor|main|rrdd_stats] system stats: MemTotal: 610000 KiB; MemFree: 28368 KiB; Buffered: 71948 KiB; Cached: 214896 KiB; SwapTotal: 524284 KiB; SwapFree: 524284 KiB
Mar 8 19:48:11 raynor-xs-65 xcp-rrdd: [debug|raynor-xs-65|0 monitor|main|rrdd_stats] Clock drift: -5
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Testing if external authentication server is accepting requests...

xapi starts testing whether authentication against AD works

Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (32,25230)) for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "raynorli.com\KRBTGT"
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Request 0/60 to external authentication server successful: user KRBTGT was found
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (32,25233)) for cmd /opt/likewise/bin/lw-find-by-sid "--minimal" "S-1-5-21-2992225824-2712024514-73898840-502"
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Request 0/60 to external authentication server successful: sid S-1-5-21-2992225824-2712024514-73898840-502 was found

Because this host had joined the domain before, the domain's Computers OU already holds a SID record for this XenServer

Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|storing external_auth_configuration D:c1786678955e|extauth_plugin_ADlikewise] added external_auth_configuration for host raynor-xs-65
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] Calling extauth plugin extauth-hook in host raynor-xs-65 with event after-extauth-enable and params (auth_type=AD),(service_name=raynorli.com),

The extauth plugin is called

Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth] Result of Extauth-hook: 'True'
Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] external authentication service type AD for service name raynorli.com enabled successfully in host raynor-xs-65

Mar 6 19:10:45 raynor-xs-65 xapi: [ info|raynor-xs-65|144 UNIX /var/xapi/xapi||cli] xe pool-enable-external-auth auth-type=AD service-name=raynorli.com config:user=administrator config:pass=(omitted) username=root password=(omitted)

Status

The domain status is visible on the XenServer, and also in the CLI

[root@raynor-xs-65 ~]# xe subject-list
uuid ( RO)                  : 8620008b-5d32-8f73-599d-dd97949ef558
    subject-identifier ( RO): S-1-5-21-2992225824-2712024514-73898840-1107
          other-config (MRO): subject-name: RAYNORLI\a; subject-upn: a@RAYNORLI.COM; subject-uid: 1377305683; subject-gid: 1377305089; subject-sid: S-1-5-21-2992225824-2712024514-73898840-1107; subject-gecos: a; subject-displayname: a; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
                 roles (SRO):

In AD, this XenServer's hostname can be seen in the Computers OU. subject-name: RAYNORLI\a is a domain user that was added earlier as an administrator; no role has been assigned to this user yet.

Leaving the domain

Click Leave Domain in XenCenter, or enter the following command in the CLI

[root@raynor-xs-65 ~]# xe pool-disable-external-auth

Relevant excerpts from xensource.log

Mar  7 17:50:54 raynor-xs-65 xapi: [ info|raynor-xs-65|3264 UNIX /var/xapi/xapi||cli] xe pool-disable-external-auth username=root password=(omitted)   

The domain leave is triggered from the command line

Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3264 UNIX /var/xapi/xapi|pool.disable_external_auth D:7c093f2725ec|audit] Pool.disable_external_auth: pool = 'bb377604-cc28-10a1-f07c-ba6fb07a75a6 (raynor-xs-65-pool)'
Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3264 UNIX /var/xapi/xapi|pool.disable_external_auth D:7c093f2725ec|xapi] MASTER=raynor-xs-65, SLAVES=   

Master/slave behaviour within the resource pool; in the test environment the pool contains only a single master

Mar  7 17:50:54 raynor-xs-65 xapi: [ info|raynor-xs-65|3266 UNIX /var/xapi/xapi|session.slave_login D:e6df8a4e1fb3|xapi] Session.create trackid=2c15667c3a4b60715acef9b200f9d0bc pool=true uname= originator= is_local_superuser=true auth_user_sid= parent=trackid=9834f5af41c964e225f24279aefe4e49
Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|audit] Host.disable_external_auth: host = '5aa80c05-a755-44aa-839a-4137cc312530 (raynor-xs-65)'  

The hosts in the pool start leaving the domain

Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] Calling extauth plugin extauth-hook in host raynor-xs-65 with event before-extauth-disable and params (auth_type=AD),(service_name=raynorli.com),  

The extauth plugin extauth-hook is looked up

Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth] Result of Extauth-hook: 'True'
Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth] using external auth plugin AD
Mar  7 17:50:54 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] Created process pid (FEFork (31,20569)) for cmd /usr/bin/domainjoin-cli "--minimal" "leave" "--ignore-pam" "--ignore-ssh"  

domainjoin-cli leave is invoked to leave the domain

Mar  7 17:50:56 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] Doing a manual Likewise domain-leave cleanup...  

Likewise cleans up the domain information

Mar  7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|extauth_plugin_ADlikewise] execute /opt/xensource/libexec/lw-force-domain-leave: stdout=[SUCCESS;SUCCESS;SUCCESS;Stopping lsassd: [  OK  ]^M;Stopping lwiod: [  OK  ]^M;Stopping netlogond: [  OK  ]^M;Stopping eventlogd: [  OK  ]^M;Stopping dcerpcd: [  OK  ]^M;],stderr=[]  

The Likewise-related services are stopped

Mar  7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|removing external_auth_configuration D:25b65d2c947b|extauth_plugin_ADlikewise] removed external_auth_configuration for host raynor-xs-65
Mar  7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] external authentication service disabled successfully in host raynor-xs-65
Mar  7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] calling revalidate_all_sessions after disabling external auth for host raynor-xs-65
Mar  7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3268 UNIX /var/xapi/xapi|host.disable_external_auth D:c6c33a3c36a3|xapi] revalidating all external sessions in the local host   

xapi re-validates that external auth is now gone from this host

Mar  7 17:51:00 raynor-xs-65 xapi: [debug|raynor-xs-65|3264 UNIX /var/xapi/xapi|pool.disable_external_auth D:7c093f2725ec|xapi] The external authentication of all hosts in the pool was disabled successfully
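As an added example (not from the original post), a small Python parser for the xensource.log records shown in the join and leave walk-throughs above: it splits each record into its level/thread/task/component fields, collects the helper commands xapi forks (domainjoin-cli, lw-find-user-by-name, lw-find-by-sid), and reports whether the operation ended in success or in a Likewise LW_ERROR. The field layout is inferred from the lines on this page; the clock-skew sample record is constructed from the XenCenter error text in the common errors section, because the corresponding log line is not on the page.

```python
import re
from collections import namedtuple

# One xensource.log record: "Mon  D HH:MM:SS host prog: [level|host|thread|task D:ref|component] message"
Record = namedtuple("Record", "time host level thread task component message")
LINE_RE = re.compile(r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: \[\s*(?P<level>\w+)"
                     r"\|[^|]*\|(?P<thread>[^|]*)\|(?P<task>[^|]*)\|(?P<component>[^\]]*)\] (?P<message>.*)$")
CMD_RE = re.compile(r'for cmd (\S+)((?: "[^"]*")*)')  # "Created process ... for cmd /path/tool "arg" ..."
LW_ERR_RE = re.compile(r"\b(LW_ERROR_[A-Z_]+)\b")      # Likewise error symbols such as LW_ERROR_CLOCK_SKEW

def parse_line(line):
    """Split one xensource.log line into fields; the task keeps its name and drops the D:ref id."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    g = m.groupdict()
    return Record(g["time"], g["host"], g["level"], g["thread"], g["task"].split(" D:")[0],
                  g["component"], g["message"])

def summarize_extauth(lines):
    """Reduce the enable/disable_external_auth records to operation, helpers spawned and result."""
    summary = {"operation": None, "commands": [], "result": "unknown", "errors": []}
    for rec in filter(None, map(parse_line, lines)):
        if "external_auth" not in rec.task and not rec.component.startswith("extauth"):
            continue  # unrelated xapi traffic (rrdd stats, session logins, ...)
        if rec.task.endswith("enable_external_auth"):
            summary["operation"] = "enable"
        elif rec.task.endswith("disable_external_auth"):
            summary["operation"] = "disable"
        m = CMD_RE.search(rec.message)
        if m:  # the domainjoin-cli / lw-* helper xapi forked, with its quoted arguments
            args = re.findall(r'"([^"]*)"', m.group(2))
            summary["commands"].append(" ".join([m.group(1).rsplit("/", 1)[-1]] + args))
        if "enabled successfully" in rec.message or "disabled successfully" in rec.message:
            summary["result"] = "success"
        summary["errors"].extend(LW_ERR_RE.findall(rec.message))
    if summary["errors"]:
        summary["result"] = "failure"
    return summary

# Sample input: three lines copied from the join log above, plus one constructed clock-skew failure line.
JOIN_LINES = [
    r'Mar 8 19:48:11 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (31,24696)) for cmd /usr/bin/domainjoin-cli "--minimal" "join" "--ignore-pam" "--ignore-ssh" "--notimesync" "raynorli.com" "administrator"',
    r'Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|extauth_plugin_ADlikewise] Created process pid (FEFork (32,25230)) for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "raynorli.com\KRBTGT"',
    r'Mar 8 19:48:17 raynor-xs-65 xapi: [debug|raynor-xs-65|7021 UNIX /var/xapi/xapi|host.enable_external_auth D:87a353f1b85c|xapi] external authentication service type AD for service name raynorli.com enabled successfully in host raynor-xs-65',
]
SKEW_LINES = [  # constructed: the XenCenter error text from this page placed into a log record
    r'Mar  9 13:42:00 raynor-xs-65 xapi: [debug|raynor-xs-65|7100 UNIX /var/xapi/xapi|host.enable_external_auth D:000000000000|extauth_plugin_ADlikewise] Could not enable external authentication: 40087 (0x9C97) LW_ERROR_CLOCK_SKEW - Clock skew detected with active directory server',
]
```

Feed it `grep external_auth /var/log/xensource.log` (or the whole file) to get the join or leave sequence as one summary instead of reading the raw records.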

Common errors

Time not being synchronised causes the domain join to fail; XenCenter reports the following error

"Failed","Enabling Active Directory Authentication on pool 'raynor-xs-65-pool' Could not enable external authentication: 40087 (0x9C97) LW_ERROR_CLOCK_SKEW - Clock skew detected with active directory server Host: raynor-xs-65 Time: 00:00:03","raynor-xs-65-pool","Mar 9, 2018 1:42 PM" 

Solution: run ntpdate -u on the XenServer to synchronise the time, then join the domain again

Example:

[root@raynor-xs-65 ~]# ntpdate -u 10.158.153.130 
8 Mar 19:46:08 ntpdate[24358]: step time server 10.158.153.130 offset 556.638562 sec 
[root@raynor-xs-65 ~]#

The domain controller cannot be found; XenCenter reports the following error

"Failed","Enabling Active Directory Authentication on pool 'raynor-xs-65-pool' The server was unable to contact your domain server to enable external authentication. Check that your settings are correct and a route to the server exists. Host: raynor-xs-65 Time: 00:00:03","raynor-xs-65-pool","Mar 9, 2018 2:18 PM" 

Solution: check whether the DNS setting in /etc/resolv.conf points to the domain's DNS server

Example:

[root@raynor-xs-65 ~]# cat /etc/resolv.conf 
nameserver 10.158.153.130 
[root@raynor-xs-65 ~]#
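As an added example (not from the original post), a pre-join check that turns the two fixes above into tests that can run on dom0 before issuing pool-enable-external-auth: the ntpdate output and resolv.conf content are the ones shown above, the set of domain DNS servers is supplied by the caller (an assumption about the environment), and the 300-second limit is the Kerberos default clock tolerance that the LW_ERROR_CLOCK_SKEW error reflects.

```python
import re

KERBEROS_MAX_SKEW = 300.0  # seconds; Kerberos/AD default tolerance, beyond which LW_ERROR_CLOCK_SKEW is expected
OFFSET_RE = re.compile(r"offset (-?\d+(?:\.\d+)?) sec")

def ntpdate_offset(output):
    """Return the clock offset reported by ntpdate (-q or -u output), or None if no offset is present."""
    m = OFFSET_RE.search(output)
    return float(m.group(1)) if m else None

def nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf text, skipping comments and other directives."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def preflight(ntp_output, resolv_conf, domain_dns_servers, max_skew=KERBEROS_MAX_SKEW):
    """Check the two join failures described on this page; returns a list of problems (empty = ready)."""
    problems = []
    offset = ntpdate_offset(ntp_output)
    if offset is None:
        problems.append("ntpdate gave no offset: time server unreachable or output not recognised")
    elif abs(offset) > max_skew:
        problems.append("clock skew %.1f s exceeds %.0f s: run ntpdate -u against the DC first" % (offset, max_skew))
    ns = nameservers(resolv_conf)
    if not ns:
        problems.append("/etc/resolv.conf has no nameserver entry: DC lookup will fail")
    elif not any(s in domain_dns_servers for s in ns):
        problems.append("none of %s is a domain DNS server: domainjoin-cli cannot locate the DC" % ns)
    return problems

# Sample input copied from the page: the ntpdate output before the time fix and the resolv.conf after the DNS fix.
NTP_OUTPUT = "8 Mar 19:46:08 ntpdate[24358]: step time server 10.158.153.130 offset 556.638562 sec"
RESOLV_CONF = "nameserver 10.158.153.130\n"
```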
