The server is RHEL 7 and the Kerberos KDC is AD (Windows). I am only a client of the KDC.
Arcfour-hmac works fine, but when I change the encryption type to aes-256 and set up a new keytab, kinit still works but kvno does not. Even though the user appears to hold a valid ticket (in klist), he can no longer start the service.
I have no access to the Kerberos AD, but it seems to be correctly configured for aes-256, since end users (on Windows machines) already obtain tickets with this encryption type.
My krb5.conf:
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
Here is the error I get when I try to obtain a ticket with kvno:
[2477332] 1493147723.961912: Getting credentials [email protected] -> nn/[email protected] using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving [email protected] -> nn/[email protected] from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
[2477332] 1493147723.962274: Requesting tickets for nn/[email protected], referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist of my keytab:
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/[email protected] (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/[email protected] (aes256-cts-hmac-sha1-96)
Thanks for your help.
I recently ran into this problem and was able to solve it.
For us, AD was using a different salt than the one the Kerberos client uses by default.
That is, with ktutil:
ktutil: add_entry -password -p [email protected] -k 4 -e arcfour-hmac
Password for [email protected]:
generates a keytab file that I can use to kinit as that principal. However:
ktutil: add_entry -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96
Password for [email protected]:
did not generate a keytab file that allowed a successful kinit (pre-authentication failed).
I had to do this:
ktutil: add_entry -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96 -f
Password for [email protected]:
which tells ktutil to fetch the salt information from the AD DC. It then uses the correct salt. This generates a keytab file that allows a successful kinit.
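The salt mismatch described in the answer above, as an added example that is not part of the original question or answer. It reproduces the PBKDF2 stage of the RFC 3962 string-to-key function for aes256-cts-hmac-sha1-96 under two salts: the RFC 4120 default salt that ktutil add_entry uses when no salt is supplied (realm followed by the principal's name components), and the salt Active Directory uses for a user account (realm followed by the sAMAccountName, regardless of which SPNs are registered on the account). The final RFC 3962 step, key = DK(tkey, "kerberos"), needs an AES implementation that the standard library lacks and is omitted; it is deterministic in tkey, so two different tkeys always give two different keytab keys. The realm TOTO.NET, the service principal nn/host.toto.net, the account name nnsvc and the password are all constructed stand-ins and are assumptions, not values from the page.

```python
"""Added example: why a keytab built with ktutil's default salt does not match
the AES key Active Directory derived when the account password was set.

RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
    tkey = PBKDF2-HMAC-SHA1(password, salt, 4096 iterations, 32 bytes)
    key  = DK(tkey, "kerberos")      # AES-based, omitted here; deterministic in tkey
Only the salt differs between the client's default and what the DC used.
Realm, principal, sAMAccountName and password below are constructed assumptions.
"""
import hashlib

AES256_KEY_LEN = 32        # key size of aes256-cts-hmac-sha1-96 in bytes
RFC3962_ITERATIONS = 4096  # default iteration count when the KDC sends no s2kparams


def mit_default_salt(principal: str) -> bytes:
    """RFC 4120 default salt, used by ktutil add_entry without -f:
    realm followed by every name component, with no separators.
    'nn/host.toto.net@TOTO.NET' -> b'TOTO.NETnnhost.toto.net'"""
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode("utf-8")


def ad_user_salt(realm: str, sam_account_name: str) -> bytes:
    """AD salt for a user account ([MS-KILE]): uppercase realm followed by the
    sAMAccountName with its case preserved. SPNs on the account play no part,
    which is why a service principal keyed with the default salt does not match."""
    return (realm.upper() + sam_account_name).encode("utf-8")


def ad_computer_salt(realm: str, sam_account_name: str) -> bytes:
    """AD salt for a computer account ([MS-KILE]): uppercase realm, 'host', the
    lowercase sAMAccountName without its trailing '$', '.', and the lowercase realm."""
    host = sam_account_name.rstrip("$").lower()
    return (realm.upper() + "host" + host + "." + realm.lower()).encode("utf-8")


def aes256_tkey(password: str, salt: bytes, iterations: int = RFC3962_ITERATIONS) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, AES256_KEY_LEN)


def keytab_check(principal: str, realm: str, sam_account_name: str, password: str) -> dict:
    """Compare the key the DC holds (AD user salt) with two client-side keytab builds:
    add_entry with the default salt, and add_entry -f, which asks the KDC for the
    salt it used and therefore ends up with the AD salt."""
    ad_salt = ad_user_salt(realm, sam_account_name)
    default_salt = mit_default_salt(principal)
    kdc_key = aes256_tkey(password, ad_salt)
    default_key = aes256_tkey(password, default_salt)
    fetched_key = aes256_tkey(password, ad_salt)  # salt obtained from the DC via -f
    return {
        "default_salt": default_salt,
        "ad_salt": ad_salt,
        "default_matches_kdc": default_key == kdc_key,       # False: pre-authentication fails
        "fetched_salt_matches_kdc": fetched_key == kdc_key,  # True: kinit succeeds
    }


if __name__ == "__main__":
    # Constructed input: SPN nn/host.toto.net registered on AD user account "nnsvc".
    for name, value in keytab_check("nn/host.toto.net@TOTO.NET", "TOTO.NET",
                                    "nnsvc", "s3cret!").items():
        print(f"{name}: {value}")
```

The check models what the DC does, so the pass/fail outcome mirrors the answer: a keytab whose AES entry was derived with the default salt holds a key the KDC never issued, and pre-authentication fails even though the password is right; arcfour-hmac is unaffected because its string-to-key (RFC 4757) ignores the salt entirely.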