The server is RHEL7 and the Kerberos KDC is AD (Windows). I am only a client of the KDC.
Arcfour-hmac works fine, but when I change the encryption type to aes-256 and set up a new keytab, kinit still works but kvno does not. Even though the user appears to have a valid ticket (in klist), he can no longer start the service.
I don't have access to the Kerberos AD, but it seems to be correctly configured for aes-256, because end users (on Windows machines) already request tickets with this encryption type.
My krb5.conf:
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
Here is the error I get when trying to obtain a ticket with kvno:
[2477332] 1493147723.961912: Getting credentials myuser@TOTO.NET -> nn/myserver@TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser@TOTO.NET -> nn/myserver@TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser@TOTO.NET -> krbtgt/TOTO.NET@TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser@TOTO.NET -> krbtgt/TOTO.NET@TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver@TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01@TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02@TOTO.NET (aes256-cts-hmac-sha1-96)
Thanks for your help.
Answer 0 (score: 5)
Ask your AD administrator to enable support for the AES-256 encryption type on the AD account associated with the keytab. To find that account, run the following command:
The output will tell you the account's name. It will start with CN=xxx, where "xxx" is the name of the AD account. To enable support for the AES-256 encryption type on that account, tell the AD administrator that the checkbox "This account supports Kerberos AES 256 bit encryption" must be checked; it is on the "Account" tab, all the way at the bottom.
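As an added example (not part of the question or either answer), here is a small Python check that decodes an AD account's msDS-SupportedEncryptionTypes bitmask and compares it with the enctypes listed by klist -ket, so the mismatch behind "KDC has no support for encryption type" can be confirmed before asking the AD admin to tick the AES 256 box. The klist sample and the bitmask values are constructed, and the code assumes the classic AD default in which an unset attribute means RC4 only (newer domain controller updates changed that default).

```python
import re

# msDS-SupportedEncryptionTypes bit flags (MS-KILE section 2.2.7).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed sample of `klist -ket` output, modelled on the keytab in the question,
# with one extra RC4 entry so that a mixed keytab can be checked.
SAMPLE_KLIST = """Keytab name: FILE:nn.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/1970 01:00:00 nn/myserver01@TOTO.NET (aes256-cts-hmac-sha1-96)
   1 03/22/2017 16:34:55 nn/myserver02@TOTO.NET (aes256-cts-hmac-sha1-96)
   4 03/22/2017 16:34:55 nn/myserver02@TOTO.NET (arcfour-hmac)
"""

# KVNO, date, time, principal, "(enctype)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+) \((\S+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -ket` output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def decode_supported_enctypes(value):
    """Enctypes the KDC will issue service tickets with for an account whose
    msDS-SupportedEncryptionTypes is `value`. Assumption: unset/zero means RC4
    only (classic AD default; newer DC updates changed it)."""
    if not value:
        return {"arcfour-hmac"}
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}

def unsupported_keytab_entries(klist_text, supported_enctypes_value):
    """Keytab entries whose enctype the account cannot serve; a TGS request for
    such a principal fails with 'KDC has no support for encryption type'."""
    allowed = decode_supported_enctypes(supported_enctypes_value)
    return [e for e in parse_keytab_listing(klist_text) if e[2] not in allowed]

if __name__ == "__main__":  # account without the AES 256 checkbox: RC4 (0x4) only
    for kvno, princ, etype in unsupported_keytab_entries(SAMPLE_KLIST, 0x4):
        print(f"{princ} kvno {kvno}: keytab has {etype}, AD account does not allow it")
```

Read the real attribute value with an LDAP query against the account found above; the decoded set is what the KDC is willing to use, regardless of what krb5.conf requests.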
Answer 1 (score: 0)
I only recently ran into this problem and was able to resolve it.
For us, it was that the salt AD uses differs from the salt the Kerberos client uses by default.
That is, when using ktutil:
ktutil: addent -password -p servicepuppetnp@AMER.EXAMPLE.COM -k 4 -e arcfour-hmac
Password for admspike_white@AMER.EXAMPLE.COM:
produced a keytab file that I could use as the principal. Whereas:
ktutil: addent -password -p admspike_white@AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for admspike_white@AMER.EXAMPLE.COM:
did not produce a keytab file that allowed a successful kinit (Preauthentication failed).
I had to do this:
ktutil: addent -password -p admspike_white@AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 -f
Password for admspike_white@AMER.EXAMPLE.COM:
which tells ktutil to fetch the salt information from the AD DC and then use the correct salt. That produced a keytab file that could kinit successfully.