rlm_krb5找不到密钥表条目

Question

c我正在使用rlm_krb5在RHEL7上设置3.x半径 但是，我似乎在使用密钥表时遇到麻烦。

也许有可能涉及池的配置步骤？ 可能需要以特定方式创建密钥表吗？

我有：

• 验证了功能性的2.x配置（在RHEL6上）
• 验证了服务prinicpal和keytab / w kinit＆klog
• 经过验证的密钥表和文件夹权限（750 grp = radiusd）提供访问权限（在2.x安装中可以使用640）
• 在/etc/krb5.conf中经过验证的kdc主机
• 发现/ usr / bin / libtool包含deplibs_check_method =“全部通过（vs deplibs_test_method）
• 尝试注释掉池实例以使配置看起来更像2.x config
• 试图更改/etc/krb5.conf的组所有权
• 尝试使用从RHEL6和RHEL7系统生成的密钥表
• 尝试使用kdestroy删除缓存文件/ tmp / krb_mycache，然后重新启动系统。 （由kinit生成）
• 试图在/ var /
下寻找应用程序缓存
• 试图操纵用于keytab的服务原理和密码

版本：

RHEL6

• freeradius-2.2.6-7.el6_9.x86_64
• freeradius-krb5-2.2.6-7.el6_9.x86_64
• freeradius-utils-2.2.6-7.el6_9.x86_64

RHEL7

• freeradius-krb5-3.0.13-9.el7_5.x86_64
• freeradius-utils-3.0.13-9.el7_5.x86_64
• freeradius-3.0.13-9.el7_5.x86_64

调试输出：

>radiusd -X
FreeRADIUS Version 3.0.13
...
  # Loaded module rlm_krb5
  # Loading module "krb5" from file /etc/raddb/mods-enabled/krb5
  krb5 {
      keytab = "/etc/raddb/kerb/radius.keytab"
      service_principal = "radius/myhost.mydomain"
  }
...
Using MIT Kerberos library
rlm_krb5 (krb5): Using service principal "radius/myhost.mydomain@MYDOMAIN"
rlm_krb5 (krb5): Using keytab "FILE:/etc/raddb/kerb/radius.keytab"
rlm_krb5 (krb5): Initialising connection pool
   pool {
       start = 5
       min = 3
       max = 32
       spare = 10
       uses = 0
       lifetime = 0
       cleanup_interval = 30
       idle_timeout = 0
       retry_delay = 1
       spread = no
   }
rlm_krb5 (krb5): Opening additional connection (0), 1 of 32 pending slots used
rlm_krb5 (krb5): Opening additional connection (1), 1 of 31 pending slots used
rlm_krb5 (krb5): Opening additional connection (2), 1 of 30 pending slots used
rlm_krb5 (krb5): Opening additional connection (3), 1 of 29 pending slots used
rlm_krb5 (krb5): Opening additional connection (4), 1 of 28 pending slots used
...
Ready to process requests
(0) Received Access-Request Id 205 from MYIP1:60506 to MYIP2:1812 length >78
...
(0) Found Auth-Type = Kerberos
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Auth-Type Kerberos {
rlm_krb5 (krb5): Reserved connection (0)
(0) krb5: Using client principal "myuser@MYDOMAIN"
(0) krb5: Retrieving and decrypting TGT
(0) krb5: Attempting to authenticate against service principal
(0) krb5: ERROR: Error verifying credentials (-1765328339): No key table entry found for radius/myhost.mydomain@MYDOMAIN
rlm_krb5 (krb5): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_krb5 (krb5): Opening additional connection (5), 1 of 27 pending slots used
(0)     [krb5] = fail
(0)   } # Auth-Type Kerberos = fail
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
...
Ready to process requests
^C

在krb5中操纵service_principle参数：

service_principal = radius/myhost.mydomain@MYDOMAIN

(0) krb5: ERROR: Error verifying credentials (-1765328203): No key table entry found for radius/myhost.mydomain\@mydomain@MYDOMAIN

service_principal =错误的名称_of_principle

(0) krb5: ERROR: Error verifying credentials (-1765328203): No key table entry found for wrong_name_of_principle/myhost.mydomain@MYDOMAIN

service_principal =半径

(0) krb5: ERROR: Error verifying credentials (-1765328339): No key table entry found for radius/myhost.mydomain@MYDOMAIN

使用正确的service_prinicple处理keytab中的错误密码：

(0) krb5: ERROR: Error verifying credentials (-1765328203): No key table entry found for radius/myhost.mydomain@MYDOMAIN

验证密钥标签：

kinit -V -k -t ./radius.keytab  radius/myhost.mydomain
Using default cache: /tmp/krb_mycache
Using principal: radius/myhost.mydomain@MYDOMAIN
Using keytab: ./radius.keytab
Authenticated to Kerberos v5

klist  -k ./radius.keytab
Keytab name: FILE:./radius.keytab
KVNO Principal
 ---- --------------------------------------------------------------------------
   1 radius/myhost.mydomain@MYDOMAIN

正在研究错误代码：

失败状态表明连接到kdc时出现问题。 rlm_krb5

fail The module was unable to connect to the Kerberos DC.

Appendix - Kerberos (krb5) Error Messages Kerberos v5 Status Codes

-1765328339 KRB5KRB_AP_ERR_NOKEY Service key not available

Kerberos Error Messages and Troubleshooting

Service key not available
Cause: The service ticket in the credentials cache may be incorrect.
Solution: Destroy current credential cache and rerun kinit before trying to use this service.