Kerberos authentication problem

Time: 2019-03-22 17:46:33

Tags: redhat kerberos kdc

Please help me understand what I am doing.

Trying to connect via kerberos:

kadmin -p root/admin
Password for root/admin@KRB5.COM: 
kadmin: Incorrect password while initializing kadmin interface

In the log:

Mar 22 13:26:35 server1.com krb5kdc[4015](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) ::1: SERVER_NOT_FOUND: root/admin@KRB5.COM for kadmin/localhost@KRB5.COM, Server not found in Kerberos database
Mar 22 13:26:55 server1.com krb5kdc[4015](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) ::1: ISSUE: authtime 1553275615, etypes {rep=18 tkt=18 ses=18}, root/admin@KRB5.COM for kadmin/admin@KRB5.COM

But why? I have already created this host and user, like so:

kadmin.local: addprinc -randkey server1.com/krb5.com
kadmin.local: ktadd server1.com/krb5.com
kadmin.local: addprinc root/admin
kadmin.local: ktadd root/admin

What am I missing?

krb5.conf configuration:

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = KRB5.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 KRB5.COM = {
  kdc = server1.com
  admin_server = server1.com
 }

[domain_realm]
 .krb5.com = KRB5.COM
 krb5.com = KRB5.COM

kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KRB5.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

kadmin.acl

*/admin@KRB5.COM    *

P.S. The hostname is server1.com. P.P.S. Records for localhost / server1.com have been added to the hosts file.
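As an added example that is not part of the original question: a small Python parser for krb5kdc.log request lines like the two quoted above. It extracts the client address, the status code, the client and service principals, and the encryption types the client offered, so that a log can be reduced to "which principal lookups failed (here kadmin/localhost) and which requests the KDC actually issued tickets for (kadmin/admin)". The sample lines are constructed copies of the ones in the question; the field names and the weak-enctype set are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: the two krb5kdc.log lines quoted in the question.
SAMPLE_LOG = [
    "Mar 22 13:26:35 server1.com krb5kdc[4015](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) ::1: "
    "SERVER_NOT_FOUND: root/admin@KRB5.COM for kadmin/localhost@KRB5.COM, Server not found in Kerberos database",
    "Mar 22 13:26:55 server1.com krb5kdc[4015](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) ::1: "
    "ISSUE: authtime 1553275615, etypes {rep=18 tkt=18 ses=18}, root/admin@KRB5.COM for kadmin/admin@KRB5.COM",
]

# One krb5kdc request line: syslog timestamp, host, process, request type, the
# enctypes the client offered, client address, status code, then the details.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" inside the details part.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")

# Enctype numbers (RFC 3961) for des-cbc-crc, des-cbc-md5, des3-cbc-sha1 and
# arcfour-hmac; all are deprecated (RFC 6649, RFC 8429) and worth flagging.
WEAK_ETYPES = {1, 3, 16, 23}


def parse_kdc_line(line):
    """Return a dict of fields for one krb5kdc request line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["weak_etypes_offered"] = sorted(e for e in rec["etypes"] if e in WEAK_ETYPES)
    p = PRINC_RE.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def summarize(lines):
    """Per client principal: which service principals were requested and with what result."""
    out = defaultdict(list)
    for rec in filter(None, map(parse_kdc_line, lines)):
        out[rec["client"]].append((rec["server"], rec["status"]))
    return dict(out)


if __name__ == "__main__":
    for client, attempts in summarize(SAMPLE_LOG).items():
        print(client, attempts)
```

Run against a real /var/log/krb5kdc.log the same summary shows at a glance whether a failing kadmin login ever reached the KDC and what the KDC answered, which is the first thing to separate from a client-side key problem.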

0 answers:

No answers