I have successfully joined an Ubuntu machine (Ubuntu 20.04 LTS) to Active Directory. As a result, I can log in with AD accounts, obtain and renew ticket-granting tickets for users, and access network shares via Kerberos authentication.
However, I am having trouble obtaining initial credentials for the computer account:
admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
[sudo] password for admin:
[232252] 1645435537.855061: Getting initial credentials for host/[email protected]
[232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
[232252] 1645435537.855064: Sending unauthenticated request
[232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
[232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
[232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
[232252] 1645435537.855068: Response was from master KDC
[232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials
I have spent several hours on this problem without progress. Probably I am missing some basic step. The requested principal is contained in the local keytab on the Ubuntu machine:
root@comp01:~$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 02/17/2022 07:34:59 [email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 [email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 [email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 host/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
And the principals are also registered on the AD domain controller:
> setspn -L comp01
Registrierte Dienstprinzipalnamen (SPN) für CN=COMP01,CN=Computers,DC=company,DC=lan:
RestrictedKrbHost/comp01.company.lan
host/comp01.company.lan
RestrictedKrbHost/COMP01
host/COMP01
The Ubuntu machine was joined to the AD domain using
> realm join company.lan
and the Kerberos configuration file is as follows:
[libdefaults]
default_realm = COMPANY.LAN
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
COMPANY.LAN = {
kdc = DC.company.lan
admin_server = DC.company.lan
default_domain = company.lan
}
[domain_realm]
.company.lan = COMPANY.LAN
company.lan = COMPANY.LAN
Forward and reverse DNS also look fine:
> nslookup comp01
Server: DC.company.lan
Address: 172.27.17.41
Name: comp01.company.lan
Address: 172.27.17.131
> nslookup 172.27.17.131
Server: DC.company.lan
Address: 172.27.17.41
Name: comp01.company.lan
Address: 172.27.17.131
I would really appreciate any hint that points me in the right direction.
For Active Directory style Kerberos, there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as the client principal; its SPNs cannot.
A computer object's account name is always the uppercase hostname suffixed with $, e.g. for a computer named "COMP01" the account name would be COMP01$. Meanwhile, host/comp01 and host/comp01.company.lan exist only as service principals: the AD KDC will issue tickets to clients that request "host/comp01" as the target server, but will not allow them to act as the client during initial authentication. They exist in your keytab only for the "acceptor" side.
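As an added example (not part of the answer above), a small POSIX shell helper that picks the machine-account principal out of klist -kte output, skipping the host/ and RestrictedKrbHost/ service principals, and prints the matching kinit invocation. The keytab listing below is constructed; the realm COMPANY.LAN and keytab path /etc/krb5.keytab come from the question, and the principal COMP01$@COMPANY.LAN follows from the answer's explanation.

```shell
#!/bin/sh
# Added example (not from the original post): pick the computer-account
# principal out of `klist -kte` output and build the kinit invocation.
# Assumptions: realm COMPANY.LAN and keytab /etc/krb5.keytab as in the question.

# Constructed sample of `klist -kte` output, modelled on the question's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)'

# machine_principal REALM < klist-output
# Prints the single sAMAccountName-style principal (NAME$@REALM) that can act
# as a Kerberos client. Service principals (host/..., RestrictedKrbHost/...)
# contain a '/' and are skipped: they only serve the acceptor side.
machine_principal() {
    realm="$1"
    awk -v realm="$realm" '
        NR > 3 && $4 ~ ("^[^/]+\\$@" realm "$") { print $4; exit }
    '
}

# kinit_command REALM KEYTAB < klist-output
# Emits the kinit line to run; the principal is single-quoted because the
# trailing "$" would otherwise be expanded by the shell.
kinit_command() {
    p=$(machine_principal "$1")
    [ -n "$p" ] || { echo "no machine-account principal for realm $1 in keytab" >&2; return 1; }
    printf "kinit -kt %s '%s'\n" "$2" "$p"
}

# Stand-alone usage: prints  kinit -kt /etc/krb5.keytab 'COMP01$@COMPANY.LAN'
printf '%s\n' "$SAMPLE_KLIST" | kinit_command COMPANY.LAN /etc/krb5.keytab
```

Without an explicit principal, kinit -kt falls back to the host/<hostname> service principal, which is exactly the client the trace in the question shows the KDC rejecting.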