I want to set up a service that checks the KDC with nagios. On my KDC (samba4) I create the user with this script
#!/bin/bash
USER=nagioskerberos
DOMAIN=myhost.priv
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv
# start from a clean account: drop and recreate it with a random password that never expires
samba-tool user delete $USER
samba-tool user create $USER --random-password
samba-tool user setexpiry $USER --noexpiry
# 16 = AES256-CTS-HMAC-SHA1-96 only
net ads enctypes set $USER 16
# register the SPN on the account and export a keytab for that SPN
samba-tool spn add $SERVICE/$FQDN $USER
samba-tool domain exportkeytab $USER.keytab --principal=$SERVICE/$FQDN
Then I copy the keytab onto the nagios server and restart the service
scp nagioskerberos.keytab nagios1:
ssh nagios1
systemctl restart nagios
The permissions are fine
ls -lhd /etc/nagios/nagios.*tab
-rw------- 1 nagios nagios 101 Jul 2 02:25 /etc/nagios/nagios.keytab
The key looks fine too
klist -ke /etc/nagios/nagios.keytab
Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV (aes256-cts-hmac-sha1-96)
But when I try the check...
./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV -H samba4 -P 88
CRITICAL Getting Kerberos ticket: kinit: Client 'nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV' not found in Kerberos database while getting initial credentials (credentials for nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV from /etc/nagios/nagios.keytab)
Why?
This is the krb5.conf on both the samba4 server and the nagios server
[libdefaults]
default_realm = MYHOST.PRIV
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
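The question walks through the same checks by hand (keytab permissions, `klist -ke` output, then the kinit attempt). Below is an added example, not code from the original post, of those pre-flight checks as small POSIX shell functions that a monitoring host can run before handing a keytab to check_kdc. It assumes the `klist -ke` output layout shown above; the keytab path, principal and the constructed sample listing are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a Kerberos
# keytab before it is used by a monitoring check.
# Assumptions: `ls -l` mode string layout and the `klist -ke` output format shown
# in the question. KEYTAB / EXPECTED_PRINCIPAL below are placeholder values.

KEYTAB=/etc/nagios/nagios.keytab
EXPECTED_PRINCIPAL='nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV'
PERMITTED='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'

# Constructed sample of `klist -ke` output, used by the usage section below.
SAMPLE_LISTING='Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV (aes256-cts-hmac-sha1-96)'

# Returns 0 if the file is mode 0600 (no group/other access at all), else 1.
keytab_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Reads `klist -ke` output on stdin. Returns 0 if the expected principal ($1)
# is present with one of the space-separated permitted enctypes ($2), else 1.
keytab_listing_ok() {
    awk -v want="$1" -v perm="$2" '
        BEGIN { n = split(perm, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        # data lines look like: "2 user/host@REALM (aes256-cts-hmac-sha1-96)"
        $2 == want { gsub(/[()]/, "", $3); if ($3 in ok) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Returns 0 when the principal is a service-style name (svc/host@REALM).
# kinit uses the keytab principal as the *client* name, so this is worth
# knowing before a check fails with "Client ... not found" as in the question.
is_service_style() {
    case $1 in
        */*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage against a real host (commands commented out so the file runs offline):
#   keytab_mode_ok "$KEYTAB" || echo "keytab is readable by others"
#   klist -ke "$KEYTAB" | keytab_listing_ok "$EXPECTED_PRINCIPAL" "$PERMITTED" \
#       || echo "expected principal/enctype missing from keytab"
#   kinit -kt "$KEYTAB" "$EXPECTED_PRINCIPAL" && kdestroy
# Offline demo on the constructed listing:
printf '%s\n' "$SAMPLE_LISTING" | keytab_listing_ok "$EXPECTED_PRINCIPAL" "$PERMITTED" \
    && echo "sample listing: principal and enctype OK"
is_service_style "$EXPECTED_PRINCIPAL" \
    && echo "note: keytab principal is service-style, kinit will use it as the client name"
```

The listing check deliberately requires both the exact principal string and an enctype from the krb5.conf `permitted_enctypes` list, so a keytab exported for a different principal, or with an enctype the client will refuse, is caught before the check itself runs and reports CRITICAL.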
Found the solution.
First I change my script
from
to
I recreate the user.
Before exporting the keytab and copying it, I did this
Edit this line
Export..
Copy the keytab, restart nagios and...