Server not found in Kerberos database while getting imap credentials

When I run kvno imap/[email protected] I get the following error: kvno: Server not found in Kerberos database while getting credentials for imap/[email protected]

I will show the setup, the steps I followed and the wireshark capture, in the hope that it helps.

I have a Windows Server 2003 machine with AD, IP yyy.yyy.yyy.yyy, named win2003. The user clients run Windows with Kerberos for Windows installed and use Thunderbird as the mail client.

I also have a CentOS 6 machine, IP xxx.xxx.xxx.xxx, named prueba-mail, where Postfix + Cyrus IMAP are installed. If I run nslookup yyy.yyy.yyy.yyy from the CentOS 6 machine it works fine. If I run nslookup xxx.xxx.xxx.xxx from the Windows Server 2003 machine it works fine.

I want SSO from the Windows clients, so I followed these steps:

1) In AD I created one user per service (imap, etc.). These users have "Use DES encryption types for this account", "Do not require Kerberos preauthentication", "User cannot change password" and "Password never expires" enabled.

2) When I run setspn -L on Windows 2003 it shows the following:

host/prueba-mail.ejemplo.org
imap/prueba-mail.ejemplo.org

3) On Windows 2003 I ran the following commands:

Ktpass -princ host/[email protected] -mapuser host -pass password -crypto DES-CBC-MD5 -out UNIXhost.keytab

Ktpass -princ imap/[email protected] -mapuser imap -pass password -crypto DES-CBC-MD5 -out UNIXimap.keytab

4) I merged UNIXimap.keytab into UNIXhost.keytab, then copied UNIXhost.keytab to both /etc/krb5.keytab and /etc/krb5.keytab.cyrus, and also ran chown cyrus /etc/krb5.keytab.cyrus

Here are the configuration and the wireshark capture.

---------------------------------------- /etc/krb5.conf ----------------------------------------------------------------

[logging]
    default = /var/log/krb5libs.log
    kdc = /var/log/krb5kdc.log
    admin_server = /var/log/kadmind.log

[libdefaults]
    default_realm = EJEMPLO.ORG
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
    default_keytab_name = FILE:/etc/krb5.keytab
    allow_weak_crypto = yes

[realms]
    EJEMPLO.ORG = {
        kdc = YYY.YYY.YYY.YYY:88
        admin_server = YYY.YYY.YYY.YYY
        password_server = YYY.YYY.YYY.YYY
        default_domain = EJEMPLO.ORG
    }

[domain_realm]
    .ejemplo.org = EJEMPLO.ORG

[login]
    krb4_convert = false

---------------------------------- Request (wireshark) -------------------------------

No.     Time        Source                Destination           Protocol Info
 109625 191.215550  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       KRB5     TGS-REQ

Frame 109625 (681 bytes on wire, 681 bytes captured)
    Arrival Time: Jul 17, 2013 17:34:59.991270000
    [Time delta from previous captured frame: 0.014822000 seconds]
    [Time delta from previous displayed frame: 191.215550000 seconds]
    [Time since reference or first frame: 191.215550000 seconds]
    Frame Number: 109625
    Frame Length: 681 bytes
    Capture Length: 681 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CadmusCo_13:dd:bd (08:00:27:13:dd:bd), Dst: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
    Destination: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx), Dst: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 667
    Identification: 0x25c6 (9670)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xc79b [correct]
        [Good: True]
        [Bad : False]
    Source: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Destination: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
User Datagram Protocol, Src Port: 58345 (58345), Dst Port: kerberos (88)
    Source port: 58345 (58345)
    Destination port: kerberos (88)
    Length: 647
    Checksum: 0x4d89 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Kerberos TGS-REQ
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
        Type: PA-TGS-REQ (1)
            Value: 6E8201D6308201D2A003020105A10302010EA20703050000... AP-REQ
                Pvno: 5
                MSG Type: AP-REQ (14)
                Padding: 0
                APOptions: 00000000
                    .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                    ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                Ticket
                    Tkt-vno: 5
                    Realm: EJEMPLO.ORG
                    Server Name (Service and Instance): krbtgt/EJEMPLO.ORG
                        Name-type: Service and Instance (2)
                        Name: krbtgt
                        Name: EJEMPLO.ORG
                    enc-part rc4-hmac
                        Encryption type: rc4-hmac (23)
                        Kvno: 2
                        enc-part: 61BCF5140DC42B2D3963D13F7784BEAAFE642F9EB7ADE907...
                Authenticator rc4-hmac
                    Encryption type: rc4-hmac (23)
                    Authenticator data: AA6A2E97EF2F71052880E7004209B535DC5ACBE517063A17...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
            .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Realm: EJEMPLO.ORG
        Server Name (Principal): imap/prueba-mail.ejemplo.org
            Name-type: Principal (1)
            Name: imap
            Name: prueba-mail.ejemplo.org
        till: 2013-07-18 06:32:17 (UTC)
        Nonce: 1374093338
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)

--------------------------------- Reply (wireshark) --------------------------------------

No.     Time        Source                Destination           Protocol Info
 109626 191.217040  yyy.yyy.yyy.yyy       xxx.xxx.xxx.xxx       KRB5     KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Frame 109626 (171 bytes on wire, 171 bytes captured)
    Arrival Time: Jul 17, 2013 17:34:59.992760000
    [Time delta from previous captured frame: 0.001490000 seconds]
    [Time delta from previous displayed frame: 0.001490000 seconds]
    [Time since reference or first frame: 191.217040000 seconds]
    Frame Number: 109626
    Frame Length: 171 bytes
    Capture Length: 171 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:kerberos]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Ibm_a5:b3:46 (00:09:6b:a5:b3:46), Dst: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
    Destination: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 157
    Identification: 0x7913 (30995)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x764c [correct]
        [Good: True]
        [Bad : False]
    Source: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
    Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 58345 (58345)
    Source port: kerberos (88)
    Destination port: 58345 (58345)
    Length: 137
    Checksum: 0xa6b2 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2013-07-17 20:35:39 (UTC)
    susec: 806620
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: EJEMPLO.ORG
    Server Name (Principal): imap/prueba-mail.ejemplo.org
        Name-type: Principal (1)
        Name: imap
        Name: prueba-mail.ejemplo.org
    e-data
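
The KRB-ERROR above is the KDC's answer, and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN means the KDC could not find imap/prueba-mail.ejemplo.org in its own database; the keytab on the CentOS host plays no part in the TGS exchange, so it cannot cause that particular error. The usual next check on the service side, once the KDC does issue tickets, is to confirm that /etc/krb5.keytab really contains the SPN the client asks for, with the kvno the KDC expects and with key types that are not weak. Below is an added example (not from the original post and not MIT or Cyrus code) that parses the MIT keytab file format (version 0x0502) and audits it for exactly that. It runs on a constructed keytab whose principal names are taken from the question; the kvno of 3 and the key bytes are invented sample values, not anything from the question. The DES-CBC-MD5 keys produced by the ktpass commands above are flagged as weak, matching the allow_weak_crypto = yes that the krb5.conf needs in order to use them.

```python
import struct

# Kerberos encryption type numbers (RFC 3961 / RFC 4120 registry) seen in the capture above.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES and RC4 keys: MIT Kerberos refuses them unless allow_weak_crypto is set.
WEAK_ENCTYPES = {1, 2, 3, 23}


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT version-0x0502 keytab.
    Only used here to construct sample input; real keytabs come from ktpass/ktutil."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))            # component count (realm not counted in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type=1 (principal), timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype + counted key bytes
        body += struct.pack(">I", kvno)                      # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, enctype_name} for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                  # skip the key material; an inventory never needs it
        kvno = vno8
        if end - pos >= 4:               # 32-bit kvno, when present and non-zero, wins over vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
    return entries


def audit_keytab(data, expected_principal):
    """Check that the keytab holds the SPN the client asked for and list any weak-enctype keys."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    return {
        "present": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "weak_entries": [e for e in entries if e["enctype"] in WEAK_ENCTYPES],
    }


# Constructed sample keytab mirroring the principals from the question; kvno and keys are made up.
SAMPLE_KEYTAB = build_keytab([
    ("host/prueba-mail.ejemplo.org@EJEMPLO.ORG", 3, 3, b"\x11" * 8),
    ("imap/prueba-mail.ejemplo.org@EJEMPLO.ORG", 3, 3, b"\x22" * 8),
    ("imap/prueba-mail.ejemplo.org@EJEMPLO.ORG", 3, 18, b"\x33" * 32),
])

if __name__ == "__main__":
    # Swap SAMPLE_KEYTAB for open("/etc/krb5.keytab", "rb").read() to inspect a real file.
    report = audit_keytab(SAMPLE_KEYTAB, "imap/prueba-mail.ejemplo.org@EJEMPLO.ORG")
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("expected SPN present:", report["present"], "kvno(s):", report["kvnos"])
    print("weak-enctype entries:", len(report["weak_entries"]))
```

The realm, kvno and enctype printed for each entry are the same fields klist -kt shows, but having them as data makes it easy to compare the keytab against the Server Name and Kvno fields of a captured AP-REQ, and to spot DES or RC4 keys that will stop working once allow_weak_crypto is turned off.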
