I have run into a problem I cannot solve. I suspect I am missing something in the setup on Windows Server 2003 for a service that runs on CentOS 6.
First I will describe the environment I am working in and what I am trying to do, then the problem.
I have a Windows Server 2003 without SP1, with IP xxx.xxx.xxx.xxx and name win2003srv2.ejemplo.org.
On the same machine that has the Cyrus IMAP server I have also installed Thunderbird as a mail client for testing.
In Active Directory on the Windows Server 2003 I add a user named imap with:
Logon Name: imap/[email protected]
Logon name of user (pre-Windows 2000): EJEMPLO\imap0.
It is important that @ejemplo.org is not in uppercase, because that is the default and it cannot be changed in the new-user window.
I have already added the SPNs for imap; my list is as follows:
C:\Documents and Settings\Administrador>SETSPN -L prueba-mail
Registered ServicePrincipalNames for CN=prueba-mail,CN=Computers,DC=ejemplo,DC=org:
imap/prueba-mail.ejemplo.org:143
imap/prueba-mail
imap/prueba-mail.ejemplo.org
host/prueba-mail.ejemplo.org
host/prueba-mail
Also, on the Windows Server 2003, I generate the keytab:
C:\Documents and Settings\Administrador\Escritorio\TEST>Ktpass -princ imap/[email protected] -mapuser imap -pass zzzzz -crypto DES-CBC-MD5 -out UNIXimap.keytab
Targeting domain controller: win2003srv2.ejemplo.org
Successfully mapped host/prueba-mail.ejemplo.org to imap0.
Key created.
Output keytab to UNIXimap.keytab:
Keytab version: 0x502
keysize 65 imap/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x85589d4fef0d5e20)
Account imap0 has been set for DES-only encryption.
Then I add it to the keytab on the host where I have the IMAP server.
Problem:
When I log in with Thunderbird, I see in Wireshark (the captures are appended at the end of this post) that a TGS ticket for "imap/prueba-mail.ejemplo.org" is requested, but it is not found.
The same thing happens if I try this command:
kvno imap/[email protected]
kvno: Server not found in Kerberos database while getting credentials for imap/[email protected]
But kvno imap/[email protected] works fine:
kvno imap/[email protected]
imap/[email protected]: kvno = 59
Could this be the service it cannot find?
Why can it not find "imap/[email protected]" when it can find "imap/[email protected]"?
Below I show the contents of krb5.conf and what I captured with Wireshark; any help would be much appreciated.
------------------------- /etc/krb5.conf: ------------------------------------------------
[logging]
default = /var/log/krb5libs.log
kdc = /var/log/krb5kdc.log
admin_server = /var/log/kadmind.log
[libdefaults]
rdns = false
ignore_acceptor_hostname = true
default_realm = EJEMPLO.ORG
dns_lookup_kdc = false
dns_lookup_realm = false
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab
allow_weak_crypto = yes
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[realms]
FNR.GUB.UY = {
kdc = xxx.xxx.xxx.xxx:88
}
[domain_realm]
.fnr.gub.uy = EJEMPLO.ORG
[login]
krb4_convert = false
------------------------------------- TGS-REQ ----------------------------------------------
No. Time Source Destination Protocol Info
6083 26.329448 yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx KRB5 TGS-REQ
Frame 6083 (647 bytes on wire, 647 bytes captured)
Arrival Time: Jul 26, 2013 11:24:05.747386000
[Time delta from previous captured frame: 0.012354000 seconds]
[Time delta from previous displayed frame: 26.329448000 seconds]
[Time since reference or first frame: 26.329448000 seconds]
Frame Number: 6083
Frame Length: 647 bytes
Capture Length: 647 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: CadmusCo_13:dd:bd (08:00:27:13:dd:bd), Dst: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
Destination: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 633
Identification: 0x43c1 (17345)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xa9c2 [correct]
[Good: True]
[Bad : False]
Source: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: 58790 (58790), Dst Port: kerberos (88)
Source port: 58790 (58790)
Destination port: kerberos (88)
Length: 613
Checksum: 0x4d67 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
Type: PA-TGS-REQ (1)
Value: 6E8201C6308201C2A003020105A10302010EA20703050000... AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 00000000
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
Ticket
Tkt-vno: 5
Realm: EJEMPLO.ORG
Server Name (Service and Instance): krbtgt/EJEMPLO.ORG
Name-type: Service and Instance (2)
Name: krbtgt
Name: EJEMPLO.ORG
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 0ACDE6D2981DBF829935A102CB4A7700DD762C8CFFC4B183...
Authenticator des-cbc-md5
Encryption type: des-cbc-md5 (3)
Authenticator data: 86588D7C6AA08BE142100084FBBB0968878E567AE10228B0...
KDC_REQ_BODY
Padding: 0
KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
.1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
.... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
.... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
Realm: EJEMPLO.ORG
Server Name (Service and Host): imap/prueba-mail.ejemplo.org
Name-type: Service and Host (3)
Name: imap
Name: prueba-mail.ejemplo.org
till: 2013-07-27 00:14:39 (UTC)
Nonce: 1374848677
Encryption Types: des-cbc-md5
Encryption type: des-cbc-md5 (3)
- - - - - - - - - - - - - - - - - - - - - Reply - - - - - - - - - - - - - - - - - - - - -
No. Time Source Destination Protocol Info
6084 26.330599 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Frame 6084 (171 bytes on wire, 171 bytes captured)
Arrival Time: Jul 26, 2013 11:24:05.748537000
[Time delta from previous captured frame: 0.001151000 seconds]
[Time delta from previous displayed frame: 0.001151000 seconds]
[Time since reference or first frame: 26.330599000 seconds]
Frame Number: 6084
Frame Length: 171 bytes
Capture Length: 171 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Ibm_a5:b3:46 (00:09:6b:a5:b3:46), Dst: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
Destination: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx), Dst: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 157
Identification: 0x1ed3 (7891)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xd08c [correct]
[Good: True]
[Bad : False]
Source: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Destination: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 58790 (58790)
Source port: kerberos (88)
Destination port: 58790 (58790)
Length: 137
Checksum: 0xf316 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2013-07-26 14:24:37 (UTC)
susec: 524733
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EJEMPLO.ORG
Server Name (Service and Host): imap/prueba-mail.ejemplo.org
Name-type: Service and Host (3)
Name: imap
Name: prueba-mail.ejemplo.org
e-data
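The check a practitioner would run next on the CentOS side is to compare the keytab entries byte for byte with the name the client puts in the TGS-REQ (service imap, host prueba-mail.ejemplo.org, realm EJEMPLO.ORG in the capture above) and with the kvno and enctype the KDC is using. The following is an added example, not code from the poster or from Cyrus or MIT Kerberos: it parses the MIT 0x502 keytab format that ktpass writes and reports exact-name, case, kvno and enctype mismatches. The principal names are assumed from the capture; the key bytes, timestamps and the host entry are constructed sample data.

```python
"""Parse an MIT (0x0502) keytab and check a TGS-REQ service name against it.
Added example for this thread; names assumed from the capture, keys constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL (what ktpass writes)
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted_string(buf: bytes, off: int):
    """16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is supported")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        rec = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted_string(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_string(rec, off)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", rec, off)
        off += 4
        key = rec[off:off + keylen]
        off += keylen
        kvno = vno8
        if off + 4 <= size:          # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", rec, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: Sequence[KeytabEntry]) -> bytes:
    """Serialise entries in the same layout parse_keytab reads (used for sample data)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode("utf-8")
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_service_principal(entries: Sequence[KeytabEntry], requested: str,
                            kdc_kvno: Optional[int] = None,
                            kdc_enctypes: Sequence[int] = ()) -> List[str]:
    """Compare the TGS-REQ name (service/host@REALM, exactly as Wireshark shows it)
    with the keytab; return a list of findings, empty when everything lines up."""
    findings = []
    exact = [e for e in entries if e.principal == requested]
    if not exact:
        close = [e.principal for e in entries if e.principal.lower() == requested.lower()]
        findings.append("case mismatch: keytab has %s, client asks for %s" % (close, requested)
                        if close else "%s not in keytab" % requested)
        return findings
    if kdc_kvno is not None and not any(e.kvno == kdc_kvno for e in exact):
        findings.append("kvno mismatch: keytab %s, KDC issues %d"
                        % (sorted(e.kvno for e in exact), kdc_kvno))
    if kdc_enctypes and not any(e.enctype in kdc_enctypes for e in exact):
        findings.append("enctype mismatch: keytab %s, KDC offers %s"
                        % ([ENCTYPE_NAMES.get(e.enctype, e.enctype) for e in exact],
                           [ENCTYPE_NAMES.get(t, t) for t in kdc_enctypes]))
    return findings


# Constructed sample: the imap entry as ktpass would write it (vno 4, des-cbc-md5)
# plus a host entry; key bytes are dummies, not real keys.
SAMPLE_ENTRIES = [
    KeytabEntry("imap/prueba-mail.ejemplo.org@EJEMPLO.ORG", 1, 1374847200, 4, 3, bytes(range(8))),
    KeytabEntry("host/prueba-mail.ejemplo.org@EJEMPLO.ORG", 1, 1374847200, 2, 23, bytes(range(16))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype), e.principal)
    print(check_service_principal(parsed, "imap/prueba-mail.ejemplo.org@EJEMPLO.ORG", kdc_kvno=59))
```

To run it against the real file, replace SAMPLE_KEYTAB with `open("/etc/krb5.keytab", "rb").read()` and pass the kvno that `kvno` prints for the principal. One caveat when reading the result: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is produced by the KDC from its own database before the service's keytab is ever consulted, so a keytab that passes this check narrows the problem to the name the KDC knows on the AD side; a keytab that fails it (wrong case, wrong kvno, or a des-cbc-md5 key where the KDC issues rc4-hmac) would show up later as an AP-REQ failure in the IMAP server rather than as this KDC error.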