Mysterious kinit failure on Debian Jessie

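I have one machine with Samba 4 AD installed and another machine acting as a client. After running for two days, kinit on the client suddenly stopped working. The cause is a mystery: it cannot resolve the server's name. It gets the name bolbro.barbucha.local from the SRV record but cannot resolve its IP.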

$ KRB5_TRACE=/dev/stdout kinit test
[4841] 1389479680.105645: Getting initial credentials for [email protected]
[4841] 1389479680.106009: Sending request (172 bytes) to BARBUCHA.LOCAL
[4841] 1389479680.115312: Resolving hostname bolbro.barbucha.local.
[4841] 1389479690.122000: Resolving hostname bolbro.barbucha.local.
kinit: Cannot contact any KDC for realm 'BARBUCHA.LOCAL' while getting initial credentials

However, if I change the contents of /etc/krb5.conf, without changing anything on the server side, from:

[libdefaults]
    default_realm = BARBUCHA.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

to:

[libdefaults]
        default_realm = BARBUCHA.LOCAL
        forwardable = true
        proxiable = true
        dns_lookup_kdc = true

[realms]
        BARBUCHA.LOCAL = {
                kdc = bolbro.barbucha.local
        }

...then it works properly - the IP address gets resolved. The layman marvels, the expert is astonished. How can it resolve the name correctly?

$ KRB5_TRACE=/dev/stdout kinit test
[4881] 1389479960.11821: Getting initial credentials for [email protected]
[4881] 1389479960.12298: Sending request (172 bytes) to BARBUCHA.LOCAL
[4881] 1389479960.12412: Resolving hostname bolbro.barbucha.local
[4881] 1389479960.12828: Sending initial UDP request to dgram 10.0.0.3:88
[4881] 1389479960.17680: Received answer from dgram 10.0.0.3:88
[4881] 1389479960.25280: Response was not from master KDC
[4881] 1389479960.25313: Received error from KDC: -1765328359/Additional pre-authentication required
[4881] 1389479960.25358: Processing preauth types: 16, 15, 2, 11, 19
[4881] 1389479960.25370: Selected etype info: etype rc4-hmac, salt "", params ""
Password for [email protected]:

Also: tcpdump tells me that the SRV record was resolved to the IP address 10.0.0.3, but kinit did not use it.

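I think there is a bug somewhere, but I cannot tell whether it is on the server side or on the client side. I also don't know whether this is a DNS problem or a Kerberos problem. I searched Google for a long time. There are many possible causes, but this case is a special combination of several error states.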

However, figuring this out will be a hassle. I would appreciate any suggestions.
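
The two traces above differ in the name handed to the resolver: the failing run shows it with a trailing dot, the working run without. As an added example (not part of the original post), this Python script pulls the resolver names, contacted KDC addresses and longest pause out of a KRB5_TRACE log, then asks the system resolver for both spellings. The function names `summarize` and `resolver_view` are hypothetical, and reading the timestamp fraction as an unpadded microsecond count is an assumption based on the five-digit fractions in the second trace.

```python
import re
import socket

# Lines copied from the two KRB5_TRACE runs in the post.
FAILING = """\
[4841] 1389479680.106009: Sending request (172 bytes) to BARBUCHA.LOCAL
[4841] 1389479680.115312: Resolving hostname bolbro.barbucha.local.
[4841] 1389479690.122000: Resolving hostname bolbro.barbucha.local.
"""
WORKING = """\
[4881] 1389479960.12298: Sending request (172 bytes) to BARBUCHA.LOCAL
[4881] 1389479960.12412: Resolving hostname bolbro.barbucha.local
[4881] 1389479960.12828: Sending initial UDP request to dgram 10.0.0.3:88
"""
LINE = re.compile(r"^\[\d+\] (\d+)\.(\d+): (.*)$")
RESOLVE = re.compile(r"^Resolving hostname (\S+)$")
SEND = re.compile(r"^Sending initial \w+ request to \w+ (\S+)$")

def summarize(trace):
    """Names handed to the resolver, KDC addresses contacted, longest pause."""
    names, kdcs, longest, prev = [], [], 0.0, None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts and error lines carry no timestamp
        # Assumption: the fraction is an unpadded microsecond count.
        now = int(m.group(1)) + int(m.group(2)) / 1e6
        if prev is not None:
            longest = max(longest, now - prev)
        prev = now
        if (r := RESOLVE.match(m.group(3))):
            names.append(r.group(1))
        elif (s := SEND.match(m.group(3))):
            kdcs.append(s.group(1))
    return {"names": names, "kdcs": kdcs, "longest_pause": round(longest, 3)}

def resolver_view(name, port=88):
    """Ask the system resolver for each spelling of the name the traces show."""
    out = {}
    for form in (name.rstrip(".") + ".", name.rstrip(".")):
        try:
            infos = socket.getaddrinfo(form, port, proto=socket.IPPROTO_UDP)
            out[form] = sorted({i[4][0] for i in infos})
        except socket.gaierror as exc:
            out[form] = f"error: {exc}"
    return out

if __name__ == "__main__":
    for label, trace in (("failing", FAILING), ("working", WORKING)):
        print(label, summarize(trace))
    print(resolver_view("bolbro.barbucha.local"))  # run on the affected client
```

Run on the client, `resolver_view` shows whether the system resolver answers differently for the two spellings, which separates a name-resolution problem from a Kerberos one.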