Kerberos keytab file does not work

I have two AD domains and I am trying to use NFS with Kerberos. Part of the process requires creating keytab files for the hosts and nfs principals for the client and server separately. I use the same batch file on both DCs to create the computer and user entries in AD and the keytab files. The keytab files from one of the ADs work fine, but all keytab files from the other AD fail with:

rob@hostname: [NFS_Kerberos_Keytabs]$ kinit -V host/[email protected] -k -t hostname_host_REALM.DOM.COM.keytab  
Using default cache: /tmp/krb5cc_1000
Using principal: host/[email protected]
Using keytab: hostname_host_REALM.DOM.COM.keytab
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

When setting this up, I first created a computer entry in the database:

# extended LDIF
#
# LDAPv3
# base <cn=computers,dc=realm,dc=dom,dc=com> with scope subtree
# filter: (name=hostname)
# requesting: ALL
#

# hostname, Computers, realm.dom.com
dn: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: hostname
distinguishedName: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
instanceType: 4
whenCreated: 20160128162300.0Z
whenChanged: 20160128162300.0Z
uSNCreated: 174308
uSNChanged: 174312
name: hostname
objectGUID:: jd23ti+U/USCbuyzfWj5rQ==
userAccountControl: 4128
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 130984717800613071
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPLDEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: HOSTNAME$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Then I created a user entry:

# extended LDIF
#
# LDAPv3
# base <cn=users,dc=realm,dc=dom,dc=com> with scope subtree
# filter: (&(ObjectClass=person)(name=hostname host))
# requesting: ALL
#

# hostname host, Users, realm.dom.com
dn: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: hostname host
sn: host
givenName: hostname
distinguishedName: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
instanceType: 4
whenCreated: 20160129074155.0Z
whenChanged: 20160309164621.0Z
displayName: hostname host
uSNCreated: 174516
uSNChanged: 179340
name: hostname host
objectGUID:: Uaw7Gk2n0keDHjIAiRaPqw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131020165954163706
pwdLastSet: 131020155817310122
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPPjEAAA==
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: hostname-host
sAMAccountType: 805306368
userPrincipalName: host/[email protected]
servicePrincipalName: host/hostname.sub.dom.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Then I ran ktpass on the DC to create the keytab file:

C:\Users\rob.marshall>ktpass -princ host/[email protected] -out hostname_host_REALM.DOM.COM.keytab -mapuser [email protected] -mapOp set -crypto all -ptype KRB5_NT_PRINCIPAL +rndPass
Targeting domain controller: WIN-F2DD88GD7U9.realm.dom.com
Using legacy password setting method
Successfully mapped host/hostname.sub.dom.com to hostname-host.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to hostname_test04.keytab:
Keytab version: 0x502
keysize 70 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa219dcdc0d232a7f)
keysize 70 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa219dcdc0d232a7f)
keysize 78 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x2c3d1d1cbf52afe3a7190bdaa0107fed)
keysize 94 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x4f4b4f5d3f401c7ef885c94989e5561cc74fa607b07c6135c78450625bfb007e)
keysize 78 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x3704104525c61565296a343d6092209f)

Checking the keytab file:

rob@robs-ubuntu2: [NFS_Kerberos_Keytabs]$ klist -kte hostname_host_REALM.DOM.COM.keytab
Keytab name: FILE:hostname_host_REALM.DOM.COM.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/31/1969 19:00:00 host/[email protected] (des-cbc-crc) 
   2 12/31/1969 19:00:00 host/[email protected] (des-cbc-md5) 
   2 12/31/1969 19:00:00 host/[email protected] (arcfour-hmac) 
   2 12/31/1969 19:00:00 host/[email protected] (aes256-cts-hmac-sha1-96) 
   2 12/31/1969 19:00:00 host/[email protected] (aes128-cts-hmac-sha1-96) 

I did exactly the same thing on the other AD DC (except for the REALM), and that keytab file works fine. Does anyone know what I am doing wrong here? The AD keytab that does not work comes from a Windows system whose version is shown as "Windows Server Enterprise", copyright 2007, SP 1. The other one is Windows 2012 R2.

Thanks for the help,
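An added example, not code from the question or its author: a small Python parser for the keytab file format that ktpass reports as "Keytab version: 0x502", plus an audit that compares each entry's principal, realm and KVNO with what ktpass printed and flags single-DES keys. The sample entries are constructed; they use the servicePrincipalName shown in the question and assume the realm is the REALM.DOM.COM that appears in the keytab filename. With that principal the entry bodies come out to 70, 78 and 94 bytes for 8-, 16- and 32-byte keys, the same keysize values in the ktpass output above, which is a quick way to confirm the parser agrees with the file layout.

```python
"""Parse an MIT-format keytab (file version 0x0502, the format ktpass writes) and
audit its entries before handing the file to kinit or an NFS server.
Added example, not code from the original question."""
import struct
from dataclasses import dataclass

# RFC 3961/3962/4757 enctype numbers, the set ktpass -crypto all emits
ENCTYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str  # "comp1/comp2@REALM"
    name_type: int  # 1 == KRB5_NT_PRINCIPAL
    timestamp: int  # seconds since the Unix epoch; 0 shows as 12/31/1969 in klist (local time)
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2: realm is not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno, authoritative when nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries: list[KeytabEntry]) -> bytes:
    """Inverse of parse_keytab; used to construct sample input offline."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data: bytes, expected_principal: str, kdc_kvno: int) -> list[str]:
    """Cross-check each entry against the principal and kvno the KDC (ktpass) reported."""
    problems = []
    for e in parse_keytab(data):
        label = f"{e.principal} ({ENCTYPE_NAMES.get(e.enctype, hex(e.enctype))})"
        if e.principal != expected_principal:  # realm and name compare case-sensitively
            problems.append(f"{label}: principal differs from {expected_principal}")
        if e.kvno != kdc_kvno:
            problems.append(f"{label}: kvno {e.kvno} != KDC kvno {kdc_kvno}")
        if e.enctype in (0x01, 0x03):
            problems.append(f"{label}: single-DES key; modern KDCs disable it by default")
    return problems
```

To audit a real file, call `audit_keytab(open("hostname_host_REALM.DOM.COM.keytab", "rb").read(), "host/hostname.sub.dom.com@REALM.DOM.COM", 3)` with the vno value ktpass printed; an empty list means every entry carries the expected principal and KVNO and no DES-only keys are present, while a KVNO mismatch between the file and the KDC is exactly the kind of difference that makes a KDC refuse the key even though klist lists the principal.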
