Why is my sshd looking for the wrong kvno in the keytab?


My FreeBSD machine uses the Heimdal Kerberos implementation. It is registered in the corporate AD, with its msDS-KeyVersionNumber attribute set to 2, and its keytab has the following entries:

FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                 Aliases
  2  aes256-cts-hmac-sha1-96  [email protected]                       
  2  aes128-cts-hmac-sha1-96  [email protected]                       
  2  des3-cbc-sha1            [email protected]                       
  2  arcfour-hmac-md5         [email protected]                       
  2  des-cbc-md5              [email protected]                       
  2  des-cbc-crc              [email protected]                       
  2  aes256-cts-hmac-sha1-96  host/[email protected]  
  2  aes128-cts-hmac-sha1-96  host/[email protected]  
  2  des3-cbc-sha1            host/[email protected]  
  2  arcfour-hmac-md5         host/[email protected]  
  2  des-cbc-md5              host/[email protected]  
  2  des-cbc-crc              host/[email protected]  
  2  aes256-cts-hmac-sha1-96  nfs/[email protected]                    
  2  aes128-cts-hmac-sha1-96  nfs/[email protected]                    
  2  des3-cbc-sha1            nfs/[email protected]                    
  2  arcfour-hmac-md5         nfs/[email protected]                    
  2  des-cbc-md5              nfs/[email protected]                    
  2  des-cbc-crc              nfs/[email protected]                    
  2  aes256-cts-hmac-sha1-96  nfs/[email protected]   
  2  aes128-cts-hmac-sha1-96  nfs/[email protected]   
  2  des3-cbc-sha1            nfs/[email protected]   
  2  arcfour-hmac-md5         nfs/[email protected]   
  2  des-cbc-md5              nfs/[email protected]   
  2  des-cbc-crc              nfs/[email protected]   
  2  aes256-cts-hmac-sha1-96  http/[email protected]                   
  2  aes128-cts-hmac-sha1-96  http/[email protected]                   
  2  des3-cbc-sha1            http/[email protected]                   
  2  arcfour-hmac-md5         http/[email protected]                   
  2  des-cbc-md5              http/[email protected]                   
  2  des-cbc-crc              http/[email protected]                   
  2  aes256-cts-hmac-sha1-96  http/[email protected]
  2  aes128-cts-hmac-sha1-96  http/[email protected]  
  2  des3-cbc-sha1            http/[email protected]  
  2  arcfour-hmac-md5         http/[email protected]  
  2  des-cbc-md5              http/[email protected]  
  2  des-cbc-crc              http/[email protected]  
  2  aes256-cts-hmac-sha1-96  ftp/[email protected]                    
  2  aes128-cts-hmac-sha1-96  ftp/[email protected]                    
  2  des3-cbc-sha1            ftp/[email protected]                    
  2  arcfour-hmac-md5         ftp/[email protected]                    
  2  des-cbc-md5              ftp/[email protected]                    
  2  des-cbc-crc              ftp/[email protected]                    
  2  aes256-cts-hmac-sha1-96  ftp/[email protected]   
  2  aes128-cts-hmac-sha1-96  ftp/[email protected]   
  2  des3-cbc-sha1            ftp/[email protected]   
  2  arcfour-hmac-md5         ftp/[email protected]   
  2  des-cbc-md5              ftp/[email protected]   
  2  des-cbc-crc              ftp/[email protected]   
  2  aes256-cts-hmac-sha1-96  cifs/[email protected]                   
  2  aes128-cts-hmac-sha1-96  cifs/[email protected]                   
  2  des3-cbc-sha1            cifs/[email protected]                   
  2  arcfour-hmac-md5         cifs/[email protected]                   
  2  des-cbc-md5              cifs/[email protected]                   
  2  des-cbc-crc              cifs/[email protected]                   
  2  aes256-cts-hmac-sha1-96  cifs/[email protected]  
  2  aes128-cts-hmac-sha1-96  cifs/[email protected]  
  2  des3-cbc-sha1            cifs/[email protected]  
  2  arcfour-hmac-md5         cifs/[email protected]  
  2  des-cbc-md5              cifs/[email protected]  
  2  des-cbc-crc              cifs/[email protected]  

However, attempts to log in from other hosts using GSSAPI authentication fail. When sshd is run with the -d option, I see the following error message:

Failed to find host/[email protected](kvno 10) in keytab FILE:/etc/krb5.keytab (aes256-cts-hmac-sha1-96)

Why is it looking for kvno 10 rather than 2?
