I am trying to get a Kerberos KDC server up and running, but somehow I am stuck on accessing the KDC service remotely. When I try "kinit" from another Linux (Debian Stretch) system, I always get the error "kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials".
The KDC and admin services are installed on a Debian Stretch (9.3) system with all packages up to date. An overview of the relevant configuration files follows.
KDC server configuration
First the Kerberos server with a fixed IP address (FQDN: kdc.domain.tld), whose hostname is in the DNS zone file (and in the reverse zone). I installed the Kerberos packages with the following command:
$ sudo apt-get install krb5-{admin-server,kdc} -y
Relevant configuration files
/etc/hosts
127.0.0.1 localhost
192.168.1.2 client.domain.tld client
192.168.1.3 kdc.domain.tld kdc
/etc/resolv.conf
domain domain.tld
search domain.tld
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.TLD
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
DOMAIN.TLD = {
kdc = kdc.domain.tld
admin_server = kdc.domain.tld
default_domain = domain.tld
}
[domain_realm]
.domain.tld = DOMAIN.TLD
domain.tld = DOMAIN.TLD
[logging]
default = FILE:/var/log/kerberos/krb5-libs.log
kdc = FILE:/var/log/kerberos/krb5-kdc.log
admin_server = FILE:/var/log/kerberos/krb5-admin.log
kadmin.local listprincs output
K/[email protected]
userid/[email protected]
[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
The firewall is "off":
$ iptables -S (on the KDC server, where I've disabled ufw):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
The KDC service is listening on port 88:
$ netstat -antup | grep krb (output on the KDC server):
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 528/krb5kdc
tcp6 0 0 :::88 :::* LISTEN 528/krb5kdc
udp 0 0 0.0.0.0:750 0.0.0.0:* 528/krb5kdc
udp 0 0 0.0.0.0:88 0.0.0.0:* 528/krb5kdc
udp6 0 0 :::750 :::* 528/krb5kdc
udp6 0 0 :::88 :::* 528/krb5kdc
When I run "kinit" on the KDC server itself, it works as expected:
$ KRB5_TRACE=/dev/stdout kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: [email protected]
Getting initial credentials for [email protected]
Sending request (181 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Received answer (274 bytes) from dgram 192.168.1.3:88
Response was not from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
Processing preauth types: 136, 19, 2, 133
Selected etype info: etype aes256-cts, salt "DOMAIN.TLDuserid", params ""
Received cookie: MIT
Password for [email protected]:
AS key obtained for encrypted timestamp: aes256-cts/000C
...etc
And there is a ticket in the cache:
$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
mm/dd/yyyy hh:mm:ss mm/dd/yyyy hh:mm:ss krbtgt/[email protected]
renew until mm/dd/yyyy hh:mm:ss, Flags: FPRIA
Client configuration
On the client, where I installed "krb5-user" and copied the "/etc/krb5.conf" file over from the server, I have the following configuration:
/etc/hosts
127.0.0.1 localhost
192.168.1.2 client.domain.tld client
192.168.1.3 kdc.domain.tld kdc
/etc/resolv.conf
domain domain.tld
search domain.tld
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
The server is reachable and the name resolves:
$ ping -c1 kdc.domain.tld (from the client Linux system):
PING kdc.domain.tld (192.168.1.3) 56(84) bytes of data.
64 bytes from kdc.domain.tld (192.168.1.3): icmp_seq=1 ttl=64 time=0.231 ms
--- kdc.domain.tld ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms
And the firewall on the client is also "off":
$ iptables -S (on the KDC server, where I've disabled ufw):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
When I run the kinit command on the client, the output is:
$ KRB5_TRACE=/dev/stdout kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: [email protected]
Getting initial credentials for [email protected]
Sending request (175 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:750
Initiating TCP connection to stream 192.168.1.3:88
Terminating TCP connection to stream 192.168.1.3:88
kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials
The response comes back immediately, as if the port were blocked, but the firewalls on both systems are "off". Also, there is nothing in the log files. An nmap from the client shows the Kerberos port as somehow closed. Is this because the KDC service does not like the message being sent?
$ nmap -v -A --version-all -p88 kdc.domain.tld
...
Nmap scan report for kdc.domain.tld (192.168.1.3)
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
88/tcp closed kerberos-sec
...
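As an added diagnostic that is not part of the question (example code, not the poster's): it parses the [realms] block of the posted krb5.conf and probes each configured KDC over TCP port 88, the step at which the client trace above gives up, distinguishing a refused connect (what nmap reports as "closed") from a timed-out one (nmap "filtered"). It probes TCP only, because the UDP ports kinit tried first (88 and 750) only answer a real Kerberos request; the embedded krb5.conf text is a constructed copy of the question's [realms] section.

```python
import re
import socket
# Constructed input: a copy of the [realms] block from the question.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.TLD
[realms]
DOMAIN.TLD = {
kdc = kdc.domain.tld
admin_server = kdc.domain.tld
}
"""

def parse_realms(text):
    """{realm: {key: [values]}} from [realms]; krb5.conf is not INI, realm bodies are brace-delimited."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, current = m.group(1), None
        elif section == "realms":
            m = re.match(r"^([\w.-]+)\s*=\s*\{$", line)
            if m:  # start of a "REALM = {" body
                current = realms.setdefault(m.group(1), {})
            elif line == "}":
                current = None
            elif current is not None and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                current.setdefault(key, []).append(value)
    return realms

def kdc_endpoints(realms, realm):
    """(host, port) pairs kinit will try for the realm; 'kdc = host:port' is honoured, the default port is 88."""
    entries = [e.partition(":") for e in realms.get(realm, {}).get("kdc", [])]
    return [(host, int(port) if port else 88) for host, _, port in entries]

def check_tcp(host, port, timeout=2.0):
    """'open' on a completed handshake, 'refused' on RST (nmap 'closed'), 'timeout' on silence (nmap 'filtered'), 'unresolved' on DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout and unreachable-network errors
        return "timeout"
```

Running `check_tcp(host, port)` for each pair from `kdc_endpoints(parse_realms(open("/etc/krb5.conf").read()), "DOMAIN.TLD")` on the client gives the same verdict as the nmap scan, but from the library's own view of the configuration.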