命令
sudo kprop -r MY.DOMAIN -f /var/lib/krb5kdc/slave_datatrans slave_kdc.my.domain
返回
kprop: Key table entry not found while getting initial credentials
这是在两台 Linux Debian 服务器上的新安装。 master_kdc 似乎可以工作,但我无法使数据库传播。我手动复制了数据库转储并将其加载到 slave_kdc 上,但传播仍然不起作用。
/etc/krb5.conf
[libdefaults]
default_realm = MY.DOMAIN
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
MY.DOMAIN = {
kdc = master_kdc.my.domain
kdc = slave_kdc.my.domain
admin_server = master_kdc.my.domain
}
[domain_realm]
.my.domain = MY.DOMAIN
my.domain = MY.DOMAIN
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
MY.DOMAIN = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/krb6kdc/kadm5/acl
john/[email protected] *
/etc/krb5kdc/kpropd.acl
host/[email protected]
host/[email protected]
我安装了 xinetd 并创建了以下文件,然后启用并启动了 xinetd 服务。/etc/xinetd.d/krb5_prop
service krb5_prop
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/kpropd
}
sudo cat /etc/services | grep krb5 的结果
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
krb5_prop 754/tcp krb-prop krb_prop hprop # Kerberos slave propagation
我复制数据库后在 master_kdc 和 slave_kdc 上生成了 /etc/krb5.keytab 文件。
kadmin: ktadd host/slave_kdc.my.domain
没有任何记录(我不知道为什么)。
/etc/bind/zones/db.my.domain
$TTL 604800
@ IN SOA master_kdc.my.domain. john.my.domain. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Name servers - NS records
@ IN NS master_kdc.my.domain.
@ IN NS slave_kdc.my.domain.
; Name servers - A records
master_kdc IN A AAA.BBB.CCC.DD1
slave_kdc IN A AAA.BBB.CCC.DD2
; Kerberos services
_kerberos._udp.MY.DOMAIN. IN SRV 1 0 88 master_kdc.my.domain.
_kerberos._tcp.MY.DOMAIN. IN SRV 1 0 88 master_kdc.my.domain.
_kerberos._udp.MY.DOMAIN. IN SRV 10 0 88 slave_kdc.my.domain.
_kerberos._tcp.MY.DOMAIN. IN SRV 10 0 88 slave_kdc.my.domain.
_kerberos-adm._tcp.MY.DOMAIN. IN SRV 1 0 749 master_kdc.my.domain.
_kpasswd._udp.MY.DOMAIN. IN SRV 1 0 464 master_kdc.my.domain.
/etc/bind/zones/db.AAA
$TTL 604800
@ IN SOA master_kdc.my.domain. john.my.domain. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Name servers - NS records
@ IN NS master_kdc.my.domain.
@ IN NS slave_kdc.my.domain.
master_kdc IN A AAA.BBB.CCC.DD1
slave_kdc IN A AAA.BBB.CCC.DD2
; Name servers - PTR records
DD1 IN PTR master_kdc.my.domain.
DD2 IN PTR slave_kdc.my.domain.
答案1
我花了几个小时来解决这个完全相同的问题。最后通过以下步骤解决了:
- 创建主主机主体“addprinc host/mastr.commain.com”
- 在主服务器上,将主主机主体“ktadd host/mastr.commain.com”添加到 keytab
显然,kprop 使用“kinit -k”来获取票证,并且只有当您在 keytab 中拥有主主机条目时才有效。