I am setting up SSSD + Samba + SSH on CentOS 7.6. So far I have managed to get all 3 at least working. SSSD is configured and joined with realm join. Samba is configured and joined to AD with net ads join. However, for some reason I cannot get GSSAPI authentication to work with this combination. SSH keeps complaining about keytab ticket problems. First I noticed that the kvno numbers were out of sync. SSH was trying to use kvno 2, while the server had kvno 4. This caused GSSAPI authentication to fail and fall back to password login, which works.
secure log
Apr 13 01:33:17 test-server sshd[10827]: debug1: Unspecified GSS failure. Minor code may provide more information\nRequest ticket server host/[email protected] kvno 2 not found in keytab; ticket is likely out of date\n
klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 04/13/2019 01:21:34 [email protected]
4 04/13/2019 01:21:34 [email protected]
4 04/13/2019 01:21:34 [email protected]
4 04/13/2019 01:21:34 [email protected]
4 04/13/2019 01:21:34 [email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 host/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 host/[email protected]
5 04/13/2019 01:27:02 [email protected]
5 04/13/2019 01:27:02 [email protected]
5 04/13/2019 01:27:02 [email protected]
5 04/13/2019 01:27:02 [email protected]
5 04/13/2019 01:27:02 [email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
I am sure this is because I did not delete the computer object from AD, although I don't know why SSH does not try to match the current kvno. I verified that AD returns the correct number. After deleting the computer object I repeated the join steps. That recreated the computer object and reset the kvno to 2. Now, however, SSH complains that the keytab entry is encrypted with aes256-cts and it cannot decrypt it.
secure log
Apr 13 02:01:35 test-server sshd[13788]: debug1: Unspecified GSS failure. Minor code may provide more information\nRequest ticket server host/[email protected] kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket\n
klist -kt -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04/13/2019 02:00:54 [email protected] (des-cbc-crc)
2 04/13/2019 02:00:54 [email protected] (des-cbc-md5)
2 04/13/2019 02:00:54 [email protected] (arcfour-hmac)
2 04/13/2019 02:00:54 [email protected] (aes128-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 [email protected] (aes256-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 host/[email protected] (des-cbc-crc)
2 04/13/2019 02:00:54 host/[email protected] (des-cbc-md5)
2 04/13/2019 02:00:54 host/[email protected] (arcfour-hmac)
2 04/13/2019 02:00:54 host/[email protected] (aes128-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 host/[email protected] (aes256-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 host/[email protected] (des-cbc-crc)
2 04/13/2019 02:00:54 host/[email protected] (des-cbc-md5)
2 04/13/2019 02:00:54 host/[email protected] (arcfour-hmac)
2 04/13/2019 02:00:54 host/[email protected] (aes128-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 host/[email protected] (aes256-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-crc)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-md5)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (arcfour-hmac)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-crc)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-md5)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (arcfour-hmac)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (arcfour-hmac)
3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (arcfour-hmac)
3 04/13/2019 02:01:10 host/[email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 host/[email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 host/[email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 host/[email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 host/[email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 host/[email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 host/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 host/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 host/[email protected] (arcfour-hmac)
3 04/13/2019 02:01:10 host/[email protected] (arcfour-hmac)
3 04/13/2019 02:01:10 [email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 [email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 [email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 [email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 [email protected] (arcfour-hmac)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-crc)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-md5)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (arcfour-hmac)
3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (arcfour-hmac)
So what exactly am I doing wrong? Should SSH always be using kvno 2? What encryption should the keytab entries use so that SSH can read them? How do I configure that encryption?
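The two sshd messages quoted above describe two different failures: "kvno 2 not found in keytab" means the keytab has no entry for that principal at that key version at all, while "found in keytab but cannot decrypt ticket" means an entry with the right principal, kvno and enctype exists but its key bytes are not the key the KDC used, which a kvno comparison alone cannot detect. The following script, an added example that is not part of the question or its logs, checks a klist -kte listing offline for both cases and also flags DES/RC4 keys. The sample listing is constructed; the hostname test-server.example.com, the realm EXAMPLE.COM and the timestamps are assumptions, because the principals in the listings above are redacted.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks over klist -kte output.
# Hostname test-server.example.com, realm EXAMPLE.COM and timestamps are assumed.

# Constructed sample in the column layout klist -kte prints
# (KVNO, date, time, principal, enctype). Two joins left kvno 2 and 3 side by side.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (arcfour-hmac)
   2 04/13/2019 02:00:54 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 04/13/2019 02:00:54 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 TEST-SERVER$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Highest kvno the keytab holds for one principal; prints nothing if absent.
# Usage: klist -kte | keytab_max_kvno 'host/fqdn@REALM'
keytab_max_kvno() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $4 == want { if ($1 + 0 > max) max = $1 + 0; seen = 1 }
        END { if (seen) print max }'
}

# Distinct kvnos present for a principal, one per line, ascending.
keytab_kvnos() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $4 == want { print $1 + 0 }' | sort -n -u
}

# Compare the kvno from sshd's "Request ticket server ... kvno N" line with the
# keytab on stdin. Exit 0 only when an entry for that kvno exists; otherwise say
# whether the keytab is ahead of or behind the ticket.
# Usage: klist -kte | keytab_check_kvno 'host/fqdn@REALM' 2
keytab_check_kvno() {
    awk -v want="$1" -v tk="$2" '
        $1 ~ /^[0-9]+$/ && $4 == want { have[$1 + 0] = 1; if ($1 + 0 > max) max = $1 + 0 }
        END {
            if (!max)       { print "MISSING: no entry for " want; exit 1 }
            if (tk in have) { print "OK: kvno " tk " present for " want " (if sshd still fails, the key bytes differ from AD)"; exit 0 }
            if (max > tk)   { print "AHEAD: keytab newest kvno " max ", ticket kvno " tk " (ticket issued before the keytab was rewritten)"; exit 1 }
            print "BEHIND: keytab newest kvno " max ", ticket kvno " tk " (AD password changed after the keytab was written)"; exit 1
        }'
}

# Entries keyed with DES or RC4. A weak key in the keytab only matters if the
# KDC can still issue tickets with it, which the computer object's
# msDS-SupportedEncryptionTypes attribute controls; list them so they get reviewed.
keytab_weak_entries() {
    awk '$1 ~ /^[0-9]+$/ && $5 ~ /^\((des-cbc|arcfour)/'
}

# Demo against the constructed sample: prints OK, BEHIND, AHEAD, then two weak entries.
for k in 2 4 1; do
    printf '%s\n' "$SAMPLE_KLIST" | keytab_check_kvno 'host/test-server.example.com@EXAMPLE.COM' "$k" || :
done
printf '%s\n' "$SAMPLE_KLIST" | keytab_weak_entries
```

On a live host replace the sample with the real listing: klist -kte | keytab_check_kvno "host/$(hostname -f)@EXAMPLE.COM" 2, using the kvno from the sshd line. An OK result that still fails in sshd is the "cannot decrypt" case, which only a rejoin that writes the keytab and the AD password from the same tool can fix.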
Answer 1
It sounds like domain username and password authentication works fine as long as the user types in a name and password. As you found, GSSAPI authentication is a bit trickier.
What does kinit -k $( hostname -f )@EXAMPLE.COM return?
To reset the machine password, I like to use msktutil (from EPEL):
kdestroy -A
kinit domainadmin
msktutil -f -s host
msktutil -u -s host
kinit -k "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$@EXAMPLE.COM"   # machine account principal SHORTNAME$@EXAMPLE.COM; the \$ keeps the shell from expanding $@
Source: my blog post: https://bgstack15.wordpress.com/2018/09/06/kerberos-notes-and-sssd-internal-credentials-cache-error/
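The reset above is only half of the job; the other half is proving that the new keytab is the one the KDC now expects before touching sshd again. The script below is an added example, not code from the answer or from its linked blog post. It wraps the answer's msktutil sequence and then does what sshd does with a GSSAPI login: obtain a TGT from the keytab as the machine account, fetch a service ticket for host/<fqdn>, and decrypt that ticket with the same keytab using MIT kvno -k, so a kvno or key mismatch fails here with a direct message. ad_kvno reads msDS-KeyVersionNumber from the computer object so it can be compared with the newest KVNO in klist -kte. It assumes MIT Kerberos client tools, msktutil and, for ad_kvno only, OpenLDAP's ldapsearch; the realm, admin principal, DC hostname and base DN are arguments supplied by the caller, and nothing runs on load.

```shell
#!/bin/sh
# Added example, not code from the answer or its blog post. Wraps the msktutil
# reset with the verification sshd would otherwise do for you. Assumes MIT
# Kerberos client tools (kinit, kvno, kdestroy), msktutil and, for ad_kvno,
# OpenLDAP ldapsearch. Realm, admin, DC and base DN are caller-supplied.

# AD machine-account principal: uppercase short hostname, trailing "$", realm.
machine_principal() {                  # machine_principal fqdn REALM
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
}

# Service principal sshd looks up for GSSAPI logins to this host.
host_principal() {                     # host_principal fqdn REALM
    printf 'host/%s@%s\n' "$1" "$2"
}

# Live check in a private credential cache: TGT as the machine account from the
# keytab, then a ticket for host/<fqdn> that kvno -k must decrypt with that same
# keytab. Exit status is 0 only when both steps succeed; the cache is destroyed
# on the way out and the caller's KRB5CCNAME is left untouched (subshell).
verify_host_keytab() {                 # verify_host_keytab REALM [keytab]
    realm=$1; kt=${2:-/etc/krb5.keytab}; fqdn=$(hostname -f)
    (
        cc=$(mktemp) || exit 1
        KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
        trap 'kdestroy -q; rm -f "$cc"' EXIT
        kinit -kt "$kt" "$(machine_principal "$fqdn" "$realm")" &&
        kvno -k "$kt" "$(host_principal "$fqdn" "$realm")"
    )
}

# What the KDC thinks the key version is: msDS-KeyVersionNumber on the computer
# object, read over LDAP with whatever credentials are in the current cache.
# After a successful reset it must equal the newest KVNO that klist -kte shows.
ad_kvno() {                            # ad_kvno dc.example.com 'DC=example,DC=com' fqdn REALM
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b "$2" \
        "(sAMAccountName=$(machine_principal "$3" "$4" | cut -d@ -f1))" msDS-KeyVersionNumber |
        awk '/^msDS-KeyVersionNumber:/ { print $2 }'
}

# The answer's reset sequence, stopping at the first failure and verifying after.
# Usage: reset_machine_keytab EXAMPLE.COM domainadmin
reset_machine_keytab() {
    realm=$1; admin=$2
    kdestroy -A
    kinit "$admin"       || { echo "admin kinit failed" >&2; return 1; }
    msktutil -f -s host  || { echo "msktutil flush failed" >&2; return 1; }
    msktutil -u -s host  || { echo "msktutil update failed" >&2; return 1; }
    verify_host_keytab "$realm"
}
# Nothing is executed on load. Source the file, then e.g.:
#   verify_host_keytab EXAMPLE.COM
#   reset_machine_keytab EXAMPLE.COM domainadmin
```

The verify step deliberately runs before any sshd restart: if kvno -k cannot decrypt the ticket, the keytab and the AD password disagree and sshd will log the same "cannot decrypt ticket" line as in the question, so there is nothing to gain from retrying the login first.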