SSSD+Samba+SSH GSSAPI authentication problem

I am setting up SSSD+Samba+SSH on CentOS 7.6. So far I have managed to get all 3 at least working. SSSD is configured and joined using realm join. Samba is configured and connected to AD using net ads join. However, for some reason I cannot get GSSAPI authentication to work with this combination. SSH keeps complaining about keytab ticket problems. First, I noticed the kvno numbers were out of sync: SSH was trying to use kvno 2 while the server has kvno 4. This causes GSSAPI authentication to fail and fall back to password login, which works.

Secure log

Apr 13 01:33:17 test-server sshd[10827]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/[email protected] kvno 2 not found in keytab; ticket is likely out of date\n

klist -kt

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 [email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 host/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   4 04/13/2019 01:21:34 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 restrictedkrbhost/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 host/[email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 [email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]
   5 04/13/2019 01:27:02 RestrictedKrbHost/[email protected]

I figured this was because I had not removed the computer object from AD, although I do not know why SSH does not try to match the current kvno. I verified that AD returns the correct number. After deleting the computer object I repeated the join steps. That recreated the computer object and reset the kvno to 2. But now SSH complains that the keytab entry is encrypted with aes256-cts and it cannot decrypt the ticket.

Secure log

Apr 13 02:01:35 test-server sshd[13788]: debug1: Unspecified GSS failure.  Minor code may provide more information\nRequest ticket server host/[email protected] kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket\n

klist -kt -e

Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/13/2019 02:00:54 [email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 [email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 [email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 [email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 [email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 host/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 host/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 host/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 host/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 host/[email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-crc)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (des-cbc-md5)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (arcfour-hmac)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   2 04/13/2019 02:00:54 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 restrictedkrbhost/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 host/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 host/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 host/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 host/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 [email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 [email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 [email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 [email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 [email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-crc)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (des-cbc-md5)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (arcfour-hmac)
   3 04/13/2019 02:01:10 RestrictedKrbHost/[email protected] (arcfour-hmac)

So what exactly am I doing wrong? Should SSH always use kvno 2? What encryption should the keytab entries use so that SSH can read them? How do I configure that encryption?
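As an added example (not part of the question or the answer), a small Python helper that parses klist -kte output and the "Request ticket server ... kvno N" text that sshd logs, and tells apart the two keytab failure modes seen above: a kvno the keytab does not hold versus a matching entry whose key bytes no longer agree with the KDC. The host name, realm and sample lines are constructed placeholders, not values from a real domain.

```python
import re
# Constructed sample of `klist -kte` output, modelled on the listing in the question.
# Host name and realm are placeholders, not values from a real domain.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 04/13/2019 01:21:34 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 04/13/2019 01:27:02 host/test-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
# Constructed sshd debug line with the same shape as the one quoted in the question.
SAMPLE_SSHD = ("sshd[10827]: debug1: Unspecified GSS failure.  Minor code may provide more "
               "information\\nRequest ticket server host/test-server.example.com@EXAMPLE.COM"
               " kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket\\n")

# sshd reports MIT's short enctype names; `klist -e` prints the long ones.
ENCTYPE_ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
                   "aes128-cts": "aes128-cts-hmac-sha1-96", "rc4-hmac": "arcfour-hmac"}
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+?)(?: \((\S+)\))?\s*$")
SSHD_RE = re.compile(r"Request ticket server (\S+) kvno (\d+)(?: enctype (\S+))?")

def parse_klist(text):
    """Return (kvno, principal, enctype-or-None) tuples from `klist -kt[e]` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KLIST_RE.match, text.splitlines()) if m]

def parse_sshd_error(line):
    """Extract (principal, kvno, enctype-or-None) from the GSS minor code sshd logs."""
    m = SSHD_RE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def diagnose(entries, principal, kvno, enctype=None):
    """Classify the keytab side of a GSSAPI failure for one service ticket."""
    mine = [(k, e) for k, p, e in entries if p == principal]
    if not mine:                 # the join never registered this SPN in the keytab
        return "principal-missing"
    if kvno not in {k for k, _ in mine}:
        # ticket issued against a key version the keytab lacks: stale ticket, or the host
        # was re-keyed / the computer object recreated (the first error in the question)
        return "kvno-not-found"
    want = ENCTYPE_ALIASES.get(enctype, enctype)
    if enctype and not any(k == kvno and e == want for k, e in mine):
        return "enctype-missing"  # right kvno, but no key of the ticket's enctype
    # Matching entry exists; if sshd still says "cannot decrypt ticket" (second error in
    # the question), the key bytes differ from the KDC's and the keytab must be regenerated.
    return "key-present"

def diagnose_log_line(line, klist_text=SAMPLE_KLIST):
    parsed = parse_sshd_error(line)
    return None if parsed is None else diagnose(parse_klist(klist_text), *parsed)
```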

Answer 1

It sounds like domain username and password authentication works fine as long as the user types a name and a password. As you have discovered, GSSAPI authentication is a bit trickier.

What does kinit -k $( hostname -f )@EXAMPLE.COM return?

To reset the machine password, I like to use msktutil (from EPEL):

kdestroy -A                      # drop every cached credential first
kinit domainadmin                # obtain a TGT as an account allowed to reset the machine account
msktutil -f -s host              # flush the existing host service principal entries
msktutil -u -s host              # reset the machine password and write fresh host/ keys to the keytab
kinit -k "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\[email protected]"   # verify the new keytab works

Source: my blog post: https://bgstack15.wordpress.com/2018/09/06/kerberos-notes-and-sssd-internal-credentials-cache-error/
