Active Directory and Active Directory Trust

We have 2 forests/domains: ad.local (not managed by us) and ad2.local (managed by us).

We have established a two-way trust between them.

Now suppose I have an application on a server joined to ad2.local: application.ad2.local

This application accepts LDAP or Kerberos (using Apache).

As far as I know, trusted users cannot be queried via LDAP (correct me if I'm wrong), so we use Kerberos.

So far I have managed to log in with a user from ad2.local, but not yet with a user from ad.local.

When I try to log in with a user from ad.local I get the following error:

[Thu Mar 19 11:07:48.155074 2020] [authz_core:debug] [pid 20267] mod_authz_core.c(809): [client IP:33274] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Mar 19 11:07:48.155213 2020] [authz_core:debug] [pid 20267] mod_authz_core.c(809): [client IP:33274] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Mar 19 11:07:48.155248 2020] [auth_kerb:debug] [pid 20267] src/mod_auth_kerb.c(1954): [client IP:33274] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Mar 19 11:07:55.188879 2020] [authz_core:debug] [pid 3421] mod_authz_core.c(809): [client IP:33346] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Mar 19 11:07:55.188985 2020] [authz_core:debug] [pid 3421] mod_authz_core.c(809): [client IP:33346] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Mar 19 11:07:55.189019 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1954): [client IP:33346] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Mar 19 11:07:56.083017 2020] [authz_core:debug] [pid 3421] mod_authz_core.c(809): [client IP:33346] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Mar 19 11:07:56.083102 2020] [authz_core:debug] [pid 3421] mod_authz_core.c(809): [client IP:33346] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Mar 19 11:07:56.083137 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1954): [client IP:33346] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Mar 19 11:07:56.083286 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1295): [client IP:33346] Acquiring creds for HTTP@APP_FQDN
[Thu Mar 19 11:07:56.087966 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1708): [client IP:33346] Verifying client data using KRB5 GSS-API
[Thu Mar 19 11:07:56.088023 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1724): [client IP:33346] Client didn't delegate us their credential
[Thu Mar 19 11:07:56.088038 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1752): [client IP:33346] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Thu Mar 19 11:07:56.088053 2020] [auth_kerb:debug] [pid 3421] src/mod_auth_kerb.c(1155): [client IP:33346] GSS-API major_status:00010000, minor_status:00000000
[Thu Mar 19 11:07:56.088182 2020] [auth_kerb:error] [pid 3421] [client IP:33346] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

Here is my Apache configuration:

<Location /application>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd  On
  KrbSaveCredentials Off
  KrbAuthRealms AD.LOCAL AD2.LOCAL
  Krb5KeyTab /etc/kerberos.keytab
  KrbLocalUserMapping On
  require valid-user
</Location>

and /etc/krb5.conf:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = AD2.LOCAL
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 AD2.LOCAL = {
  kdc = dc.AD2.LOCAL
#  auth_to_local = RULE:[1:$1@$0](^.*@AD.LOCAL$)s/@AD.LOCAL/@ad.local/
#  auth_to_local = DEFAULT
 }

 AD.LOCAL = {
  kdc = master.ad.local
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 ad2.local = AD2.LOCAL
 .ad2.local = AD2.LOCAL
 ad.local  = AD.LOCAL
 .ad.local = AD.LOCAL

Does anyone know what the problem might be?
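As an added example (not code from the original post), here is a small server-side check that tells whether the token in an Authorization: Negotiate header is NTLM, SPNEGO or a raw Kerberos 5 token, which is the distinction behind the "received token seems to be NTLM" warning in the log above. The sample headers are constructed; only their leading bytes matter for the classification.

```python
import base64

# Added example, not code from the original post. An NTLMSSP message always
# begins with the signature "NTLMSSP\0"; a GSS-API initial token is a DER
# APPLICATION [0] (tag 0x60) whose first element is the mechanism OID.
NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)


def _after_der_length(token: bytes, pos: int) -> bytes:
    """Return the bytes that follow the DER length field starting at pos."""
    first = token[pos]
    if first < 0x80:                          # short form: one length byte
        return token[pos + 1:]
    return token[pos + 1 + (first & 0x7F):]   # long form: low 7 bits = number of length bytes


def classify_negotiate_token(header_value: str) -> str:
    """Return 'ntlm', 'spnego', 'krb5' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if token[:1] == b"\x60" and len(token) > 2:   # GSS-API InitialContextToken
        body = _after_der_length(token, 1)
        if body.startswith(SPNEGO_OID):
            return "spnego"
        if body.startswith(KRB5_OID):
            return "krb5"
    return "unknown"


def _sample_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample tokens (not captured traffic): NTLM type 1, a Kerberos
# AP-REQ wrapper with a long-form DER length, and a minimal SPNEGO NegTokenInit.
NTLM_HEADER = _sample_header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 22)
krb_body = KRB5_OID + b"\x01\x00" + b"\x00" * 200      # TOK_ID 01 00 = AP-REQ, then padding
KRB5_HEADER = _sample_header(b"\x60\x81" + bytes([len(krb_body)]) + krb_body)
spnego_body = SPNEGO_OID + b"\xa0\x00"
SPNEGO_HEADER = _sample_header(b"\x60" + bytes([len(spnego_body)]) + spnego_body)
```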

Answer 1

The problem is one of two things. Either the lab client cannot resolve a DC for ad.local from the credentials you entered, so it falls back to NTLM; it can resolve a DC for ad2.local, so it is able to do Kerberos. Or the request to ad.local does not carry enough information for it to know to refer you to the other domain.

On a non-joined Windows client, Windows will try to resolve the domain by looking at the credentials you entered and using the realm portion as a hint. If you enter [email protected], it will try to find a DC with a DNS SRV lookup for _kerberos._tcp.ad.local. If you enter ad\user, the client (probably) does not have enough information to build a successful DNS query, so it falls back to NTLM.

Assuming that succeeds and you are able to resolve ad.local correctly, that DC now needs to know which application it should issue a ticket for. Windows will take the requested hostname and send it to ad.local. If the hostname entered is app, the DC will not find any record and will return a service-not-found error (which causes the client to fall back to NTLM). If the name entered is app.ad2.local, the DC should recognise the .ad2.local suffix (because it is configured on the trust) and initiate a referral; ad2.local will then issue you a ticket for app.ad2.local.

Using fully qualified names should help. If that does not work, enabling forest search order on the ad.local domain should also help.

Otherwise, I would suggest doing a network trace (Wireshark) on the client machine and watching the traffic as it tries to talk to the DC.
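The two lookups the answer describes, as an added example that is not part of the original answer: the realm hint a client derives from the typed login name, and the [domain_realm] mapping from the question's krb5.conf applied to the requested hostname (exact host first, then each parent domain with a leading dot, the way libkrb5 resolves it). The login names and extra hostnames are constructed.

```python
import re

# Added example, not from the original post or answer. KRB5_CONF is the
# [domain_realm] section copied from the question's /etc/krb5.conf.
KRB5_CONF = """\
[domain_realm]
 ad2.local = AD2.LOCAL
 .ad2.local = AD2.LOCAL
 ad.local  = AD.LOCAL
 .ad.local = AD.LOCAL
"""


def parse_domain_realm(conf_text: str) -> dict:
    """Return the [domain_realm] section of a krb5.conf as {domain: REALM}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "domain_realm" and "=" in line:
            domain, realm = (p.strip() for p in line.split("=", 1))
            mapping[domain.lower()] = realm.upper()
    return mapping


def realm_hint(login_name: str):
    r"""UPN 'user@ad.local' yields a realm hint; NetBIOS 'ad\user' yields none."""
    if "@" in login_name:
        return login_name.rsplit("@", 1)[1].upper()
    return None   # no realm to build a DNS SRV query from, so NTLM fallback is likely


def kerberos_srv_name(realm: str) -> str:
    """DNS SRV record a client queries to locate a KDC for the realm."""
    return f"_kerberos._tcp.{realm.lower()}"


def host_realm(hostname: str, domain_realm: dict):
    """Map a requested hostname to a realm: exact host, then parents with a leading dot."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:]) if i == 0 else "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None   # an unqualified name such as "app" maps to no realm
```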
