Microsoft Active Directory Kerberos 返回未知主体

Microsoft Active Directory Kerberos 返回未知主体

我正在尝试对 kbr5p nfs 挂载的主机进行身份验证,其中 Microsoft active directory 充当 Kerberos 服务器。

sudo kinit -k -t /etc/krb5.keytab host/[email protected]
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

但在 Active Directory 中以下命令有效

PS C:\Program Files\vmware\VMware OVF Tool> setspn -l ROBODAROBODA
Registered ServicePrincipalNames for CN=ROBODAROBODA,CN=Computers,DC=example,DC=com:
        host/[email protected]
        HOST/robodaroboda.example.com
        HOST/ROBODAROBODA

在数据包跟踪中,观察到未知的主要错误。请求:

    Kerberos AS-REQ
        Record Mark: 202 bytes
            0... .... .... .... .... .... .... .... = Reserved: Not set
            .000 0000 0000 0000 0000 0000 1100 1010 = Record Length: 202
        Pvno: 5
        MSG Type: AS-REQ (10)
        padata: Unknown:149
            Type: Unknown (149)
                Value: <MISSING>
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000010 (Renewable OK)
                .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt using the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
 Client Name (Principal): host/ROBODAROBODA
            Name-type: Principal (1)
            Name: host
            Name: ROBODAROBODA
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            till: 2020-04-05 18:37:06 (UTC)
            Nonce: 407713677
            Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5-nt 19 des3-cbc-sha1 rc4-hmac 25 26
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: aes128-cts-hmac-sha1-96 (17)
                Encryption type: des-cbc-md5-nt (20)
                Encryption type: Unknown (19)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: Unknown (25)
                Encryption type: Unknown (26)

回复:

Kerberos KRB-ERROR
    Record Mark: 112 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 0111 0000 = Record Length: 112
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2020-04-04 18:37:06 (UTC)
    susec: 931508
    error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
    Realm: EXAMPLE.COM
    Server Name (Service and Instance): krbtgt/EXAMPLE.COM
        Name-type: Service and Instance (2)
        Name: krbtgt
        Name: EXAMPLE.COM

谁能帮助我理解为什么我会看到未知的主体错误?

答案1

添加主机后的问题/[电子邮件保护]到机器帐户的 UserPrincipalName 属性。kinit 正在运行。

相关内容