I am trying to authenticate a host for a krb5p NFS mount, where Microsoft Active Directory acts as the Kerberos server.
sudo kinit -k -t /etc/krb5.keytab host/ROBODAROBODA@EXAMPLE.COM
kinit: Client 'host/ROBODAROBODA@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
But in Active Directory the following command works:
PS C:\Program Files\vmware\VMware OVF Tool> setspn -l ROBODAROBODA
Registered ServicePrincipalNames for CN=ROBODAROBODA,CN=Computers,DC=example,DC=com:
host/ROBODAROBODA@EXAMPLE.COM
HOST/robodaroboda.example.com
HOST/ROBODAROBODA
In the packet trace, an unknown principal error is observed. Request:
Kerberos AS-REQ
Record Mark: 202 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 1100 1010 = Record Length: 202
Pvno: 5
MSG Type: AS-REQ (10)
padata: Unknown:149
Type: Unknown (149)
Value: <MISSING>
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000010 (Renewable OK)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
.... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt using the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
Client Name (Principal): host/ROBODAROBODA
Name-type: Principal (1)
Name: host
Name: ROBODAROBODA
Server Name (Service and Instance): krbtgt/EXAMPLE.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: EXAMPLE.COM
till: 2020-04-05 18:37:06 (UTC)
Nonce: 407713677
Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5-nt 19 des3-cbc-sha1 rc4-hmac 25 26
Encryption type: aes256-cts-hmac-sha1-96 (18)
Encryption type: aes128-cts-hmac-sha1-96 (17)
Encryption type: des-cbc-md5-nt (20)
Encryption type: Unknown (19)
Encryption type: des3-cbc-sha1 (16)
Encryption type: rc4-hmac (23)
Encryption type: Unknown (25)
Encryption type: Unknown (26)
Reply:
Kerberos KRB-ERROR
Record Mark: 112 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 0111 0000 = Record Length: 112
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2020-04-04 18:37:06 (UTC)
susec: 931508
error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
Realm: EXAMPLE.COM
Server Name (Service and Instance): krbtgt/EXAMPLE.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: EXAMPLE.COM
Could someone help me understand why I am seeing the unknown principal error?
Answer 1
After adding host/ROBODAROBODA@EXAMPLE.COM to the machine account's UserPrincipalName attribute, kinit is working.
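The reason setspn -l looks fine while the AS-REQ still fails is that the two lookups hit different attributes: servicePrincipalName is consulted only when a service ticket is requested (TGS-REQ), whereas the client name in an AS-REQ is resolved against the account's sAMAccountName (ROBODAROBODA$ for a computer object) or its userPrincipalName. A host/ SPN therefore does nothing for kinit until the same string also exists as the UPN, which is exactly what the answer above changes. The following PowerShell script, added here as an example and not code from the question or the answer, inspects the computer object, explains the mismatch, and applies the answer's fix with -WhatIf so nothing is written until the operator removes that switch. It assumes the ActiveDirectory module on a domain-joined admin host and the names from the post (ROBODAROBODA, EXAMPLE.COM).

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and the names below match the question.
Import-Module ActiveDirectory

$ComputerName = 'ROBODAROBODA'                 # computer account from the post
$Realm        = 'EXAMPLE.COM'                  # Kerberos realm from the post
$ClientPrinc  = "host/$ComputerName@$Realm"    # cname kinit sends in the AS-REQ

$acct = Get-ADComputer -Identity $ComputerName -Properties ServicePrincipalName, UserPrincipalName

Write-Host "sAMAccountName : $($acct.SamAccountName)"   # the account's canonical client name
Write-Host "UPN            : $($acct.UserPrincipalName)"
Write-Host "SPNs           :"
$acct.ServicePrincipalName | ForEach-Object { Write-Host "  $_" }

# SPNs only matter for TGS-REQ (service ticket) lookups. For an AS-REQ the KDC
# resolves the client name against sAMAccountName or userPrincipalName, so a
# registered host/ SPN still yields KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN when the
# same string is presented as the *client*.
$hasSpn = $acct.ServicePrincipalName -contains "host/$ComputerName"   # -contains is case-insensitive
$upnOk  = $acct.UserPrincipalName -ieq $ClientPrinc

if ($upnOk) {
    Write-Host "UPN already equals $ClientPrinc; 'kinit -k -t /etc/krb5.keytab $ClientPrinc' should succeed."
}
elseif ($hasSpn) {
    Write-Warning "SPN is registered but UPN is '$($acct.UserPrincipalName)'; kinit as $ClientPrinc will fail with C_PRINCIPAL_UNKNOWN."
    # Fix from the accepted answer. -WhatIf previews the write; remove it only
    # after confirming no other object in the forest already uses this UPN
    # (UPNs must be unique, and a duplicate breaks logon for both accounts).
    Set-ADComputer -Identity $ComputerName -UserPrincipalName $ClientPrinc -WhatIf
}
else {
    Write-Warning "Neither a host/$ComputerName SPN nor a matching UPN exists on $ComputerName; check the keytab principal before changing AD."
}
```

After the UPN is set, re-run the kinit command from the question and confirm that a fresh packet capture shows an AS-REP instead of a KRB-ERROR; the error code in the trace above (6, C_PRINCIPAL_UNKNOWN) is the one to watch for, since it always means a client lookup failed and never a key or password problem.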