I have successfully joined an Ubuntu machine (Ubuntu 20.04 LTS) to Active Directory. As a result, I can log in with AD accounts, obtain and renew a user's ticket-granting ticket, and access network shares using Kerberos authentication.
However, I am having trouble obtaining initial credentials for the computer account:
admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
[sudo] password for admin:
[232252] 1645435537.855061: Getting initial credentials for host/[email protected]
[232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
[232252] 1645435537.855064: Sending unauthenticated request
[232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
[232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
[232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
[232252] 1645435537.855068: Response was from master KDC
[232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials
I have spent several hours on this problem without making any progress. Maybe I am missing some necessary step. The requested principal is contained in the local keytab on the Ubuntu machine:
root@comp01:~$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 02/17/2022 07:34:59 [email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 [email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 [email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 host/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
And the principals are also registered on the AD domain controller:
> setspn -L comp01
Registered ServicePrincipalNames for CN=COMP01,CN=Computers,DC=company,DC=lan:
RestrictedKrbHost/comp01.company.lan
host/comp01.company.lan
RestrictedKrbHost/COMP01
host/COMP01
The Ubuntu machine was joined to the AD domain using
> realm join company.lan
The Kerberos configuration file looks like this:
[libdefaults]
    default_realm = COMPANY.LAN
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true
[realms]
    COMPANY.LAN = {
        kdc = DC.company.lan
        admin_server = DC.company.lan
        default_domain = company.lan
    }
[domain_realm]
    .company.lan = COMPANY.LAN
    company.lan = COMPANY.LAN
Forward and reverse DNS also look fine:
> nslookup comp01
Server: DC.company.lan
Address: 172.27.17.41
Name: comp01.company.lan
Address: 172.27.17.131
> nslookup 172.27.17.131
Server: DC.company.lan
Address: 172.27.17.41
Name: comp01.company.lan
Address: 172.27.17.131
I would really appreciate any hint that points me in the right direction.
Answer 1
In Active Directory-style Kerberos there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as the client principal; its SPNs cannot.
The account name of a computer object is always the uppercased hostname suffixed with $, e.g. the account name of a computer named "COMP01" will be COMP01$.
Meanwhile, host/comp01 and host/comp01.company.lan exist only as service principals: the AD KDC will issue tickets to clients that request "host/comp01" as the target service, but will not allow them to act as the client during initial authentication. They exist in your keytab only for use on the "acceptor" side.
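As an added example (not part of the question or the answer above), the following shell snippet shows the practical consequence of the distinction the answer draws: pick the sAMAccountName-style principal (the one whose name part ends in "$") out of a `klist -kte` listing and hand that, rather than the `host/` SPN that `kinit -kt` defaults to, to `kinit` as the client principal. The keytab listing embedded below is constructed to mirror the one in the question; the hostname COMP01, the realm COMPANY.LAN and the keytab path are illustrative. The `kinit_machine_account` helper is not invoked at top level because it needs a reachable KDC; the parser is exercised on the constructed listing so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Hostname, realm and keytab path
# below are assumptions made for illustration.

# Constructed sample of `klist -kte` output (same shape as in the question).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)'

# Read a `klist -kte` listing on stdin and print the distinct principal(s)
# whose name part ends in "$", i.e. the computer account's sAMAccountName form.
# Entry lines start with a numeric KVNO; with -t the principal is the 4th
# column (KVNO, date, time, principal, etype). host/ and RestrictedKrbHost/
# entries are SPNs and are skipped on purpose: the AD KDC rejects them as a
# client name in an AS-REQ ("Client not found in Kerberos database").
machine_principals() {
    awk '$1 ~ /^[0-9]+$/ && $4 ~ /\$@/ { print $4 }' | sort -u
}

# Obtain a TGT for the computer account from the (root-readable) keytab.
# Equivalent to: kinit -kt /etc/krb5.keytab 'COMP01$@COMPANY.LAN'
# Because default_realm is set in krb5.conf, kinit -kt /etc/krb5.keytab 'COMP01$'
# would work as well. Not called at top level: it needs a reachable KDC.
kinit_machine_account() {
    keytab=${1:-/etc/krb5.keytab}
    princ=$(klist -kte "$keytab" | machine_principals | head -n 1)
    if [ -z "$princ" ]; then
        echo "no sAMAccountName-style (...\$) principal found in $keytab" >&2
        return 1
    fi
    echo "using client principal: $princ" >&2
    KRB5_TRACE=/dev/stderr kinit -kt "$keytab" "$princ"
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_KLIST" | machine_principals
```

Run as `sudo sh ./machine-kinit.sh` after uncommenting a call to `kinit_machine_account` to actually request the TGT; afterwards `klist` should show a ticket for `COMP01$@COMPANY.LAN` rather than for the `host/` name.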