Cannot get credentials for the computer account - Client not found in Kerberos database

I have successfully joined an Ubuntu machine (Ubuntu 20.04 LTS) to Active Directory. I can therefore log in with AD accounts, obtain and renew a user's ticket-granting ticket, and access network shares using Kerberos authentication.

However, I am having trouble obtaining initial credentials for the computer account:

admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
[sudo] password for admin:
[232252] 1645435537.855061: Getting initial credentials for host/[email protected]
[232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
[232252] 1645435537.855064: Sending unauthenticated request
[232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
[232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
[232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
[232252] 1645435537.855068: Response was from master KDC
[232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

I have spent hours on this problem without making any progress. Perhaps I am missing a necessary step. The requested principal is contained in the local keytab on the Ubuntu machine:

root@comp01:~$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 [email protected] (arcfour-hmac)
   4 02/17/2022 07:34:59 [email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 [email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
   4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/[email protected] (arcfour-hmac)
   4 02/17/2022 07:34:59 host/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 host/[email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (arcfour-hmac)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes128-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/[email protected] (aes256-cts-hmac-sha1-96)

And the principals are also registered on the AD domain controller:

> setspn -L comp01
Registrierte Dienstprinzipalnamen (SPN) für CN=COMP01,CN=Computers,DC=company,DC=lan:
            RestrictedKrbHost/comp01.company.lan
            host/comp01.company.lan
            RestrictedKrbHost/COMP01
            host/COMP01

The Ubuntu machine was joined to the AD domain using

> realm join company.lan

The Kerberos configuration file is as follows:

[libdefaults]
        default_realm = COMPANY.LAN
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        COMPANY.LAN = {
                kdc = DC.company.lan
                admin_server = DC.company.lan
                default_domain = company.lan
        }
[domain_realm]
        .company.lan = COMPANY.LAN
        company.lan = COMPANY.LAN

Forward and reverse DNS also look fine:

> nslookup comp01
Server:  DC.company.lan
Address:  172.27.17.41

Name:    comp01.company.lan
Address:  172.27.17.131

> nslookup 172.27.17.131
Server:  DC.company.lan
Address:  172.27.17.41

Name:    comp01.company.lan
Address:  172.27.17.131

I would really appreciate any hint that points me in the right direction.

Answer 1

With Active Directory-style Kerberos, there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as a client principal; its SPNs cannot.

A computer object's account name is always the uppercase hostname suffixed with $, e.g. the account name for a computer named "COMP01" will be COMP01$.

Meanwhile, host/comp01 and host/comp01.company.lan exist only as service principals: the AD KDC will issue tickets to clients that request "host/comp01" as the target server, but will not allow them to act as clients during initial authentication. They exist in your keytab only for use on the "acceptor" side.
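Added example (not from the question or the answer): a small POSIX shell helper that picks the sAMAccountName principal out of a `klist -kte` listing and builds the kinit command with it, instead of the host/ SPN that `kinit -kt` tried by default in the trace above. The keytab listing is constructed from the one in the question, assuming its principals are COMP01$, host/comp01, host/comp01.company.lan and RestrictedKrbHost/COMP01.

```shell
# Added example, not code from the original post. Selects the machine-account
# (client-capable) principal from a keytab listing and builds the kinit command.

# Constructed sample of `klist -kte` output, modelled on the question's listing;
# the principal names are an assumption, since the post's copy is garbled.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/comp01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)'

# Print the unique principals in a klist -kte listing (read from stdin).
keytab_principals() {
    # Field 4 is the principal; the first three lines are header/separator.
    awk 'NR > 3 && NF >= 4 { print $4 }' | sort -u
}

# The client-capable principal: an AD computer account is sAMAccountName,
# i.e. HOSTNAME$ with no slash, followed by @REALM.
machine_principal() {
    keytab_principals | grep -E '^[^/@]+\$@[^@]+$' | head -n 1
}

# Service principals (containing a slash) are acceptor-side only and are
# rejected by an AD KDC as kinit clients; list them to make the split visible.
service_principals() {
    keytab_principals | grep -E '^[^/@]+/[^@]+@[^@]+$'
}

# Build the kinit command for the machine account. It is printed rather than
# executed so the helper can be checked without a KDC.
kinit_command() {
    p=$(machine_principal)
    [ -n "$p" ] || { echo "no machine-account principal in keytab" >&2; return 1; }
    printf "kinit -kt /etc/krb5.keytab '%s'\n" "$p"
}

# On a real host: klist -kte | kinit_command
printf '%s\n' "$SAMPLE_KLIST" | kinit_command
```

The same selection can be run against the real keytab with `sudo klist -kte | machine_principal`; the `$` in the principal must stay quoted on the shell command line.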
