I'm trying to authenticate with my Kerberos credentials when running ssh from a Windows 11 client joined to a Windows Server 2019 domain (let's call it AD.LOCAL) to a Linux host joined to a domain managed by FreeIPA (let's call it IPA.LOCAL), and it fails.
I have established a "forest" trust, and while troubleshooting I verified that it works if I change either the client (to Linux) or the target (to a host in the same domain).
To demonstrate the problem, command output is trimmed for brevity and hosts and IPs are anonymized.
❌ From Windows to IPA host:
PS C:\Users\user> ssh -v -K -l user@AD.LOCAL host02.ipa.local
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
...
debug1: Authenticating to host02.ipa.local:22 as 'user@AD.LOCAL'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: GSS_S_FAILURE
debug1: Next authentication method: publickey
...
✅ From Windows to AD host:
PS C:\Users\user> ssh -v -K -l user@AD.LOCAL host01.ad.local
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
...
debug1: Authenticating to host01.ad.local:22 as 'user@AD.LOCAL'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: sspi delegation was requested but not fulfilled
debug1: Delegating credentials
debug1: sspi delegation was requested but not fulfilled
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host01.ad.local ([192.168.0.62]:22).
...
✅ From Linux to IPA host:
$ ssh -v -K -l user@AD.LOCAL host02.ipa.local
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
...
debug1: Authenticating to host02.ipa.local:22 as 'user@AD.LOCAL'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host02.ipa.local ([192.168.0.181]:22).
...
✅ From Linux to AD host:
$ ssh -v -K -l user@AD.LOCAL host01.ad.local
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
...
debug1: Authenticating to host01.ad.local:22 as 'user@AD.LOCAL'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host01.ad.local ([192.168.0.62]:22).
...
My tickets after running the commands above:
Windows tickets:
PS C:\Users\user> klist
Current LogonId is 0:0xe934d3
Cached Tickets: (2)
#0> Client: user @ AD.LOCAL
Server: krbtgt/AD.LOCAL @ AD.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 6/17/2022 14:55:54 (local)
End Time: 6/18/2022 0:55:54 (local)
Renew Time: 6/24/2022 14:55:54 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: dc02.ad.local
#1> Client: user @ AD.LOCAL
Server: host/host01.ad.local @ AD.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 6/17/2022 14:55:54 (local)
End Time: 6/18/2022 0:55:54 (local)
Renew Time: 6/24/2022 14:55:54 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc02.ad.local
Linux tickets:
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.LOCAL
Valid starting Expires Service principal
06/17/2022 14:31:40 06/18/2022 00:30:36 host/host02.ipa.local@
renew until 06/18/2022 14:30:34
Ticket server: host/host02.ipa.local@IPA.LOCAL
06/17/2022 14:31:39 06/18/2022 00:30:36 krbtgt/IPA.LOCAL@AD.LOCAL
renew until 06/18/2022 14:30:34
06/17/2022 14:31:09 06/18/2022 00:30:36 host/host01.ad.local@
renew until 06/18/2022 14:30:34
Ticket server: host/host01.ad.local@AD.LOCAL
06/17/2022 14:30:36 06/18/2022 00:30:36 krbtgt/AD.LOCAL@AD.LOCAL
renew until 06/18/2022 14:30:34
For completeness, there is nothing interesting in /etc/krb5.conf on the Linux machine; I deliberately commented out almost everything.
$ grep -v \# /etc/krb5.conf
[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
OS versions
Windows client:
PS C:\Users\user> cmd /c ver
Microsoft Windows [Version 10.0.22000.675]
Linux client:
$ lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: Rocky
Description: Rocky Linux release 8.6 (Green Obsidian)
Release: 8.6
Codename: GreenObsidian
Update to answer the questions in the comments:
Windows client:
$ klist get host/host02.ipa.local
Current LogonId is 0:0xe934d3
Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x6fb
klist failed with 0xc000018b/-1073741429: The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
Note: the trust is configured as type "external".
The Linux client does not have sssd installed at all.
$ rpm -qa sss\* | grep . ; echo $?
1
But for completeness:
$ env SSSD_KRB5_LOCATOR_DISABLE=1 kvno host/host02.ipa.local
kvno: Configuration file does not specify default realm while parsing principal name host/host02.ipa.local
Now, this makes me think the Linux client tools behave differently when resolving host-name credentials. For example, the following command, when told that the credential it wants is a host name, succeeds: it obtains a krbtgt for IPA.LOCAL from AD.LOCAL and then goes to the IPA.LOCAL server to get the ticket:
$ env SSSD_KRB5_LOCATOR_DISABLE=1 kvno -S host host02.ipa.local
host/host02.ipa.local@: kvno = 1
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.LOCAL
Valid starting Expires Service principal
06/20/2022 11:57:32 06/20/2022 21:56:38 host/host02.ipa.local@
renew until 06/21/2022 11:56:34
Ticket server: host/host02.ipa.local@IPA.LOCAL
06/20/2022 11:57:32 06/20/2022 21:56:38 krbtgt/IPA.LOCAL@AD.LOCAL
renew until 06/21/2022 11:56:34
06/20/2022 11:56:38 06/20/2022 21:56:38 krbtgt/AD.LOCAL@AD.LOCAL
renew until 06/21/2022 11:56:34
PS: Updated the description because we upgraded the trust from type "external" to type "forest". The problem persists.
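The question above shows `klist get host/host02.ipa.local` failing on the Windows client while MIT `kvno -S host host02.ipa.local` on Linux succeeds by first fetching a cross-realm krbtgt/IPA.LOCAL@AD.LOCAL. The following PowerShell script is an added diagnostic example, not part of the original question, that collects what the Windows SSPI Kerberos client knows about the trust and about which realm owns the target host, using only built-in Windows tools (klist, ksetup, nltest). The host and realm names are taken from the question; asking `klist get` for the principal with an explicit `@IPA.LOCAL` realm, and the `ksetup /addhosttorealmmap` command mentioned at the end, are assumptions about one thing worth checking rather than a confirmed fix.

```powershell
# Added diagnostic example; not the question author's script.
# Shows whether the Windows Kerberos client can find the realm that owns a
# non-Windows host in a trusted realm. Run in an elevated PowerShell so that
# ksetup can read the full mapping state.
param(
    [string]$TargetHost  = 'host02.ipa.local',   # from the question
    [string]$TargetRealm = 'IPA.LOCAL'           # from the question
)

Write-Host "== Trusts visible to this client (nltest) =="
nltest /domain_trusts

Write-Host "`n== Realm, KDC and host-to-realm mappings on this client (ksetup) =="
# An entry here is how Windows learns that $TargetHost belongs to $TargetRealm
# when DNS alone does not tell it.
ksetup /dumpstate

Write-Host "`n== Cached tickets before =="
klist

Write-Host "`n== Service ticket for host/$TargetHost (no realm hint) =="
# This is the request OpenSSH for Windows makes through SSPI; Windows must
# work out the realm of $TargetHost by itself.
klist get "host/$TargetHost"

Write-Host "`n== Same request with the realm spelled out (assumed form) =="
# Assumption: if this succeeds while the request above fails, the client can
# reach IPA.LOCAL through the trust but cannot map the host name to the realm.
klist get "host/$TargetHost@$TargetRealm"

Write-Host "`n== Cached tickets after =="
# Look for krbtgt/IPA.LOCAL @ AD.LOCAL, the cross-realm TGT that the Linux
# klist output in the question shows MIT Kerberos obtaining.
klist
```

If the explicit-realm request works but the bare host request does not, the usual knob on the Windows side is a host-to-realm mapping, for example `ksetup /addhosttorealmmap host02.ipa.local IPA.LOCAL` run elevated, after which `klist get host/host02.ipa.local` can be retried; whether that applies to this particular forest trust is not established by the question, so treat it as something to test, not as the answer.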