I want to set up a service that checks the KDC with Nagios. On my KDC (samba4) I create the user with this script
#!/bin/bash
USER=nagioskerberos
DOMAIN=myhost.priv
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv
samba-tool user delete $USER
samba-tool user create $USER --random-password
samba-tool user setexpiry $USER --noexpiry
net ads enctypes set $USER 16
samba-tool spn add $SERVICE/$FQDN $USER
samba-tool domain exportkeytab $USER.keytab --principal=$SERVICE/$FQDN
Then I copy the keytab to the Nagios server and restart the service
scp nagioskerberos.keytab nagios1:
ssh nagios1
systemctl restart nagios
The permissions are fine
ls -lhd /etc/nagios/nagios.*tab
-rw------- 1 nagios nagios 101 Jul 2 02:25 /etc/nagios/nagios.keytab
The key looks fine too
klist -ke /etc/nagios/nagios.keytab
Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV (aes256-cts-hmac-sha1-96)
But when I try the check...
./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV -H samba4 -P 88
CRITICAL Getting Kerberos ticket: kinit: Client 'nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV' not found in Kerberos database while getting initial credentials (credentials for nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV from /etc/nagios/nagios.keytab)
Why?
This is the krb5.conf of both the samba4 server and the nagios server
[libdefaults]
default_realm = MYHOST.PRIV
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
Answer 1
Found the solution.
First I changed my script
from
net ads enctypes set $USER 16
to
net ads enctypes set $USER 24
I recreated the user.
Before exporting the keytab and copying it I did this
samba-tool user edit nagioskerberos
and changed this line
userPrincipalName: nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV
Export...
Copy the keytab, restart nagios and...
./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV -H samba4 -P 88
OK
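The two changes in the answer (enctype bitmask 24 instead of 16, and a userPrincipalName that matches the keytab principal) can be folded into one provisioning script. The block below is an added example, not the poster's script: it derives the client name from SERVICE/FQDN/REALM, writes the UPN with ldbmodify instead of editing the object interactively, and finishes with a kinit from the keytab so the "Client not found" failure is caught on the DC before the keytab is shipped to Nagios. The sam.ldb path, the realm and the enctype bit values are assumptions stated in the comments; run it with --apply on the Samba AD DC.

```shell
#!/bin/bash
# Added example (not from the original post): provision a Kerberos client
# principal for check_kdc so that the keytab principal, the AD
# userPrincipalName and the SPN all name the same thing.
set -eu

USER=nagioskerberos
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv
REALM=MYHOST.PRIV                          # assumed: default_realm from krb5.conf
SAM=/var/lib/samba/private/sam.ldb         # assumed: default Samba AD DC location
KEYTAB=$USER.keytab

# The name check_kdc will kinit as: SERVICE/FQDN@REALM.
principal() { printf '%s/%s@%s\n' "$1" "$2" "$3"; }

# LDIF that sets userPrincipalName to that name. The KDC resolves the client
# name in an AS-REQ through userPrincipalName/sAMAccountName, not through
# servicePrincipalName, so an SPN alone yields "Client ... not found".
upn_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# msDS-SupportedEncryptionTypes bitmask: 8 = AES128, 16 = AES256, 24 = both.
# The original script used 16 (AES256 only); the answer switched to 24.
ENCTYPES=$((8 | 16))

provision() {
  samba-tool user delete "$USER" || true     # ignore "user does not exist"
  samba-tool user create "$USER" --random-password
  samba-tool user setexpiry "$USER" --noexpiry
  net ads enctypes set "$USER" "$ENCTYPES"
  samba-tool spn add "$SERVICE/$FQDN" "$USER"
  # Look up the object's DN, then replace its UPN in one ldbmodify call.
  dn=$(ldbsearch -H "$SAM" "(sAMAccountName=$USER)" dn \
       | awk '/^dn: /{sub(/^dn: /,""); print; exit}')
  upn_ldif "$dn" "$(principal "$SERVICE" "$FQDN" "$REALM")" | ldbmodify -H "$SAM"
  samba-tool domain exportkeytab "$KEYTAB" --principal="$SERVICE/$FQDN"
}

# Verify on the DC: keytab contents, the AD attributes, and an actual AS-REQ.
verify() {
  klist -ke "$KEYTAB"
  ldbsearch -H "$SAM" "(sAMAccountName=$USER)" \
    userPrincipalName servicePrincipalName msDS-SupportedEncryptionTypes
  kinit -k -t "$KEYTAB" "$(principal "$SERVICE" "$FQDN" "$REALM")" && klist
}

case "${1:-}" in
  --apply) provision; verify ;;
  *) echo "usage: $0 --apply   (runs samba-tool/ldbmodify on the Samba AD DC)" ;;
esac
```

If kinit succeeds here but check_kdc still fails on the Nagios host, the remaining differences are the copied keytab (compare klist -ke on both machines, including the KVNO) and the Nagios host's krb5.conf, which must permit the same AES enctypes the account was restricted to.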