What is wrong with my nagios KDC configuration?


I want to set up a service that checks the KDC with nagios. On my KDC (samba4) I create the user with this script

#!/bin/bash

USER=nagioskerberos
DOMAIN=myhost.priv
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv

# recreate the account from scratch with a random, non-expiring password
samba-tool user delete $USER
samba-tool user create $USER --random-password
samba-tool user setexpiry $USER --noexpiry
# msDS-SupportedEncryptionTypes bitmask: 16 = AES256 only
net ads enctypes set $USER 16
# register the SPN and export a keytab holding only that principal
samba-tool spn add $SERVICE/$FQDN $USER
samba-tool domain exportkeytab $USER.keytab --principal=$SERVICE/$FQDN

Then I copy the keytab to the nagios server and restart the service

scp nagioskerberos.keytab nagios1:
ssh nagios1
systemctl restart nagios

The permissions are fine

ls -lhd /etc/nagios/nagios.*tab
-rw------- 1 nagios nagios 101 Jul  2 02:25 /etc/nagios/nagios.keytab

The key looks fine

klist -ke /etc/nagios/nagios.keytab
Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV (aes256-cts-hmac-sha1-96)

But when I try the check...

./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV -H samba4 -P 88
CRITICAL Getting Kerberos ticket: kinit: Client 'nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV' not found in Kerberos database while getting initial credentials (credentials for nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV from /etc/nagios/nagios.keytab)

Why?

This is the krb5.conf on both the samba4 server and the nagios server

[libdefaults]
    default_realm = MYHOST.PRIV
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

Answer 1

Found the solution.

First I changed my script

net ads enctypes set $USER 16

net ads enctypes set $USER 24

I recreated the user.

Before exporting the keytab and copying it, I did this

samba-tool user edit nagioskerberos

and modified this line

userPrincipalName: nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV

Exported..

Copied the keytab, restarted nagios and...

./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV -H samba4 -P 88
OK
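As an added example (hypothetical helper, not code from the question or the answer), a bash script that makes the two things the answer changed checkable before the keytab is copied to the nagios host: it decodes the `net ads enctypes` bitmask (16 versus 24), checks a `klist -ke` listing against that mask, and, where the krb5 tools and the KDC are available, asks for a TGT with every principal in the keytab so the "Client not found in Kerberos database" error surfaces on the KDC side first. The `klist` sample at the end is constructed from the listing in the question.

```bash
#!/bin/bash
# Added example (hypothetical helper, not from the question or answer).
# Decode the bitmask "net ads enctypes set" stores in msDS-SupportedEncryptionTypes:
# 0x1 des-cbc-crc, 0x2 des-cbc-md5, 0x4 arcfour-hmac,
# 0x8 aes128-cts-hmac-sha1-96, 0x10 aes256-cts-hmac-sha1-96 (so 16 = AES256 only, 24 = AES128+AES256).
decode_enctypes() {
    local mask=$1 out=""
    [ $((mask & 1)) -ne 0 ]  && out="$out des-cbc-crc"
    [ $((mask & 2)) -ne 0 ]  && out="$out des-cbc-md5"
    [ $((mask & 4)) -ne 0 ]  && out="$out arcfour-hmac"
    [ $((mask & 8)) -ne 0 ]  && out="$out aes128-cts-hmac-sha1-96"
    [ $((mask & 16)) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    printf '%s\n' "${out# }"
}

# Read "klist -ke" output on stdin and succeed only if every key's enctype is
# enabled in the account's mask; a key the account may not use fails later in kinit.
keytab_enctypes_allowed() {
    local mask=$1 allowed kvno princ etype
    allowed=" $(decode_enctypes "$mask") "
    while read -r kvno princ etype; do
        case "$kvno" in [0-9]*) ;; *) continue ;; esac   # skip header lines
        etype=${etype#\(}; etype=${etype%\)}
        case "$allowed" in *" $etype "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Live check (needs the krb5 tools and a reachable KDC): request a TGT with each
# principal stored in the keytab. A principal the KDC does not know fails here with
# the same "Client ... not found in Kerberos database" text check_kdc reported.
verify_keytab_against_kdc() {
    local keytab=$1 princ err rc=0
    for princ in $(klist -k "$keytab" | awk 'NR > 3 { print $2 }' | sort -u); do
        if err=$(KRB5CCNAME=MEMORY:ktcheck kinit -kt "$keytab" "$princ" 2>&1); then
            echo "OK   $princ"
        else
            echo "FAIL $princ: $err"; rc=1
        fi
    done
    return $rc
}

# Constructed sample, shaped like the klist -ke listing in the question.
SAMPLE_KLIST='Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- ----
   2 nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV (aes256-cts-hmac-sha1-96)'
printf '%s\n' "$SAMPLE_KLIST" | keytab_enctypes_allowed 24 && echo "mask 24 covers the sample keytab"
```

Run `verify_keytab_against_kdc /etc/nagios/nagios.keytab` on the nagios host after copying the keytab; it uses a memory credential cache, so nothing is left on disk.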
