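We are migrating our active directory from a Debian server to Ubuntu. LDAP (Slapd), libnss, kerberos, pam and nfs have been configured. However, on client login attempts the server emits Kerberos errors.
Kerberos was migrated by installing it via apt. We then copied the following from the old server to the new one: krb5.conf, krb5.keytab, the krb5kdc directory and the /var/lib/krb5kdc directory.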
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.90: NEEDED_PREAUTH: n.dajnowski@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for krbtgt/CS@CS
Sep 17 17:50:01 cs2s krb5kdc[2383]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for host/cs2s.cs@CS
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.254: NEEDED_PREAUTH: test@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:35 cs2s krb5kdc[2383]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.254: PREAUTH_FAILED: test@CS for krbtgt/CS@CS, Preauthentication failed
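The client flashes a black screen and returns to the login prompt. We also tested this on the old server and received the following messages in the log after a successful login.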
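I did notice that the old server has cs2s.cs@CS rather than CS@CS. As I am fairly new to this technology, could someone advise how to configure the new server correctly?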
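An added example, not part of the original post: a small Python triage of krb5kdc log lines in the format shown above. It treats NEEDED_PREAUTH as the normal first leg of a login and flags PREAUTH_FAILED, which the KDC logs when it cannot verify the encrypted timestamp with the key stored for that principal. The sample lines are the post's log with the etype lists abridged; the function and variable names are hypothetical.

```python
import re

# Constructed sample: the post's krb5kdc lines with the request etype lists abridged.
SAMPLE_LOG = """\
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.0.90: NEEDED_PREAUTH: n.dajnowski@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for krbtgt/CS@CS
Sep 17 17:50:01 cs2s krb5kdc[2383]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for host/cs2s.cs@CS
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.0.254: NEEDED_PREAUTH: test@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:35 cs2s krb5kdc[2383]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.0.254: PREAUTH_FAILED: test@CS for krbtgt/CS@CS, Preauthentication failed
"""

# request type, client address, status code, then "<client> for <service>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(.*?\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?:.*, )?(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def triage(log_text):
    """Return (logins, services): the outcome of each AS exchange keyed by
    (client principal, address), and the service tickets the KDC issued."""
    logins, services = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the bare "preauth ... verify failure" line
        key, status = (m["client"], m["ip"]), m["status"]
        if m["req"] == "TGS_REQ":
            if status == "ISSUE":
                services.append((m["client"], m["service"]))
        elif status == "NEEDED_PREAUTH":
            # Normal first leg: the KDC asks the client for an encrypted timestamp.
            logins.setdefault(key, "no second request seen")
        elif status == "ISSUE":
            logins[key] = "TGT issued"
        elif status == "PREAUTH_FAILED":
            # The timestamp did not verify against the key stored for the principal.
            logins[key] = "password/stored key mismatch"
        else:
            logins[key] = status  # any other KDC status code, reported as-is
    return logins, services

if __name__ == "__main__":
    logins, services = triage(SAMPLE_LOG)
    for (client, ip), outcome in logins.items():
        print(f"{client} from {ip}: {outcome}")
    print("service tickets:", services)
```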