输入密码后无法使用 kadmin 命令。list_principals 和 klist 返回输出“true”,但没有有关票证的信息。
关于票证的信息和在 kadmin 界面中输入命令的选项在哪里?
:~$ kadmin
Authenticating as principal norbert/admin@ubunturealm with password.
kadmin: true while initializing kadmin interface
:~$ klist
klist: true
:~$ kinit
kinit: true while getting initial credentials
:~$
krb5配置文件
:/etc$ cat krb5.conf
[libdefaults]
default_realm = ubunturealm
dns_lookup_realm = true
dns_lookup_kdc = true
dns_canonicalize_hostname = true
dns_uri_lookup = true
rdns = true
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
clockskew = 300s
default_ccache_name = DEFCCNAME
default_client_keytab_name = DEFCKTNAME
default_keytab_name = DEFKTNAME
#default_tgs_enctypes =
#default_tks_enctypes =
enforce_ok_as_delagate = true
err_fmt = true
extra_addresses = true
# SPRAWDZ MULTIHOMED HOSTNAMES i VIRTUAL HOSTING ENV zanim to ustawisz
#ignore_acceptor_hostname = true
k5login_authoritative = true
k5login_directory = true
#on mac os only kcm_mach_service
#on mac os only kcm_socket
#kdc_default_options = 0x00000010
kdc_timesync = 1
#noaddresses = true
#permitted_enctypes =
plugin_base_dir = krb5/plugins
#preferred_preauth_types = 17, 16, 14, 14
#qualify_shortname
#realm_try_domains =
#renew_lifetime = 0
spake_preauth_groups = edwards25519
ticket_lifetime = 1d
#ustalic ile potrzeba na udp_preference_limit =
# trzeba ogarnac to z keytabem na kliencie i na serwerze
# zwiazek z keytabem verify_ap_req_nofail = false
allow_des3 = false
allow_rc4 = false
allow_weak_crypto = false
canonicalize = true
client_aware_channel_bindings = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ubunturealm = {
kdc = serverkerberos
admin_server = adminserverkerberos
default_domain = ubuntuserver
# auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/}
}
#ATHENA.MIT.EDU = {
# kdc = kerberos.mit.edu
# kdc = kerberos-1.mit.edu
# kdc = kerberos-2.mit.edu:88
# admin_server = kerberos.mit.edu
# default_domain = mit.edu
#}
#ZONE.MIT.EDU = {
# kdc = casio.mit.edu
# kdc = seiko.mit.edu
# admin_server = casio.mit.edu
#}
#SAIL.MIT.EDU = {
# admin_server = kerberos.csail.mit.edu
# default_domain = csail.mit.edu
#}
#IHTFP.ORG = {
# kdc = kerberos.ihtfp.org
# admin_server = kerberos.ihtfp.org
#}
#TS.ORG = {
# kdc = kerberos.1ts.org
# admin_server = kerberos.1ts.org
#}
#ANDREW.CMU.EDU = {
# admin_server = kerberos.andrew.cmu.edu
# default_domain = andrew.cmu.edu
#}
#CS.CMU.EDU = {
# kdc = kerberos-1.srv.cs.cmu.edu
# kdc = kerberos-2.srv.cs.cmu.edu
# kdc = kerberos-3.srv.cs.cmu.edu
# admin_server = kerberos.cs.cmu.edu
#}
#DEMENTIA.ORG = {
# kdc = kerberos.dementix.org
# kdc = kerberos2.dementix.org
# admin_server = kerberos.dementix.org
#}
#stanford.edu = {
# kdc = krb5auth1.stanford.edu
# kdc = krb5auth2.stanford.edu
# kdc = krb5auth3.stanford.edu
# master_kdc = krb5auth1.stanford.edu
# admin_server = krb5-admin.stanford.edu
# default_domain = stanford.edu
#}
#UTORONTO.CA = {
# kdc = kerberos1.utoronto.ca
# kdc = kerberos2.utoronto.ca
# kdc = kerberos3.utoronto.ca
# admin_server = kerberos1.utoronto.ca
# default_domain = utoronto.ca
#}
[domain_realm]
#.mit.edu = ATHENA.MIT.EDU
#mit.edu = ATHENA.MIT.EDU
#.media.mit.edu = MEDIA-LAB.MIT.EDU
#media.mit.edu = MEDIA-LAB.MIT.EDU
#.csail.mit.edu = CSAIL.MIT.EDU
#csail.mit.edu = CSAIL.MIT.EDU
#.whoi.edu = ATHENA.MIT.EDU
#whoi.edu = ATHENA.MIT.EDU
#.stanford.edu = stanford.edu
#.slac.stanford.edu = SLAC.STANFORD.EDU
#.toronto.edu = UTORONTO.CA
#.utoronto.ca = UTORONTO.CA
系统控制
● krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; preset: ena>
Active: active (running) since Sun 2024-03-10 09:45:33 UTC; 6min ago
Main PID: 824 (krb5kdc)
Tasks: 1 (limit: 5673)
Memory: 1.3M
CPU: 35ms
CGroup: /system.slice/krb5-kdc.service
└─824 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
Mar 10 09:45:33 ubuntuserver krb5kdc[754]: Setting pktinfo on socket ::.88
Mar 10 09:45:33 ubuntuserver krb5kdc[754]: Setting up TCP socket for address 0.>
Mar 10 09:45:33 ubuntuserver krb5kdc[754]: Setting up TCP socket for address ::>
Mar 10 09:45:33 ubuntuserver krb5kdc[754]: setsockopt(14,IPV6_V6ONLY,1) worked
Mar 10 09:45:33 ubuntuserver krb5kdc[754]: set up 6 sockets
Mar 10 09:45:33 ubuntuserver systemd[1]: krb5-kdc.service: Can't open PID file >
Mar 10 09:45:33 ubuntuserver krb5kdc[824]: commencing operation
Mar 10 09:45:33 ubuntuserver systemd[1]: Started krb5-kdc.service - Kerberos 5 >
Mar 10 09:47:07 ubuntuserver krb5kdc[824]: AS_REQ (8 etypes {aes256-cts-hmac-sh>
Mar 10 09:47:19 ubuntuserver krb5kdc[824]: AS_REQ (8 etypes {aes256-cts-hmac-sh>
系统日志
2024-03-10T10:14:24.376053+00:00 ubuntuserver systemd[1]: Started krb5-kdc.service - Kerberos 5 Key Distribution Center.
2024-03-10T10:14:59.038335+00:00 ubuntuserver krb5kdc[5630]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.1.16: NEEDED_PREAUTH: root/admin@ubunturealm for kadmin/admin@ubunturealm, true
2024-03-10T10:15:00.889791+00:00 ubuntuserver krb5kdc[5630]: preauth (encrypted_timestamp) verify failure: true
2024-03-10T10:15:00.889855+00:00 ubuntuserver krb5kdc[5630]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.1.16: PREAUTH_FAILED: root/admin@ubunturealm for kadmin/admin@ubunturealm, true
