kinit, kadmin, and klist output errors


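After entering the password I cannot use kadmin commands. list_principals and klist return the output "true", with no information about tickets.

Where is the information about tickets, and the option to enter commands in the kadmin interface?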

:~$ kadmin
Authenticating as principal norbert/admin@ubunturealm with password.
kadmin: true while initializing kadmin interface
:~$ klist
klist: true
:~$ kinit
kinit: true while getting initial credentials
:~$ 

krb5 config file

:/etc$ cat krb5.conf
[libdefaults]
default_realm = ubunturealm
dns_lookup_realm = true
dns_lookup_kdc = true
dns_canonicalize_hostname = true
dns_uri_lookup = true 
rdns = true 
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
clockskew = 300s
default_ccache_name = DEFCCNAME
default_client_keytab_name = DEFCKTNAME
default_keytab_name = DEFKTNAME
#default_tgs_enctypes = 
#default_tks_enctypes = 
enforce_ok_as_delagate = true
err_fmt = true
extra_addresses = true
# CHECK MULTIHOMED HOSTNAMES and VIRTUAL HOSTING ENV before setting this
#ignore_acceptor_hostname = true
k5login_authoritative = true
k5login_directory = true
#on mac os only kcm_mach_service 
#on mac os only kcm_socket
#kdc_default_options = 0x00000010
kdc_timesync = 1
#noaddresses = true
#permitted_enctypes =
plugin_base_dir = krb5/plugins
#preferred_preauth_types = 17, 16, 14, 14
#qualify_shortname
#realm_try_domains = 
#renew_lifetime = 0
spake_preauth_groups = edwards25519
ticket_lifetime = 1d
# work out how much is needed for udp_preference_limit = 
# need to sort this out with the keytab on the client and on the server
# related to the keytab: verify_ap_req_nofail = false
allow_des3 = false
allow_rc4 = false 
allow_weak_crypto = false
canonicalize = true
client_aware_channel_bindings = true


 # The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

 [realms]
ubunturealm = {
    kdc = serverkerberos
    admin_server = adminserverkerberos
    default_domain = ubuntuserver
#   auth_to_local =  RULE:[2:$2](^.*;root)s/^.*$/root/}
}

#ATHENA.MIT.EDU = {
#   kdc = kerberos.mit.edu
#   kdc = kerberos-1.mit.edu
#   kdc = kerberos-2.mit.edu:88
#   admin_server = kerberos.mit.edu
#   default_domain = mit.edu
#}
#ZONE.MIT.EDU = {
#   kdc = casio.mit.edu
#   kdc = seiko.mit.edu
#   admin_server = casio.mit.edu
#}
#SAIL.MIT.EDU = {
#   admin_server = kerberos.csail.mit.edu
#   default_domain = csail.mit.edu
#}
#IHTFP.ORG = {
#   kdc = kerberos.ihtfp.org
#   admin_server = kerberos.ihtfp.org
#}
#TS.ORG = {
#   kdc = kerberos.1ts.org
#   admin_server = kerberos.1ts.org
#}
#ANDREW.CMU.EDU = {
#   admin_server = kerberos.andrew.cmu.edu
#   default_domain = andrew.cmu.edu
#}
    #CS.CMU.EDU = {
    #        kdc = kerberos-1.srv.cs.cmu.edu
    #        kdc = kerberos-2.srv.cs.cmu.edu
    #        kdc = kerberos-3.srv.cs.cmu.edu
    #        admin_server = kerberos.cs.cmu.edu
    #}
#DEMENTIA.ORG = {
#   kdc = kerberos.dementix.org
#   kdc = kerberos2.dementix.org
#   admin_server = kerberos.dementix.org
#}
#stanford.edu = {
#   kdc = krb5auth1.stanford.edu
#   kdc = krb5auth2.stanford.edu
#   kdc = krb5auth3.stanford.edu
#   master_kdc = krb5auth1.stanford.edu
#   admin_server = krb5-admin.stanford.edu
#   default_domain = stanford.edu
#}
    #UTORONTO.CA = {
    #        kdc = kerberos1.utoronto.ca
    #        kdc = kerberos2.utoronto.ca
    #        kdc = kerberos3.utoronto.ca
    #        admin_server = kerberos1.utoronto.ca
    #        default_domain = utoronto.ca
#}

[domain_realm]
#.mit.edu = ATHENA.MIT.EDU
#mit.edu = ATHENA.MIT.EDU
#.media.mit.edu = MEDIA-LAB.MIT.EDU
#media.mit.edu = MEDIA-LAB.MIT.EDU
#.csail.mit.edu = CSAIL.MIT.EDU
#csail.mit.edu = CSAIL.MIT.EDU
#.whoi.edu = ATHENA.MIT.EDU
#whoi.edu = ATHENA.MIT.EDU
#.stanford.edu = stanford.edu
#.slac.stanford.edu = SLAC.STANFORD.EDU
#.toronto.edu = UTORONTO.CA
#.utoronto.ca = UTORONTO.CA

systemctl

● krb5-kdc.service - Kerberos 5 Key Distribution Center
 Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; preset: ena>
 Active: active (running) since Sun 2024-03-10 09:45:33 UTC; 6min ago
  Main PID: 824 (krb5kdc)
  Tasks: 1 (limit: 5673)
 Memory: 1.3M
    CPU: 35ms
 CGroup: /system.slice/krb5-kdc.service
         └─824 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid

 Mar 10 09:45:33 ubuntuserver krb5kdc[754]: Setting pktinfo on socket ::.88
 Mar 10 09:45:33 ubuntuserver krb5kdc[754]: Setting up TCP socket for address 0.>
 Mar 10 09:45:33 ubuntuserver krb5kdc[754]: Setting up TCP socket for address ::>
 Mar 10 09:45:33 ubuntuserver krb5kdc[754]: setsockopt(14,IPV6_V6ONLY,1) worked
 Mar 10 09:45:33 ubuntuserver krb5kdc[754]: set up 6 sockets
 Mar 10 09:45:33 ubuntuserver systemd[1]: krb5-kdc.service: Can't open PID file >
Mar 10 09:45:33 ubuntuserver krb5kdc[824]: commencing operation
Mar 10 09:45:33 ubuntuserver systemd[1]: Started krb5-kdc.service - Kerberos 5 >
Mar 10 09:47:07 ubuntuserver krb5kdc[824]: AS_REQ (8 etypes {aes256-cts-hmac-sh>
Mar 10 09:47:19 ubuntuserver krb5kdc[824]: AS_REQ (8 etypes {aes256-cts-hmac-sh>

syslog

  2024-03-10T10:14:24.376053+00:00 ubuntuserver systemd[1]: Started krb5-kdc.service - Kerberos 5 Key Distribution Center.
  2024-03-10T10:14:59.038335+00:00 ubuntuserver krb5kdc[5630]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.1.16: NEEDED_PREAUTH: root/admin@ubunturealm for kadmin/admin@ubunturealm, true
  2024-03-10T10:15:00.889791+00:00 ubuntuserver krb5kdc[5630]: preauth (encrypted_timestamp) verify failure: true
  2024-03-10T10:15:00.889855+00:00 ubuntuserver krb5kdc[5630]:  AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.1.16: PREAUTH_FAILED: root/admin@ubunturealm for kadmin/admin@ubunturealm, true

auth log
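
An added example, not part of the original post and not MIT krb5 code: a small check of the [libdefaults] section of a krb5.conf like the one above. In MIT krb5, err_fmt is a template in which %M and %C are replaced by the error message and error code, so a value containing neither replaces every message with the literal value. The relation list, the DEF*NAME placeholder pattern and the sample text are assumptions made for this example.

```python
import re

# Constructed sample in the style of the krb5.conf above.
SAMPLE = """\
[libdefaults]
forwardable = true
err_fmt = true
default_ccache_name = DEFCCNAME
k5login_directory = true
#extra_addresses = true
[realms]
ubunturealm = {
    kdc = serverkerberos
}
"""

# Partial list (chosen for this example) of [libdefaults] relations read as strings.
STRING_RELATIONS = {"err_fmt", "default_ccache_name", "default_client_keytab_name",
                    "default_keytab_name", "k5login_directory", "extra_addresses"}
BOOL_WORDS = {"true", "false", "yes", "no", "on", "off"}
# Assumption: DEF*NAME values are unexpanded placeholders copied from documentation.
PLACEHOLDER = re.compile(r"^DEF[A-Z]+NAME$")

def lint_libdefaults(text):
    """Return (line_no, relation, message) findings for the [libdefaults] section."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "err_fmt" and "%M" not in value and "%C" not in value:
            findings.append((no, key, f"every error message will read {value!r}"))
        elif key in STRING_RELATIONS and value.lower() in BOOL_WORDS:
            findings.append((no, key, "string relation set to a boolean word"))
        elif PLACEHOLDER.match(value):
            findings.append((no, key, "unexpanded placeholder value"))
    return findings

if __name__ == "__main__":
    for finding in lint_libdefaults(SAMPLE):
        print(*finding)
```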
