When I run Kerberos and all the connections have been fixed, I run into a problem doing kinit on the Ubuntu client: I still cannot get a ticket on the client machine. I hope someone can guide me on how to solve this.
root@ubuntunorbert:/etc# uname -a
Linux ubuntunorbert 6.5.0-28-generic #29-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 28 23:46:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
clientnorbert@clientnorbert:~$ kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: clientnorbert@ubunturealm
kinit: Cannot contact any KDC for realm 'ubunturealm' while getting initial credentials
root@ubuntunorbert:/var/log# host ubuntunorbert
ubuntunorbert has address 10.0.2.5
ubuntunorbert has address 10.8.0.1
ubuntunorbert has address 172.17.0.1
ubuntunorbert has IPv6 address fe80::a00:27ff:feb5:df44
ubuntunorbert has IPv6 address fe80::2534:f540:cde8:801
clientnorbert@clientnorbert:~$ host clientnorbert.com
clientnorbert.com has address 10.0.2.6
clientnorbert.com has IPv6 address fe80::a00:27ff:fe23:f7a1
root@ubuntunorbert:/var/log# cat krb5kdc.log
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](Error): preauth spake failed to initialize: No SPAKE preauth groups configured
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](Error): preauth spake failed to initialize: No SPAKE preauth groups configured
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setting up network...
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setting up network...
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setsockopt(11,IPV6_V6ONLY,1) worked
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setsockopt(11,IPV6_V6ONLY,1) worked
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setsockopt(13,IPV6_V6ONLY,1) worked
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setsockopt(13,IPV6_V6ONLY,1) worked
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setsockopt(15,IPV6_V6ONLY,1) worked
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): setsockopt(15,IPV6_V6ONLY,1) worked
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): set up 6 sockets
Apr 27 08:24:12 ubuntunorbert krb5kdc[18947](info): set up 6 sockets
Apr 27 08:24:12 ubuntunorbert krb5kdc[18948](info): commencing operation
Apr 27 08:24:12 ubuntunorbert krb5kdc[18948](info): commencing operation
root@ubuntunorbert:/var/log# cat kadmin.log
Mar 05 13:17:25 ubuntuserver kadmin.local[5164](info): No dictionary file specified, continuing without one.
Mar 05 13:18:48 ubuntuserver kadmin.local[5172](info): No dictionary file specified, continuing without one.
Mar 08 09:33:37 ubuntuserver kadmin.local[4368](info): No dictionary file specified, continuing without one.
Mar 08 09:33:53 ubuntuserver kadmin.local[4370](info): No dictionary file specified, continuing without one.
Mar 10 09:42:10 ubuntuserver kadmin.local[7272](info): No dictionary file specified, continuing without one.
Mar 11 10:17:16 ubuntuserver kadmin.local[5871](info): No dictionary file specified, continuing without one.
Mar 11 10:17:16 ubuntuserver kadmin.local[5871](info): No dictionary file specified, continuing without one.
Mar 15 08:11:19 ubuntuserver.com kadmin.local[10020](info): No dictionary file specified, continuing without one.
Mar 15 08:11:19 ubuntuserver.com kadmin.local[10020](info): No dictionary file specified, continuing without one.
Mar 15 08:18:08 ubuntuserver.com kadmin.local[11015](info): No dictionary file specified, continuing without one.
Mar 15 08:18:08 ubuntuserver.com kadmin.local[11015](info): No dictionary file specified, continuing without one.
Mar 15 08:33:30 ubuntuserver.com kadmin.local[11393](info): No dictionary file specified, continuing without one.
Mar 15 08:33:30 ubuntuserver.com kadmin.local[11393](info): No dictionary file specified, continuing without one.
Mar 15 08:37:23 ubuntuserver.com kadmin.local[11431](info): No dictionary file specified, continuing without one.
Mar 15 08:37:23 ubuntuserver.com kadmin.local[11431](info): No dictionary file specified, continuing without one.
Apr 27 08:27:57 ubuntunorbert kadmin.local[19781](info): No dictionary file specified, continuing without one.
Apr 27 08:27:57 ubuntunorbert kadmin.local[19781](info): No dictionary file specified, continuing without one.
Apr 27 08:34:32 ubuntunorbert kadmin.local[4105](info): No dictionary file specified, continuing without one.
Apr 27 08:34:32 ubuntunorbert kadmin.local[4105](info): No dictionary file specified, continuing without one.
Apr 27 08:47:53 ubuntunorbert kadmin.local[4944](info): No dictionary file specified, continuing without one.
Apr 27 08:47:53 ubuntunorbert kadmin.local[4944](info): No dictionary file specified, continuing without one.
Apr 28 07:35:27 ubuntunorbert kadmin.local[13475](info): No dictionary file specified, continuing without one.
Apr 28 07:35:27 ubuntunorbert kadmin.local[13475](info): No dictionary file specified, continuing without one.
krb5.conf on the client machine:
[libdefaults]
default_realm = ubunturealm
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ubunturealm = {
kdc = 10.0.2.5
admin_server = 10.0.2.5
default_doomian = 10.0.2.5
}
clientnorbert@clientnorbert:/etc/krb5.conf.d$ ping ubunturealm
PING ubunturealm (10.0.2.5) 56(84) bytes of data.
64 bytes from ubunturealm (10.0.2.5): icmp_seq=1 ttl=64 time=0.943 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=2 ttl=64 time=1.53 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=3 ttl=64 time=4.44 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=4 ttl=64 time=1.00 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=5 ttl=64 time=1.77 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=6 ttl=64 time=2.58 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=7 ttl=64 time=1.54 ms
64 bytes from ubunturealm (10.0.2.5): icmp_seq=8 ttl=64 time=1.66 ms
^X^C
--- ubunturealm ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7008ms
rtt min/avg/max/mdev = 0.943/1.931/4.435/1.057 ms
krb5.conf on the server machine. Most of it is commented out; it should be related to the kinit problem on the client machine:
[libdefaults]
default_realm = ubunturealm
#dns_lookup_realm = true
#dns_lookup_kdc = true
#dns_canonicalize_hostname = true
#dns_uri_lookup = true
#rdns = true
# The following krb5.conf variables are only for MIT Kerberos.
#kdc_timesync = 1
#ccache_type = 4
#forwardable = true
#proxiable = true
#clockskew = 300s
#default_ccache_name = DEFCCNAME
#default_client_keytab_name = DEFCKTNAME
#default_keytab_name = DEFKTNAME
#default_tgs_enctypes =
#default_tks_enctypes =
#enforce_ok_as_delagate = true
#err_fmt = true
#extra_addresses = true
# SPRAWDZ MULTIHOMED HOSTNAMES i VIRTUAL HOSTING ENV zanim to ustawisz
#ignore_acceptor_hostname = true
#k5login_authoritative = true
#k5login_directory = true
#on mac os only kcm_mach_service
#on mac os only kcm_socket
#kdc_default_options = 0x00000010
#kdc_timesync = 1
#noaddresses = true
#permitted_enctypes =
#plugin_base_dir = krb5/plugins
#preferred_preauth_types = 17, 16, 14, 14
#qualify_shortname
#realm_try_domains =
#renew_lifetime = 0
#spake_preauth_groups = edwards25519
#ticket_lifetime = 1d
#ustalic ile potrzeba na udp_preference_limit =
# trzeba ogarnac to z keytabem na kliencie i na serwerze
# zwiazek z keytabem verify_ap_req_nofail = false
#allow_des3 = false
#allow_rc4 = false
#allow_weak_crypto = false
#canonicalize = true
#client_aware_channel_bindings = true
# The following libdefaults parameters are only for Heimdal Kerberos.
#fcc-mit-ticketflags = true
[realms]
ubunturealm = {
kdc = serverkerberos
admin_server = adminserverkerberos
default_domain = ubuntunorbert
# auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/}
}
root@ubuntunorbert:/etc# nmap localhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 08:29 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
143/tcp open imap
464/tcp open kpasswd5
631/tcp open ipp
749/tcp open kerberos-adm
3306/tcp open mysql
5222/tcp open xmpp-client
5269/tcp open xmpp-server
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
9091/tcp open xmltec-xmlmail
root@ubuntunorbert:/etc/krb5kdc# cat kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
ubunturealm = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
#master_key_type = aes256-cts
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
I want to use this question to solve the lack of authentication with kinit on the Ubuntu client.
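Added example, not part of the original question or of MIT Kerberos itself: a small diagnostic script that can be run on the client to check the two things "Cannot contact any KDC for realm" usually comes down to. It parses the client's krb5.conf, lists the kdc entries for the default realm, flags realm-section keys that libkrb5 does not recognise (libkrb5 ignores unknown keys silently, so the `default_doomian` line in the client config above would never produce an error), and tests whether each KDC accepts a TCP connection on its port. The `CLIENT_CONF` constant is a constructed copy of the client config from the post, `KNOWN_REALM_KEYS` is a subset of the documented [realms] keys, and `demo_local_check` only exists so the reachability test can be exercised offline against a loopback listener.

```python
import re
import socket
from typing import Dict, List, Tuple

# Subset of the [realms] subsection keys documented for MIT krb5. A key outside
# this set is almost always a typo and is silently ignored by libkrb5.
KNOWN_REALM_KEYS = {
    "kdc", "admin_server", "master_kdc", "kpasswd_server", "default_domain",
    "auth_to_local", "auth_to_local_names", "database_module",
    "disable_encrypted_timestamp", "http_anchors",
}

# Constructed sample: the client-side krb5.conf quoted in the question above.
CLIENT_CONF = """\
[libdefaults]
default_realm = ubunturealm
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
[realms]
ubunturealm = {
kdc = 10.0.2.5
admin_server = 10.0.2.5
default_doomian = 10.0.2.5
}
"""

Conf = Dict[str, Dict[str, object]]


def parse_krb5_conf(text: str) -> Conf:
    """Minimal krb5.conf parser: [section], key = value, and NAME = { ... } blocks
    (as used in [realms]). Lines starting with '#' or ';' are comments. Values
    inside a block are kept as lists because keys such as kdc may repeat."""
    conf: Conf = {}
    section = None
    block = None  # name of the current "NAME = {" block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if block is None:
            conf[section][key] = value
        else:
            conf[section][block].setdefault(key, []).append(value)
    return conf


def unknown_realm_keys(conf: Conf, realm: str) -> List[str]:
    """Keys in the realm block that are not documented MIT krb5 keys (typo candidates)."""
    block = conf.get("realms", {}).get(realm, {})
    return sorted(k for k in block if k not in KNOWN_REALM_KEYS)


def kdc_targets(conf: Conf, realm: str) -> List[Tuple[str, int]]:
    """(host, port) for every kdc entry. Accepts host, host:port and [ipv6]:port;
    the port defaults to 88."""
    targets = []
    for entry in conf.get("realms", {}).get(realm, {}).get("kdc", []):
        host, port = entry, 88
        if entry.startswith("["):
            host, _, rest = entry[1:].partition("]")
            if rest.startswith(":"):
                port = int(rest[1:])
        elif entry.count(":") == 1:
            host, _, p = entry.partition(":")
            port = int(p)
        targets.append((host, port))
    return targets


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes. This exercises only the TCP
    path of kinit; the UDP path (kdc_ports in kdc.conf) is not tested here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(conf_text: str) -> dict:
    """Parse a krb5.conf and report realm, suspicious keys and KDC reachability."""
    conf = parse_krb5_conf(conf_text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    result = {"realm": realm, "unknown_keys": [], "kdc": []}
    if realm is None:
        return result
    result["unknown_keys"] = unknown_realm_keys(conf, realm)
    for host, port in kdc_targets(conf, realm):
        result["kdc"].append({"host": host, "port": port, "tcp_reachable": check_tcp(host, port)})
    return result


def demo_local_check() -> Tuple[bool, bool]:
    """Offline self-check: a listening loopback port must test reachable, and the
    same port must test unreachable once the listener is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = check_tcp("127.0.0.1", port)
    srv.close()
    return open_result, check_tcp("127.0.0.1", port)


if __name__ == "__main__":
    import json
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        print(json.dumps(diagnose(fh.read()), indent=2))
```

Run it on the client (`python3 kdccheck.py /etc/krb5.conf`), not on the server: the nmap output in the question was taken against localhost on the KDC host, which only proves krb5kdc is listening, not that a client on 10.0.2.6 can reach 10.0.2.5:88 across the three interfaces that host has. A `tcp_reachable: false` from the client points at routing or a host firewall; a `true` with kinit still failing points at the UDP path (kinit tries UDP first and falls back to TCP) or at the principal and realm name rather than at connectivity.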