Active-Directory
Cannot obtain credentials for the computer account - Client not found in Kerberos database
I have successfully joined an Ubuntu machine (Ubuntu 20.04 LTS) to Active Directory. I can therefore log in with AD accounts, obtain and renew ticket-granting tickets for users, and access network shares with Kerberos authentication.
However, I am having trouble obtaining initial credentials for the computer account:
    admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
    [sudo] password for admin:
    [232252] 1645435537.855061: Getting initial credentials for host/comp01.company.lan@COMPANY.LAN
    [232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
    [232252] 1645435537.855064: Sending unauthenticated request
    [232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
    [232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
    [232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
    [232252] 1645435537.855068: Response was from master KDC
    [232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
    kinit: Client 'host/comp01.company.lan@COMPANY.LAN' not found in Kerberos database while getting initial credentials
I have spent several hours on this without progress. Presumably I am missing some basic step. The requested principal is contained in the local keytab on the Ubuntu machine:
    root@comp01:~$ klist -kte
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
       4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes128-cts-hmac-sha1-96)
       4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
       4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (arcfour-hmac)
       4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes128-cts-hmac-sha1-96)
       4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
       4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (arcfour-hmac)
       4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes128-cts-hmac-sha1-96)
       4 02/17/2022 07:35:00 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
       4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (arcfour-hmac)
       4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes128-cts-hmac-sha1-96)
       4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
       4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (arcfour-hmac)
       4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes128-cts-hmac-sha1-96)
       4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
And the principals are also registered on the AD domain controller:
    > setspn -L comp01
    Registrierte Dienstprinzipalnamen (SPN) für CN=COMP01,CN=Computers,DC=company,DC=lan:
        RestrictedKrbHost/comp01.company.lan
        host/comp01.company.lan
        RestrictedKrbHost/COMP01
        host/COMP01
The Ubuntu machine was joined to the AD domain with
> realm join company.lan
and the Kerberos configuration file looks like this:
    [libdefaults]
        default_realm = COMPANY.LAN
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true

    [realms]
        COMPANY.LAN = {
            kdc = DC.company.lan
            admin_server = DC.company.lan
            default_domain = company.lan
        }

    [domain_realm]
        .company.lan = COMPANY.LAN
        company.lan = COMPANY.LAN
Forward and reverse DNS also look fine:
    > nslookup comp01
    Server:  DC.company.lan
    Address: 172.27.17.41

    Name:    comp01.company.lan
    Address: 172.27.17.131

    > nslookup 172.27.17.131
    Server:  DC.company.lan
    Address: 172.27.17.41

    Name:    comp01.company.lan
    Address: 172.27.17.131
I would really appreciate any hints pointing me in the right direction.
In Active Directory-style Kerberos there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as a client principal; its SPNs cannot.

The account name of a computer object is always the upper-cased hostname suffixed with $, e.g. for a computer named "COMP01" the account name is COMP01$. Meanwhile host/comp01 and host/comp01.company.lan exist only as service principals: the AD KDC will issue tickets to clients that request "host/comp01" as the target server, but it will not let them act as the client during initial authentication. They are in your keytab only for the "acceptor" side.
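The following is an added example, not code from the question or the answer above. It is a small POSIX shell helper that derives the computer-account client principal from the host's FQDN, classifies the entries of a klist -kte listing into client-capable names (no "/", i.e. the sAMAccountName form) and SPN-only names, and prints the kinit invocation that authenticates as the computer account. The keytab listing embedded in it is a constructed sample trimmed from the question's own output; the function names are this example's own. One fact worth knowing alongside the answer: MIT kinit -k/-t with no principal argument defaults to host/<local hostname>, which is why the trace in the question requests host/comp01.company.lan rather than COMP01$.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes MIT Kerberos client
# tools on an AD-joined Linux host; realm and keytab path are those from the
# question. Function names are this example's own.

# Constructed sample, trimmed from the question's 'klist -kte' output.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)'

# AD computer-account principal: short hostname, upper-cased, with a trailing
# '$', qualified with the realm.  comp01.company.lan -> COMP01$@COMPANY.LAN
computer_principal() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
}

# Unique principals from a 'klist -kte' listing read on stdin.
# Entry rows start with a numeric KVNO; the principal is the 4th column.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Names without '/' are sAMAccountName-style principals: the only ones the
# AD KDC accepts as the *client* of an AS-REQ.
client_principals() {
    keytab_principals | grep -v '/'
}

# Names with '/' are SPNs: AD issues tickets *to* them, never *for* them.
service_principals() {
    keytab_principals | grep '/'
}

# Exit 0 if the given principal has a key in the listing on stdin.
principal_in_keytab() {
    keytab_principals | grep -qxF "$1"
}

# The kinit command that authenticates as the computer account. The
# principal is single-quoted so an interactive shell does not expand '$@'.
kinit_command() {
    printf "kinit -kt /etc/krb5.keytab '%s'\n" "$(computer_principal "$1" "$2")"
}

# Demonstration on the constructed listing (safe to run anywhere, no KDC needed).
printf 'client-capable: %s\n' "$(printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | client_principals)"
printf 'service-only:\n%s\n' "$(printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | service_principals)"
kinit_command comp01.company.lan COMPANY.LAN

# On the real host (as root) the equivalent is:
#   sudo kinit -kt /etc/krb5.keytab "$(computer_principal "$(hostname -f)" COMPANY.LAN)"
#   sudo klist
```

After a successful kinit, klist should show COMP01$@COMPANY.LAN as the default principal and a krbtgt/COMPANY.LAN@COMPANY.LAN ticket; the host/ and RestrictedKrbHost/ keys stay in the keytab purely so that services on the machine can accept tickets issued to those SPNs.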