Active-Directory

Cannot obtain credentials for the computer account - Client not found in Kerberos database

  • March 15, 2022

I have successfully joined an Ubuntu machine (Ubuntu 20.04 LTS) to Active Directory. So I can log in with AD accounts, obtain and renew ticket-granting tickets for users, and access network shares via Kerberos authentication.

However, I am having trouble obtaining initial credentials for the computer account:

admin@comp01:~$ sudo KRB5_TRACE=/dev/stdout kinit -kt /etc/krb5.keytab
[sudo] password for admin:
[232252] 1645435537.855061: Getting initial credentials for host/comp01.company.lan@COMPANY.LAN
[232252] 1645435537.855062: Looked up etypes in keytab: rc4-hmac, aes128-cts, aes256-cts
[232252] 1645435537.855064: Sending unauthenticated request
[232252] 1645435537.855065: Sending request (187 bytes) to COMPANY.LAN
[232252] 1645435537.855066: Sending initial UDP request to dgram 172.27.17.6:88
[232252] 1645435537.855067: Received answer (84 bytes) from dgram 172.27.17.6:88
[232252] 1645435537.855068: Response was from master KDC
[232252] 1645435537.855069: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/comp01.company.lan@COMPANY.LAN' not found in Kerberos database while getting initial credentials

I have spent several hours on this without any progress. Probably I am missing some basic step. The requested principal is contained in the local keytab on the Ubuntu machine:

root@comp01:~$ klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
  4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes128-cts-hmac-sha1-96)
  4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
  4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (arcfour-hmac)
  4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes128-cts-hmac-sha1-96)
  4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
  4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (arcfour-hmac)
  4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes128-cts-hmac-sha1-96)
  4 02/17/2022 07:35:00 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
  4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (arcfour-hmac)
  4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes128-cts-hmac-sha1-96)
  4 02/17/2022 07:35:00 RestrictedKrbHost/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
  4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (arcfour-hmac)
  4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes128-cts-hmac-sha1-96)
  4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)

And the principals are also registered on the AD domain controller:

> setspn -L comp01
Registrierte Dienstprinzipalnamen (SPN) für CN=COMP01,CN=Computers,DC=company,DC=lan:
           RestrictedKrbHost/comp01.company.lan
           host/comp01.company.lan
           RestrictedKrbHost/COMP01
           host/COMP01

The Ubuntu machine was joined to the AD domain with

> realm join company.lan

and the Kerberos configuration file looks like this:

[libdefaults]
       default_realm = COMPANY.LAN
       ccache_type = 4
       forwardable = true
       proxiable = true
       fcc-mit-ticketflags = true
[realms]
       COMPANY.LAN = {
               kdc = DC.company.lan
               admin_server = DC.company.lan
               default_domain = company.lan
       }
[domain_realm]
       .company.lan = COMPANY.LAN
       company.lan = COMPANY.LAN

Forward and reverse DNS also look fine:

> nslookup comp01
Server:  DC.company.lan
Address:  172.27.17.41

Name:    comp01.company.lan
Address:  172.27.17.131

> nslookup 172.27.17.131
Server:  DC.company.lan
Address:  172.27.17.41

Name:    comp01.company.lan
Address:  172.27.17.131

I would really appreciate any hint that points me in the right direction.

For Active Directory-style Kerberos, there is a distinction between "user" (client) and "service" (target) principal names. Specifically, only the account's sAMAccountName can act as the client principal; its SPNs cannot.

The account name of a computer object is always the uppercase hostname suffixed with $, e.g. for a computer named "COMP01" the account name would be COMP01$

Meanwhile, host/comp01 and host/comp01.company.lan exist only as service principals: the AD KDC will issue tickets to clients that request "host/comp01" as the target server, but does not allow them to act as clients during initial authentication. They exist in your keytab only for the "acceptor" side.
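The distinction the answer draws, as an added example that is not part of the original question or answer: a small POSIX shell script that reads the text of `klist -kte`, separates the machine-account principal (the sAMAccountName COMP01$, the only name AD accepts as a kinit client) from the host/ and RestrictedKrbHost/ SPNs, and builds the kinit invocation that works. The keytab path and the sample listing are taken from the post (the listing is shortened and embedded as constructed input); that `kinit -kt` with no principal argument defaults to host/<fqdn>@REALM is what the trace in the question shows.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code): pick the
# principal that AD will accept as a *client* out of a keytab listing.

# Constructed sample of `klist -kte` output, shortened from the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (arcfour-hmac)
   4 02/17/2022 07:34:59 COMP01$@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/COMP01@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:34:59 host/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)
   4 02/17/2022 07:35:00 RestrictedKrbHost/comp01.company.lan@COMPANY.LAN (aes256-cts-hmac-sha1-96)'

# Unique principals in the listing: column 4 of every line after the three
# header lines (one line per encryption type, so de-duplicate).
list_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 4 { print $4 }' | sort -u
}

# A name with a service class before "/" (host/, RestrictedKrbHost/, ...)
# is an SPN; AD lets only the sAMAccountName ("NAME$@REALM") be the client.
is_client_principal() {
    case $1 in
        */*)    return 1 ;;
        *'$@'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The one principal in the keytab that kinit may use as a client.
client_principal() {
    list_principals "$1" | while IFS= read -r p; do
        if is_client_principal "$p"; then
            printf '%s\n' "$p"
            break
        fi
    done
}

# Everything else: acceptor-side keys only, never a kinit client.
service_principals() {
    list_principals "$1" | while IFS= read -r p; do
        is_client_principal "$p" || printf '%s\n' "$p"
    done
}

# What kinit picks when given no principal: host/<fqdn>@REALM, which is
# exactly the SPN the KDC rejects with "Client not found in Kerberos database".
default_kinit_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# The working command. Single quotes keep the shell from expanding "$@".
kinit_command() {
    printf "kinit -kt /etc/krb5.keytab '%s'\n" "$(client_principal "$1")"
}

# Stand-alone demo against the constructed listing.
echo "kinit would default to: $(default_kinit_principal comp01.company.lan COMPANY.LAN)"
echo "use instead:            $(kinit_command "$SAMPLE_KLIST")"
```

On the real machine the fix is the printed command, `kinit -kt /etc/krb5.keytab 'COMP01$@COMPANY.LAN'`; the single quotes matter, since an unquoted `$@` is expanded by the shell before kinit ever sees the principal.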

Source: https://serverfault.com/questions/1094334