Active-Directory
Microsoft Active Directory Kerberos returns unknown principal
I am trying to authenticate a host for a krb5p NFS mount, where Microsoft Active Directory acts as the Kerberos server.
sudo kinit -k -t /etc/krb5.keytab host/ROBODAROBODA@EXAMPLE.COM
kinit: Client 'host/ROBODAROBODA@EXAMPLE.COM' not found in Kerberos database while getting initial credentials

But in Active Directory the following command works:

PS C:\Program Files\vmware\VMware OVF Tool> setspn -l ROBODAROBODA
Registered ServicePrincipalNames for CN=ROBODAROBODA,CN=Computers,DC=example,DC=com:
        host/ROBODAROBODA@EXAMPLE.COM
        HOST/robodaroboda.example.com
        HOST/ROBODAROBODA

In the packet trace the unknown principal error is observed. Request:
Kerberos
    Record Mark: 202 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 1100 1010 = Record Length: 202
    AS-REQ
        Pvno: 5
        MSG Type: AS-REQ (10)
        padata: Unknown:149
            Type: Unknown (149)
            Value: <MISSING>
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000010 (Renewable OK)
                .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt using the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Client Name (Principal): host/ROBODAROBODA
                Name-type: Principal (1)
                Name: host
                Name: ROBODAROBODA
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            till: 2020-04-05 18:37:06 (UTC)
            Nonce: 407713677
            Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5-nt 19 des3-cbc-sha1 rc4-hmac 25 26
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: aes128-cts-hmac-sha1-96 (17)
                Encryption type: des-cbc-md5-nt (20)
                Encryption type: Unknown (19)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: Unknown (25)
                Encryption type: Unknown (26)
Reply:

Kerberos
    Record Mark: 112 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 0111 0000 = Record Length: 112
    KRB-ERROR
        Pvno: 5
        MSG Type: KRB-ERROR (30)
        stime: 2020-04-04 18:37:06 (UTC)
        susec: 931508
        error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
        Realm: EXAMPLE.COM
        Server Name (Service and Instance): krbtgt/EXAMPLE.COM
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: EXAMPLE.COM

Can anyone help me understand why I am seeing the unknown principal error?
Issue resolved after adding host/ROBODAROBODA@EXAMPLE.COM to the UserPrincipalName attribute of the machine account. kinit is working.
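The attribute change the answer describes, written out as an added example (not code from the original question or answer) using the ActiveDirectory PowerShell module. It reads the machine account, shows the SPNs that setspn listed and the current UPN, sets userPrincipalName to the client principal that the AS-REQ in the trace carried, and re-reads the object to confirm the write. The account name and realm come from the page; the domain controller name dc01.example.com is an assumption.

```powershell
# Added example: give the machine account a userPrincipalName matching the
# Kerberos client principal used in the AS-REQ (host/ROBODAROBODA@EXAMPLE.COM),
# which is the change the answer reports as the fix. Account and realm are from
# the question; $Dc is an assumed, writable domain controller.
Import-Module ActiveDirectory

$Computer = 'ROBODAROBODA'
$Realm    = 'EXAMPLE.COM'
$Upn      = "host/$Computer@$Realm"
$Dc       = 'dc01.example.com'   # assumption: any writable DC in the domain works

$acct = Get-ADComputer -Identity $Computer -Server $Dc `
            -Properties userPrincipalName, servicePrincipalName

"Object: $($acct.DistinguishedName)"
"Registered SPNs (what setspn -l shows):"
$acct.servicePrincipalName | ForEach-Object { "  $_" }
"Current userPrincipalName: '$($acct.userPrincipalName)'"

# Kerberos principal names are case-sensitive, so compare with -ceq rather than -eq.
if ($acct.userPrincipalName -ceq $Upn) {
    "userPrincipalName already set to $Upn; nothing to do."
} else {
    # Set-ADComputer exposes the attribute directly; -Replace @{userPrincipalName=$Upn}
    # would write the same value.
    Set-ADComputer -Identity $Computer -Server $Dc -UserPrincipalName $Upn
    "Set userPrincipalName to $Upn on $Dc"
}

# Re-read from the same DC to confirm the write landed before testing from the client.
$check = Get-ADComputer -Identity $Computer -Server $Dc -Properties userPrincipalName
if ($check.userPrincipalName -ceq $Upn) {
    "Verified: userPrincipalName = $($check.userPrincipalName)"
} else {
    throw "userPrincipalName is '$($check.userPrincipalName)', expected '$Upn'"
}

# Client-side check, the same command as in the question, once the change has
# replicated to whichever DC the NFS client's krb5 library uses as KDC:
#   sudo kinit -k -t /etc/krb5.keytab host/ROBODAROBODA@EXAMPLE.COM && klist
```

The verification re-reads from the DC that was written to; if the Linux client still gets KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN immediately afterwards, check which DC its krb5 configuration or DNS SRV lookup selects as KDC and whether replication has reached it before changing anything else. Note that in the trace the request's client name was host/ROBODAROBODA with Canonicalize not set, and the matching SPNs on the object did not satisfy that AS-REQ; it was the UPN that did.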