NFS4 + Kerberos stopped working since kernel 5.10
Since I upgraded to Debian Bullseye, the nfs client stopped working:
# mount -vvt nfs4 -o sec=krb5 nfs11:/srv /mnt
mount.nfs4: timeout set for Wed Sep 15 20:25:49 2021
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=x.y.11.63,clientaddr=x.y.11.42'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs11:/srv
When I install the 5.9 kernel (linux-image-5.9.0-0.bpo.5-cloud-amd64) on the same system - it works.
I also tried:
- Debian testing kernel (kernel 5.14) - does not work
- Ubuntu 21.10 Impish (kernel 5.13) - does not work
- Ubuntu 20.04 Focal (kernel 5.4) - works
Since all systems have the same NFS/Kerberos setup, my conclusion is: something changed in the kernel that no longer allows mounting NFS/Kerberos shares.
- My KDC - Samba4 AD
- My Kerberos and NFS setup is very standard, as in any howto
- HOSTNAME$@REALM, nfs/fqdn@REALM, host/… principals are present in the keytabs on both the client and the server
I put
RPCGSSDOPTS="-vvv"
in /etc/default/nfs-common for debugging. In the logs below:
- nfs11 - my test nfs server (Debian 11, kernel 5.10)
- tst2 - my test nfs client (Debian 11)
This is the client's syslog when it tries to mount the nfs share:
nfs client booted with the 5.9 kernel (mount succeeds)
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[446]: gssd_get_single_krb5_cred: principal 'tst2$@MY.DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server nfs@nfs11.my.domain
rpc.gssd[446]: doing downcall: lifetime_rec=36000 acceptor=nfs@nfs11.my.domain
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server nfs@nfs11.my.domain
rpc.gssd[446]: doing downcall: lifetime_rec=36000 acceptor=nfs@nfs11.my.domain
nfsidmap[524]: key: 0x3b88d120 type: uid value: root@my.domain timeout 600
nfsidmap[524]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[524]: nss_getpwnam: name 'root@my.domain' domain 'my.domain': resulting localname 'root'
nfsidmap[524]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[524]: nfs4_name_to_uid: final return value is 0
nfsidmap[525]: key: 0x317cb571 type: gid value: root@my.domain timeout 600
nfsidmap[525]: nfs4_name_to_gid: calling nsswitch->name_to_gid
nfsidmap[525]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
nfsidmap[525]: nfs4_name_to_gid: final return value is 0
nfs client booted with the 5.10 kernel (does not mount)
rpc.gssd[450]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,3,1,2' (nfs/clnt3)
rpc.gssd[450]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[450]: gssd_get_single_krb5_cred: principal 'tst2$@MY.DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nfs11.my.domain
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: ERROR: Failed to create machine krb5 context with any credentials cache for server nfs11.my.domain
rpc.gssd[450]: doing error downcall
I googled a lot and found nothing relevant... For now, as a workaround, I am running the previous version of the backports kernel on all nfs client systems. But I consider that dangerous, and something tells me it may break at any moment.
Has anyone run into a problem like this? Maybe I should tweak something to match the kernel change? Maybe I should file a kernel bug?
Update. Added KDC logs.
KDC when mounting from the client with the 5.9 kernel - success
[2021/09/21 21:55:12.061264, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/21 21:55:44.743415, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:38701 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/21 21:55:44.747105, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: 150, 149
[2021/09/21 21:55:44.747154, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.747178, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.747209, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: No preauth found, returning PREAUTH-REQUIRED -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.751030, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:50506 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/21 21:55:44.753959, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/21 21:55:44.754060, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.754114, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.754187, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: ENC-TS Pre-authentication succeeded -- tst2$@MY.DOMAIN using arcfour-hmac-md5
[2021/09/21 21:55:44.754275, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[tst2$@MY.DOMAIN] at [Tue, 21 Sep 2021 21:55:44.754261 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:50506] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6619]. local host [NULL]
{"timestamp": "2021-09-21T21:55:44.754359+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "dd24014b273cc7a8", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:50506", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "tst2$@MY.DOMAIN", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6619", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3366}}
[2021/09/21 21:55:44.761108, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ authtime: 2021-09-21T21:55:44 starttime: unset endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.761282, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/21 21:55:44.761368, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/21 21:55:44.767382, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:39570 for nfs/nfs11.my.domain@MY.DOMAIN [canonicalize, renewable, forwardable]
[2021/09/21 21:55:44.773999, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ authtime: 2021-09-21T21:55:44 starttime: 2021-09-21T21:55:44 endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.774695, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
KDC when mounting from the client with the 5.10 kernel - mount fails
[2021/09/22 00:31:39.893723, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:46094 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/22 00:31:39.899112, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: 150, 149
[2021/09/22 00:31:39.899162, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.899186, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.899221, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: No preauth found, returning PREAUTH-REQUIRED -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.901942, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:39303 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/22 00:31:39.905030, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/22 00:31:39.905080, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.905105, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.905171, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: ENC-TS Pre-authentication succeeded -- tst2$@MY.DOMAIN using arcfour-hmac-md5
[2021/09/22 00:31:39.905270, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[tst2$@MY.DOMAIN] at [Wed, 22 Sep 2021 00:31:39.905248 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:39303] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6621]. local host [NULL]
{"timestamp": "2021-09-22T00:31:39.905331+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "8511280d720bd92c", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:39303", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "tst2$@MY.DOMAIN", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6621", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3429}}
[2021/09/22 00:31:39.912509, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: AS-REQ authtime: 2021-09-22T00:31:39 starttime: unset endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.912597, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/22 00:31:39.912663, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/22 00:31:39.918313, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:59850 for nfs/nfs11.my.domain@MY.DOMAIN [canonicalize, renewable, forwardable]
[2021/09/22 00:31:39.924869, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ authtime: 2021-09-22T00:31:39 starttime: 2021-09-22T00:31:39 endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.925340, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/22 00:31:39.928319, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:59852 for nfs/nfs11.my.domain@MY.DOMAIN [renewable, forwardable]
[2021/09/22 00:31:39.930936, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes
[2021/09/22 00:31:39.930998, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Failed building TGS-REP to ipv4:x.y.11.42:59852
[2021/09/22 00:31:39.931336, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection) stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
I see the
Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes
error. Google turns up an old issue about old enctypes, nothing useful. All packages are up to date.
Thanks to the comments, I have made some progress. I installed a fresh Samba DC and joined both the client (5.10 kernel) and the server to the new KDC - and it works! The new KDC lets NFS clients with any kernel mount the share. So the problem seems to be in my production Samba DC. I looked through the ldap databases and they look similar, except that the fresh dc has a few additions, like 3 new objects and some fields. Right now I have no idea what I should adjust in the production DC to make it behave like the new one. Reinstalling would be a last resort, since it takes a lot of time.
The production DC was created a long time ago and has been migrated several times using standard samba replication or backups. Production and fresh DC info:
- oEMInformation: Provisioned by SAMBA 4.1.6-Ubuntu
- oEMInformation: Provisioned by SAMBA 4.13.5-Debian
Both DCs currently run on the same Debian OS.
Update 2. Solved!
See the solution below.
In my case the solution was the following: I tried to make the LDAP DB on the production DC look like the LDAP DB on the fresh (working) DC. So I changed a few fields. Restarted everything. It worked!
What exactly I changed.
In the object
dn: DC=my,DC=domain
I added/changed the following fields using ldbedit -H /var/lib/samba/private/sam.ldb
: msDS-Behavior-Version: 4 msDS-NcType: 0 serverState: 1
The production DC had been renamed in the past, and I found leftovers (the old name) in the following objects:
dn: CN=<old-name>,CN=*,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain
I fixed this by renaming them with
ldbrename
, e.g.: ldbrename -H /var/lib/samba/private/sam.ldb 'CN=<old-name>,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain' 'CN=<actual-name>,CN=bootparams,CN=ypServ30,CN=RpcServices,CN=System,DC=my,DC=domain'
Maybe not all of these changes were necessary, but it works now. Thanks for your input!
Linux removed support for RC4-HMAC-MD5 from its Kerberos code in 5.10. Your client uses that encryption type, as can be seen in the server's log output:
[2021/09/21 21:55:44.761282, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
Samba should pick aes256-cts-hmac-sha1-96 if the AES types are available.
It is not in any of your logs, but my guess is that the failing TGS-REQ asks for des3-cbc-sha1, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96. This can be verified by starting rpc.gssd with the parameters
-vvvrr
. In that case the client's AD account does not have the required encryption types enabled. This happens when the client joined the domain while Samba did not yet support AES. You can enable the encryption types by resetting the client's AD account password or by re-joining the domain. You also need to make sure the encryption types are added to the client's keytab. This can be verified with klist -ke
run on the client. If you use specific service principals, make sure the encryption types are explicitly added to the client's account (run
net ads enctypes set <ACCOUNTNAME> 24
on the ADC). Otherwise only the ARCFOUR types will be exported.
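The two checks this answer recommends, and the "has no support for etypes" KDC error from the question, can be turned into a small script that runs on the client or on the DC. The following is an added example and not code from the post; it assumes the MIT `klist -ke` output layout (one `KVNO principal (enctype)` line per key) and Samba's KDC log wording as quoted above. The keytab listing is constructed for the demo; the principal names `tst2$@MY.DOMAIN` and `nfs/nfs11.my.domain@MY.DOMAIN` are taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post): find principals whose keytab
# carries only RC4 (arcfour) keys, which a 5.10+ kernel can no longer use for
# sec=krb5 NFS, and pull the affected service principal out of a Samba KDC log.

# Constructed sample of `klist -ke` output in MIT layout. On a real client run:
#   klist -ke | keytab_rc4_only 'tst2$@MY.DOMAIN'
# The machine principal below has only an arcfour key (the failing case from
# the question); the nfs/ service principal has AES keys as well.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 tst2$@MY.DOMAIN (arcfour-hmac)
   3 host/tst2.my.domain@MY.DOMAIN (arcfour-hmac)
   3 nfs/tst2.my.domain@MY.DOMAIN (arcfour-hmac)
   3 nfs/tst2.my.domain@MY.DOMAIN (aes256-cts-hmac-sha1-96)
   3 nfs/tst2.my.domain@MY.DOMAIN (aes128-cts-hmac-sha1-96)'

# Sample KDC log line, copied from the failing TGS-REQ in the question.
SAMPLE_KDC_LOG='[2021/09/22 00:31:39.930936, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper) Kerberos: Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes'

# Print the enctypes recorded for one principal, one per line.
# $1 = principal exactly as klist prints it; stdin = `klist -ke` output.
keytab_enctypes() {
    awk -v p="$1" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# Exit 0 if the principal has at least one AES key in the keytab.
keytab_has_aes() {
    keytab_enctypes "$1" | grep -q 'aes'
}

# Exit 0 if the principal exists in the keytab but every key is arcfour:
# this is the configuration that stops working on kernel 5.10 and later.
keytab_rc4_only() {
    types=$(keytab_enctypes "$1")
    [ -n "$types" ] && ! printf '%s\n' "$types" | grep -qv 'arcfour'
}

# From Samba KDC log lines on stdin, print each service principal for which
# the KDC found no enctype it shares with the requesting client.
kdc_etype_failures() {
    sed -n 's/.*Server (\([^)]*\)) has no support for etypes.*/\1/p'
}

# Demo on the constructed samples.
for p in 'tst2$@MY.DOMAIN' 'nfs/tst2.my.domain@MY.DOMAIN'; do
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_rc4_only "$p"; then
        echo "$p: only RC4 keys in keytab; a kernel >= 5.10 client will be refused"
    elif printf '%s\n' "$SAMPLE_KLIST" | keytab_has_aes "$p"; then
        echo "$p: AES keys present"
    else
        echo "$p: not found in keytab"
    fi
done
printf '%s\n' "$SAMPLE_KDC_LOG" | kdc_etype_failures | while read -r svc; do
    echo "KDC could not issue a ticket for $svc: no enctype in common with the client"
done
```

Feed the real listing with `klist -ke | keytab_rc4_only 'HOST$@REALM'` on each client after the re-join or password reset described above; a zero exit means the machine account still only has RC4 keys and the fix has not reached the keytab. Newer MIT builds print `DEPRECATED:arcfour-hmac` for RC4 keys, which the substring matches still catch.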