So far I have been using kadmin.local for most of my Kerberos administration, but I am trying to move to using remote kadmin, since that would be better practice and all.
What I see is this:
esr@cpt2:~$ kadmin -p 'esr/admin'
Authenticating as principal esr/admin with password.
Password for esr/[email protected]:
esr@cpt2:~$
That is, the login happens perfectly, but the connection closes immediately.
On the server side:
Jan 08 12:51:02 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) XXXX: NEEDED_PREAUTH: esr/[email protected] for kadmin/[email protected], Additional pre-authentication required
Jan 08 12:51:05 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) XXXX: ISSUE: authtime 1389207065, etypes {rep=18 tkt=18 ses=18}, esr/[email protected] for kadmin/[email protected]
==> /var/log/krb5kdc/kadmin.log <==
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client XXXX41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333
The error "wants 2147484348 bytes, cap is 1048572" jumps out at me immediately, but it is incredibly hard to track down. I found http://krbdev.mit.edu/rt/Ticket/Display.html?id=3923 but that seems to have been resolved long ago.
Additionally, I am using
Package: krb5-admin-server
Version: 1.10+dfsg~beta1-2ubuntu0.3
Package: krb5-kdc
Version: 1.10+dfsg~beta1-2ubuntu0.3
Client connection trace:
esr$ KRB5_TRACE=/dev/stdout kadmin
Authenticating as principal esr/[email protected] with password.
[2913] 1389633823.366797: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633823.366900: Getting initial credentials for esr/[email protected]
[2913] 1389633823.367196: Setting initial creds service to kadmin/[email protected]
[2913] 1389633823.367314: Sending request (199 bytes) to DOMAIN.EDU
[2913] 1389633823.367417: Resolving hostname ldap-master.domain.edu
[2913] 1389633823.367562: Sending initial UDP request to dgram XXXX:88
[2913] 1389633823.371591: Received answer from dgram XXXX:88
[2913] 1389633823.410550: Response was not from master KDC
[2913] 1389633823.410581: Received error from KDC: -1765328359/Additional pre-authentication required
[2913] 1389633823.410619: Processing preauth types: 136, 19, 2, 133
[2913] 1389633823.410636: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633823.410640: Received cookie: MIT
Password for esr/[email protected]:
[2913] 1389633826.379096: AS key obtained for encrypted timestamp: aes256-cts/4485
[2913] 1389633826.409058: Encrypted timestamp (for 1389633826.408987): plain <snip>
[2913] 1389633826.409100: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2913] 1389633826.409105: Produced preauth for next request: 133, 2
[2913] 1389633826.409123: Sending request (294 bytes) to DOMAIN.EDU
[2913] 1389633826.409142: Resolving hostname ldap-master.domain.edu
[2913] 1389633826.409203: Sending initial UDP request to dgram XXXX:88
[2913] 1389633826.506049: Received answer from dgram XXXX:88
[2913] 1389633826.550573: Response was not from master KDC
[2913] 1389633826.550610: Processing preauth types: 19
[2913] 1389633826.550618: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633826.550623: Produced preauth for next request: (empty)
[2913] 1389633826.550632: AS key determined by preauth: aes256-cts/4485
[2913] 1389633826.550688: Decrypted AS reply; session key is: aes256-cts/13A4
[2913] 1389633826.550706: FAST negotiation: available
[2913] 1389633826.550744: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633826.550753: Removing esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0
[2913] 1389633826.550760: Storing esr/[email protected] -> kadmin/[email protected] in MEMORY:kadm5_0
[2913] 1389633826.550770: Storing config in MEMORY:kadm5_0 for kadmin/[email protected]: fast_avail: yes
[2913] 1389633826.550780: Removing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin\/ldap-master.domain.edu\@DOMAIN.EDU@X-CACHECONF: from MEMORY:kadm5_0
[2913] 1389633826.550787: Storing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin\/ldap-master.domain.edu\@DOMAIN.EDU@X-CACHECONF: in MEMORY:kadm5_0
[2913] 1389633826.575550: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.575589: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.575641: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 982754712, subkey aes256-cts/33D5, session key aes256-cts/13A4
[2913] 1389633826.578730: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.578775: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.578816: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 799315236, subkey aes256-cts/E55C, session key aes256-cts/13A4
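A defender-side check, added here and not part of the original question or any answer: it parses the kadmind "wants N bytes, cap is M" line from the server log above and decodes the requested length as an ONC RPC record-marking word (RFC 5531: high bit marks the last fragment, low 31 bits carry the length). Treating the value that way is this example's assumption, not a root cause the thread establishes; the sample log lines are constructed from the question.

```python
import re

# Constructed sample input: the two kadmind lines from the question above,
# with the client-address placeholder kept exactly as the original post had it.
SAMPLE_LOG = (
    "Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client XXXX41541 "
    "wants 2147484348 bytes, cap is 1048572\n"
    "Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333\n"
)

CAP_ERROR_RE = re.compile(
    r"kadmind\[\d+\]\(Error\): TCP client (?P<client>\S+) "
    r"wants (?P<want>\d+) bytes, cap is (?P<cap>\d+)"
)

# ONC RPC record marking (RFC 5531): a 32-bit word precedes each fragment;
# the high bit flags the last fragment, the low 31 bits carry the length.
# Reading kadmind's reported value as such a word is this example's
# assumption; the thread itself does not state the root cause.
LAST_FRAGMENT_BIT = 0x80000000
LENGTH_MASK = 0x7FFFFFFF


def decode_record_marker(word):
    """Return (is_last_fragment, fragment_length) for a record-marking word."""
    return bool(word & LAST_FRAGMENT_BIT), word & LENGTH_MASK


def parse_kadmind_cap_errors(log_text):
    """Extract each 'wants N bytes, cap is M' event from kadmind log text."""
    events = []
    for line in log_text.splitlines():
        m = CAP_ERROR_RE.search(line)
        if not m:
            continue
        want, cap = int(m.group("want")), int(m.group("cap"))
        last, length = decode_record_marker(want)
        events.append({
            "client": m.group("client"),
            "wanted_bytes": want,
            "cap_bytes": cap,
            "over_cap": want > cap,
            "marker_last_fragment": last,
            "marker_length": length,
            # A huge raw value whose masked length fits under the cap suggests
            # the length field was read with the flag bit still set.
            "looks_like_unmasked_marker": want > cap and length <= cap,
        })
    return events
```

For the value in the question, 2147484348 decodes to the last-fragment bit plus a 700-byte fragment, which is why the check flags it rather than treating it as a genuine multi-gigabyte request.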
First, the login is not succeeding. You will be prompted to enter a password regardless of whether the connection works. Second, Kerberos error messages are at best hints and at worst completely misleading.
To me it looks like the kadmin client is requesting the wrong service principal. See
http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html
Most Kerberos kadmin sites I have used use kadmin/admin as the kadmind service principal. You need to check your kadmind setup to see which service principal is being used.
In my case, restarting the kadmin service did the trick.
Before that my kadmin did exactly the same thing. All the other key exchange services worked fine. But I could not use kadmin (error number $? = 141), while I never had any problem using kadmin.local.