Kerberos keytab file not working

I have two AD domains and I am trying to use NFS with Kerberos against both of them. Part of the process requires creating keytab files for the host and nfs principals of the client and the server respectively. I used the same batch file on both DCs to create the computer and user entries in AD as well as the keytab files. The keytab files from one of the ADs work fine, but all of the keytab files from the other AD fail:

    rob@hostname: [NFS_Kerberos_Keytabs]$ kinit -V host/[email protected] -k -t hostname_host_REALM.DOM.COM.keytab
    Using default cache: /tmp/krb5cc_1000
    Using principal: host/[email protected]
    Using keytab: hostname_host_REALM.DOM.COM.keytab
    kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

When setting this up, I first created a computer entry in the database:

    # extended LDIF
    #
    # LDAPv3
    # base <cn=computers,dc=realm,dc=dom,dc=com> with scope subtree
    # filter: (name=hostname)
    # requesting: ALL
    #

    # hostname, Computers, realm.dom.com
    dn: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: hostname
    distinguishedName: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
    instanceType: 4
    whenCreated: 20160128162300.0Z
    whenChanged: 20160128162300.0Z
    uSNCreated: 174308
    uSNChanged: 174312
    name: hostname
    objectGUID:: jd23ti+U/USCbuyzfWj5rQ==
    userAccountControl: 4128
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 0
    localPolicyFlags: 0
    pwdLastSet: 130984717800613071
    primaryGroupID: 515
    objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPLDEAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: HOSTNAME$
    sAMAccountType: 805306369
    objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
    isCriticalSystemObject: FALSE
    dSCorePropagationData: 16010101000000.0Z

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Then I created a user entry:

    # extended LDIF
    #
    # LDAPv3
    # base <cn=users,dc=realm,dc=dom,dc=com> with scope subtree
    # filter: (&(ObjectClass=person)(name=hostname host))
    # requesting: ALL
    #

    # hostname host, Users, realm.dom.com
    dn: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: hostname host
    sn: host
    givenName: hostname
    distinguishedName: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
    instanceType: 4
    whenCreated: 20160129074155.0Z
    whenChanged: 20160309164621.0Z
    displayName: hostname host
    uSNCreated: 174516
    uSNChanged: 179340
    name: hostname host
    objectGUID:: Uaw7Gk2n0keDHjIAiRaPqw==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 131020165954163706
    pwdLastSet: 131020155817310122
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPPjEAAA==
    accountExpires: 9223372036854775807
    logonCount: 4
    sAMAccountName: hostname-host
    sAMAccountType: 805306368
    userPrincipalName: host/[email protected]
    servicePrincipalName: host/hostname.sub.dom.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
    dSCorePropagationData: 16010101000000.0Z

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Then I ran ktpass on the DC to create the keytab file:

    C:\Users\rob.marshall>ktpass -princ host/[email protected] -out hostname_host_REALM.DOM.COM.keytab -mapuser [email protected] -mapOp set -crypto all -ptype KRB5_NT_PRINCIPAL +rndPass
    Targeting domain controller: WIN-F2DD88GD7U9.realm.dom.com
    Using legacy password setting method
    Successfully mapped host/hostname.sub.dom.com to hostname-host.
    Key created.
    Key created.
    Key created.
    Key created.
    Key created.
    Output keytab to hostname_test04.keytab:
    Keytab version: 0x502
    keysize 70 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa219dcdc0d232a7f)
    keysize 70 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa219dcdc0d232a7f)
    keysize 78 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x2c3d1d1cbf52afe3a7190bdaa0107fed)
    keysize 94 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x4f4b4f5d3f401c7ef885c94989e5561cc74fa607b07c6135c78450625bfb007e)
    keysize 78 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x3704104525c61565296a343d6092209f)

Checking the keytab file:

    rob@robs-ubuntu2: [NFS_Kerberos_Keytabs]$ klist -kte hostname_host_REALM.DOM.COM.keytab
    Keytab name: FILE:hostname_host_REALM.DOM.COM.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 12/31/1969 19:00:00 host/[email protected] (des-cbc-crc)
       2 12/31/1969 19:00:00 host/[email protected] (des-cbc-md5)
       2 12/31/1969 19:00:00 host/[email protected] (arcfour-hmac)
       2 12/31/1969 19:00:00 host/[email protected] (aes256-cts-hmac-sha1-96)
       2 12/31/1969 19:00:00 host/[email protected] (aes128-cts-hmac-sha1-96)

Again, I did exactly the same thing (apart from the REALM) on the other AD DC and that keytab file works fine. Any ideas what I am doing wrong here? The AD keytab that does not work comes from a Windows system whose version is "Windows Server Enterprise", copyright 2007 and SP 1. The other is Windows 2012 R2.

Thanks for your help,
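Added example (not from the original post): a small parser for the version 0x502 keytab format that ktpass reports writing, which lists each entry's principal, KVNO, timestamp and enctype without ever returning key bytes, so the KVNO and enctypes klist prints (KVNO 2 above) can be compared against the vno ktpass reported (3) and the DES/RC4 keys ktpass emitted with -crypto all can be flagged. It reads both the 8-bit vno field and the optional trailing 32-bit kvno, and a timestamp of 0 is what klist shows as 12/31/1969 19:00:00 in a UTC-5 zone. The principal, realm and key bytes in SAMPLE are constructed test data, not the poster's.

```python
import struct

# Enctype numbers as printed by ktpass (etype 0x1, 0x3, 0x17, 0x12, 0x11).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
          18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96"}
WEAK = {1, 3, 23}  # single DES and RC4 keys: deprecated, worth flagging

def _counted(buf, pos):
    # counted_octet_string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab into entry dicts; key bytes are skipped."""
    assert data[:2] == b"\x05\x02", "not a version 0x502 keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)   # realm precedes the components
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name_type, timestamp, 8-bit vno, enctype, key length (13 bytes)
        _nt, ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen             # step over the key itself, never read it
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "timestamp": ts, "etype": ETYPES.get(etype, hex(etype)), "weak": etype in WEAK})
        pos = end
    return entries

def _entry(principal, kvno, etype, key):
    """Build one entry (constructed sample data, not a real DC's keytab)."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key  # KRB5_NT_PRINCIPAL, ts 0
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

P = "host/client.example.test@EXAMPLE.TEST"  # constructed principal, kvno 3, RC4 then AES256 key
SAMPLE = b"\x05\x02" + _entry(P, 3, 23, b"\x11" * 16) + _entry(P, 3, 18, b"\x22" * 32)
```

Run it against a real file with `parse_keytab(open(path, "rb").read())` and compare the kvno values with what ktpass printed; any entry with `weak` set is a key the KDC would accept under the older enctypes.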