I am installing Kerberos5-1.12.1 on an Ubuntu machine using these instructions.
Whenever I try to run:
    kinit user1
I get this error:
    kinit: Cannot contact any KDC for realm 'UBUNTU' while getting initial credentials
Here are my krb5.conf and kdc.conf files:
    [libdefaults]
        default_realm = UBUNTU

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # Thie only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true

    [realms]
        UBUNTU = {
            kdc = 172.20.104.226
            admin_server = 172.20.104.226
        }
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu:88
            kdc = kerberos-1.mit.edu:88
            kdc = kerberos-2.mit.edu:88
            admin_server = kerberos.mit.edu
            default_domain = mit.edu
        }
        MEDIA-LAB.MIT.EDU = {
            kdc = kerberos.media.mit.edu
            admin_server = kerberos.media.mit.edu
        }
        ZONE.MIT.EDU = {
            kdc = casio.mit.edu
            kdc = seiko.mit.edu
            admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
            kdc = three-headed-dogcow.mit.edu:88
            kdc = three-headed-dogcow-1.mit.edu:88
            admin_server = three-headed-dogcow.mit.edu
        }
        CSAIL.MIT.EDU = {
            kdc = kerberos-1.csail.mit.edu
            kdc = kerberos-2.csail.mit.edu
            admin_server = kerberos.csail.mit.edu
            default_domain = csail.mit.edu
            krb524_server = krb524.csail.mit.edu
        }
        IHTFP.ORG = {
            kdc = kerberos.ihtfp.org
            admin_server = kerberos.ihtfp.org
        }
        GNU.ORG = {
            kdc = kerberos.gnu.org
            kdc = kerberos-2.gnu.org
            kdc = kerberos-3.gnu.org
            admin_server = kerberos.gnu.org
        }
        1TS.ORG = {
            kdc = kerberos.1ts.org
            admin_server = kerberos.1ts.org
        }
        GRATUITOUS.ORG = {
            kdc = kerberos.gratuitous.org
            admin_server = kerberos.gratuitous.org
        }
        DOOMCOM.ORG = {
            kdc = kerberos.doomcom.org
            admin_server = kerberos.doomcom.org
        }
        ANDREW.CMU.EDU = {
            kdc = vice28.fs.andrew.cmu.edu
            kdc = vice2.fs.andrew.cmu.edu
            kdc = vice11.fs.andrew.cmu.edu
            kdc = vice12.fs.andrew.cmu.edu
            admin_server = vice28.fs.andrew.cmu.edu
            default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
            kdc = kerberos.cs.cmu.edu
            kdc = kerberos-2.srv.cs.cmu.edu
            admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
            kdc = kerberos.dementia.org
            kdc = kerberos2.dementia.org
            admin_server = kerberos.dementia.org
        }
        stanford.edu = {
            kdc = krb5auth1.stanford.edu
            kdc = krb5auth2.stanford.edu
            kdc = krb5auth3.stanford.edu
            master_kdc = krb5auth1.stanford.edu
            admin_server = krb5-admin.stanford.edu
            default_domain = stanford.edu
        }

    [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .ubuntu = UBUNTU
        ubuntu = UBUNTU

    [login]
        krb5_convert = true
        krb5_get_tickets = false

    [logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

    [kdcdefaults]
        kdc_ports = 88

    [realms]
        UBUNTU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
Is there anything wrong with my configuration files? If not, can anyone please tell me why I am getting this error?
Thanks in advance…
    [domain_realm]
        .UBUNTU = UBUNTU
        UBUNTU = UBUNTU
Keep one entry.
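Although this is a 2-year-old question, I am answering it because I had a similar problem.
    LX-141(root)# root/greg>net ads join -S W12R2-C17.jamie_ad1.net -U Administrator%pwd
    kerberos_kinit_password Administrator@JAMIE_AD1.NET failed: Cannot contact any KDC for requested realm
    Failed to join domain: failed to connect to AD: Cannot contact any KDC for requested realm
In my case, the fix turned out to be restarting the "Kerberos Key Distribution Center" service on the Windows machine, which had either been stopped manually by someone or had crashed.
This could be exactly the same problem on the Linux side – an unresponsive KDC server.
I hope this helps someone in the future.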
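To tell a configuration mistake apart from an unresponsive KDC, it helps to list the KDC addresses that krb5.conf actually names for the realm and probe each one. The following is an added example, not part of any answer on this page; the function names are hypothetical, the sample is a constructed reduction of the question's krb5.conf, and it assumes hostname or IPv4 `kdc` values and tests TCP only.

```python
import re
import socket

# Constructed sample, reduced from the krb5.conf posted in the question.
SAMPLE_KRB5_CONF = """\
[realms]
    UBUNTU = {
        kdc = 172.20.104.226
        admin_server = 172.20.104.226
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
    }
"""

def kdcs_for_realm(conf_text, realm, default_port=88):
    """Return [(host, port), ...] from the kdc = lines of one [realms] stanza."""
    section, current, found = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # new section such as [realms]
            section, current = header.group(1), None
        elif section == "realms":
            opened = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if opened:                       # start of a realm stanza
                current = opened.group(1)
            elif line == "}":
                current = None
            elif current == realm:
                m = re.fullmatch(r"kdc\s*=\s*(\S+)", line)
                if m:                        # port is optional, 88 by default
                    host, _, port = m.group(1).partition(":")
                    found.append((host, int(port) if port else default_port))
    return found

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (KDCs also listen on UDP 88)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print({kdc: tcp_reachable(*kdc) for kdc in kdcs_for_realm(SAMPLE_KRB5_CONF, "UBUNTU")})
```

An empty list points at the configuration (wrong realm name or missing `kdc` line); a listed KDC that is not reachable points at the service, a firewall, or name resolution.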
If you installed krb5-{admin-server,kdc} (apt-get install), then your kdc.conf should be in /etc/krb5kdc/kdc.conf
Also, use better enctypes. It's not the 90s anymore.
Check the setting in /etc/samba/smb.conf:
    client use spnego = yes
Solution: restart the named service, after which it works normally. The problem was that there was no communication, so restart the named service.
Change it like this:
    [realms]
        UBUNTU = {
            kdc = UBUNTU
            admin_server = UBUNTU
        }