kvno problem + Kerberos authentication setup question

I have run into a problem that I clearly cannot solve. I suspect I missed something when setting up, on Windows Server 2003, a service that runs on CentOS 6.

First I will describe the environment I am working in and what I am trying to do, then the problem.

I have a Windows Server 2003 without SP1; its IP is xxx.xxx.xxx.xxx and its name is win2003srv2.ejemplo.org.

On this machine, the Cyrus IMAP server, I also installed Thunderbird as a mail client for testing.

In Active Directory on Windows Server 2003 I added a new user named imap, with:

    Logon Name: imap/[email protected]
    Logon name of user (pre-Windows 2000): EJEMPLO\imap0

It is important to note that the @ejemplo.org is not in capitals, because that is the default and it cannot be changed in the create-user window.

I added the SPNs for imap and have this list:

    C:\Documents and Settings\Administrador>SETSPN -L prueba-mail
    Registered ServicePrincipalNames for CN=prueba-mail,CN=Computers,DC=ejemplo,DC=org:
        imap/prueba-mail.ejemplo.org:143
        imap/prueba-mail
        imap/prueba-mail.ejemplo.org
        host/prueba-mail.ejemplo.org
        host/prueba-mail

I also generated the keytab on Windows Server 2003:

    C:\Documents and Settings\Administrador\Escritorio\TEST>Ktpass -princ imap/[email protected] -mapuser imap -pass zzzzz -crypto DES-CBC-MD5 -out UNIXimap.keytab
    Targeting domain controller: win2003srv2.ejemplo.org
    Successfully mapped host/prueba-mail.ejemplo.org to imap0.
    Key created.
    Output keytab to UNIXimap.keytab:
    Keytab version: 0x502
    keysize 65 imap/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x85589d4fef0d5e20)
    Account imap0 has been set for DES-only encryption.

Then I added it to the keytab on the machine where I have the IMAP server.

The problem:

When I log in with Thunderbird, I see in Wireshark (the captures are added at the end of this post) that it requests a TGS ticket for "imap/prueba-mail.ejemplo.org" and does not find it.

The same thing happens if I run this command:

    kvno imap/[email protected]
    kvno: Server not found in Kerberos database while getting credentials for imap/[email protected]

However, kvno imap/[email protected] works fine:

    kvno imap/[email protected]
    imap/[email protected]: kvno = 59

What could I be missing so that it finds the service?

Why can it not find "imap/[email protected]" when it can find "imap/[email protected]"?

Below I show the contents of krb5.conf and the captures I made with Wireshark. Any help is appreciated.

---------- /etc/krb5.conf: ----------

    [logging]
     default = /var/log/krb5libs.log
     kdc = /var/log/krb5kdc.log
     admin_server = /var/log/kadmind.log

    [libdefaults]
     rdns = false
     ignore_acceptor_hostname = true
     default_realm = EJEMPLO.ORG
     dns_lookup_kdc = false
     dns_lookup_realm = false
     kdc_timesync = 1
     ccache_type = 4
     forwardable = true
     proxiable = true
     fcc-mit-ticketflags = true
     default_keytab_name = FILE:/etc/krb5.keytab
     allow_weak_crypto = yes
     default_tkt_enctypes = des-cbc-md5
     default_tgs_enctypes = des-cbc-md5

    [realms]
     FNR.GUB.UY = {
      kdc = xxx.xxx.xxx.xxx:88
     }

    [domain_realm]
     .fnr.gub.uy = EJEMPLO.ORG

    [login]
     krb4_convert = false

---------- TGS-REQ ----------

    No.   Time       Source           Destination      Protocol  Info
    6083  26.329448  yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx  KRB5      TGS-REQ

    Frame 6083 (647 bytes on wire, 647 bytes captured)
        Arrival Time: Jul 26, 2013 11:24:05.747386000
        [Time delta from previous captured frame: 0.012354000 seconds]
        [Time delta from previous displayed frame: 26.329448000 seconds]
        [Time since reference or first frame: 26.329448000 seconds]
        Frame Number: 6083
        Frame Length: 647 bytes
        Capture Length: 647 bytes
        [Protocols in frame: eth:ip:udp:kerberos]
    Ethernet II, Src: CadmusCo_13:dd:bd (08:00:27:13:dd:bd), Dst: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
        Type: IP (0x0800)
    Internet Protocol, Src: yyy.yyy.yyy.yyy, Dst: xxx.xxx.xxx.xxx
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        Total Length: 633
        Identification: 0x43c1 (17345)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (0x11)
        Header checksum: 0xa9c2 [correct]
    User Datagram Protocol, Src Port: 58790 (58790), Dst Port: kerberos (88)
        Length: 613
        Checksum: 0x4d67 [validation disabled]
    Kerberos TGS-REQ
        Pvno: 5
        MSG Type: TGS-REQ (12)
        padata: PA-TGS-REQ
            Type: PA-TGS-REQ (1)
            Value: 6E8201C6308201C2A003020105A10302010EA20703050000...
                AP-REQ
                    Pvno: 5
                    MSG Type: AP-REQ (14)
                    Padding: 0
                    APOptions: 00000000
                        .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                        ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                    Ticket
                        Tkt-vno: 5
                        Realm: EJEMPLO.ORG
                        Server Name (Service and Instance): krbtgt/EJEMPLO.ORG
                            Name-type: Service and Instance (2)
                            Name: krbtgt
                            Name: EJEMPLO.ORG
                        enc-part rc4-hmac
                            Encryption type: rc4-hmac (23)
                            Kvno: 2
                            enc-part: 0ACDE6D2981DBF829935A102CB4A7700DD762C8CFFC4B183...
                    Authenticator des-cbc-md5
                        Encryption type: des-cbc-md5 (3)
                        Authenticator data: 86588D7C6AA08BE142100084FBBB0968878E567AE10228B0...
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
                .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Realm: EJEMPLO.ORG
            Server Name (Service and Host): imap/prueba-mail.ejemplo.org
                Name-type: Service and Host (3)
                Name: imap
                Name: prueba-mail.ejemplo.org
            till: 2013-07-27 00:14:39 (UTC)
            Nonce: 1374848677
            Encryption Types: des-cbc-md5
                Encryption type: des-cbc-md5 (3)

---------- Reply ----------

    No.   Time       Source           Destination      Protocol  Info
    6084  26.330599  xxx.xxx.xxx.xxx  yyy.yyy.yyy.yyy  KRB5      KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

    Frame 6084 (171 bytes on wire, 171 bytes captured)
        Arrival Time: Jul 26, 2013 11:24:05.748537000
        [Time delta from previous captured frame: 0.001151000 seconds]
        [Time delta from previous displayed frame: 0.001151000 seconds]
        [Time since reference or first frame: 26.330599000 seconds]
        Frame Number: 6084
        Frame Length: 171 bytes
        Capture Length: 171 bytes
        [Protocols in frame: eth:ip:udp:kerberos]
    Ethernet II, Src: Ibm_a5:b3:46 (00:09:6b:a5:b3:46), Dst: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
        Type: IP (0x0800)
    Internet Protocol, Src: xxx.xxx.xxx.xxx, Dst: yyy.yyy.yyy.yyy
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        Total Length: 157
        Identification: 0x1ed3 (7891)
        Flags: 0x00
        Fragment offset: 0
        Time to live: 128
        Protocol: UDP (0x11)
        Header checksum: 0xd08c [correct]
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 58790 (58790)
        Length: 137
        Checksum: 0xf316 [validation disabled]
    Kerberos KRB-ERROR
        Pvno: 5
        MSG Type: KRB-ERROR (30)
        stime: 2013-07-26 14:24:37 (UTC)
        susec: 524733
        error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
        Realm: EJEMPLO.ORG
        Server Name (Service and Host): imap/prueba-mail.ejemplo.org
            Name-type: Service and Host (3)
            Name: imap
            Name: prueba-mail.ejemplo.org
        e-data
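The KRB-ERROR above comes from the KDC, so the service keytab is not consulted yet; but once the KDC does issue a ticket for imap/prueba-mail.ejemplo.org@EJEMPLO.ORG, the service can only decrypt it if the keytab holds that exact principal under the kvno the KDC used (ktpass wrote vno 4 with etype 0x3, while the working principal reports kvno 59). The following is an added example, not code from the post: it writes and parses the MIT keytab format that ktpass reported (version 0x502) and explains a mismatch; the sample keytab is constructed inline with a placeholder key, and the function names are the example's own.

```python
import struct

def _ostr(b): return struct.pack(">H", len(b)) + b   # counted octet string: uint16 len + bytes

def build_keytab(entries):
    # Serialize (principal, kvno, enctype, key) tuples as an MIT v2 (0x0502) keytab.
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _ostr(realm.encode())
        body += b"".join(_ostr(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIB", 1, 0, kvno)               # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: etype, length, key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Parse an MIT v2 keytab into dicts with principal, kvno, enctype and key.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode()); pos += 2 + clen
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]
        pos = end                         # a kvno > 255 would add a 32-bit vno trailer here (not handled)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries

def why_rejected(entries, principal, kdc_kvno):
    hits = [e for e in entries if e["principal"] == principal]
    if not hits:
        return "principal not in keytab"
    if not any(e["kvno"] == kdc_kvno for e in hits):
        return "kvno mismatch: keytab has %s" % sorted({e["kvno"] for e in hits})
    return None

# Constructed sample, not the poster's real keytab: the single entry ktpass reported, placeholder key.
SAMPLE = parse_keytab(build_keytab([("imap/prueba-mail.ejemplo.org@EJEMPLO.ORG", 4, 3, bytes(range(8)))]))
```

why_rejected returns None only when the principal is present with the kvno the KDC reports; a "kvno mismatch" means the service has an older key than the KDC, which is also what a regenerated ktpass keytab that was not re-imported looks like.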